AWS Api Gateway: How to handle authorization, authentication, SSO, etc.

rawcoder used Ask the Experts™
I am reviewing several approaches to re-developing a node.js restful monolithic application using microservices combined with an api gateway. In looking at using the aws api gateway though, there seem to be a few items I have not been able to find a lot of documentation on. For one, the application I am designing has to be able to support SSO; I would like users to be able to register by either creating a local login or using their current facebook, twitter, etc. social accounts.

How would this process be handled by aws api gateway, especially since I would need to use a custom database to write to and read from, not to mention authorizing the user?

Additionally, for example, say my microservices have the following bounded contexts:

account(login, registration, profile management),

billing(may not be ideal for serverless due to running time, may opt for docker + ec2),

friend(setting up friend associations),

file(users can upload pictures and videos to their timeline - seems to be another docker + ec2 candidate);

and I want to use an api gateway to secure all of the microservice endpoints except the ones specific to login and registration, how should this be done?

Node.js contains a package called passport that seems to handle JWT and authenticating users via facebook, twitter, local, etc.; can I use this with the api gateway authentication?

Also, if the api gateway is securing the microservices, how does the request object and response object get passed between the gateway and the microservices for various requests made?

Additionally, if these items are too involved for aws api gateway and I have to build a custom api gateway and microservices, where the gateway is listening on a different port and contained in a separate docker container, how should it regulate permissions for the microservices that are in other docker containers listening on other ports?

In a nutshell, any documentation that really walks through this process and answers the questions that I have listed above will be extremely helpful. Additionally, if I am looking at this the wrong way or asking the wrong kind of questions, advice in that regard would be helpful as well.
Phil Phillips, Senior Platform Engineer

You're probably best off creating a custom authorizer. Since custom authorizers are Lambda functions, you can use the Node.js packages that you mentioned.

There's a pretty good overview of the flow of the request when using a custom authorizer here: Hopefully that should be enough to get you started.
