
How do I configure authorization with a custom OpenID Connect identity provider for AWS API Gateway?

How to Secure Your API Gateway API with an Existing OpenID Connect Provider

Great question! You don’t actually need to rely on Amazon Cognito user pools if you already have your own OpenID Connect (OIDC) identity provider—API Gateway has a built-in OIDC authorizer that integrates directly with your existing setup. Let’s walk through the exact steps to lock down your API:

Step 1: Gather Your OIDC Provider Details

First, collect these three key pieces of info from your OIDC provider—you’ll need them to configure the authorizer:

  • Issuer URL: The base HTTPS URL of your provider (e.g., https://my-oidc-provider.com). API Gateway uses this to fetch the provider’s public keys for validating tokens.
  • Audience (Client ID): The unique client ID you registered with your OIDC provider specifically for this API Gateway integration.
  • Token format: Confirm your provider issues standard JSON Web Tokens (JWTs) that carry the required claims: iss (issuer), aud (audience), and exp (expiration time).

Step 2: Create an OIDC Authorizer in API Gateway

  1. Head to the API Gateway console and select your API.
  2. On the left sidebar, click the Authorizers tab.
  3. Hit Create New Authorizer to start setup:
    • Name: Pick a clear name (like MyAppOIDCAuthorizer) so you can easily identify it later.
    • Type: Choose OpenID Connect from the dropdown.
    • Provider URI: Paste your OIDC issuer URL here (double-check it’s HTTPS—API Gateway won’t accept HTTP).
    • Audience: Enter your client ID from the OIDC provider.
    • Leave other settings (like token validation timeout) as default unless you have specific needs.
    • Click Create to save the authorizer.

Step 3: Attach the Authorizer to Your API Methods

Now link the authorizer to the API methods that trigger your Lambda function:

  1. Go to the Resources tab of your API.
  2. Select the method(s) (e.g., GET, POST) you want to protect.
  3. Click Method Request in the right panel.
  4. Under the Authorization section, select your newly created OIDC authorizer from the dropdown.
  5. Save your changes—this tells API Gateway to check for a valid JWT before allowing access to the method.

Step 4: Test the Authorization Flow

To verify everything works as expected:

  1. Get a valid JWT from your OIDC provider using their standard authentication flow (authorization code, implicit, etc.).
  2. Send a request to your API, adding the token to the Authorization header in the format: Bearer <your-jwt-token>.
  3. If the token is valid (correct issuer/audience, not expired), API Gateway will forward the request to your Lambda function. If not, you’ll get a 401 Unauthorized response—exactly what you want for unauthenticated users.
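
The checks behind Step 1 (is the issuer usable?) and Step 4 (what makes a token "valid"?) are easy to get wrong by hand, so here is an added worked example that is not part of the original answer and not AWS code. It builds the discovery URL from an issuer, sanity-checks a constructed discovery document (the issuer in the document must match the configured issuer and everything must be HTTPS), and then applies the same accept/reject logic the authorizer applies to a Bearer token: signature, iss, aud and exp. Assumptions: the provider, secret, client ID and token claims below are all constructed; a real OIDC provider signs with RS256 and publishes the key at jwks_uri, whereas this example uses HS256 with a shared secret purely so it runs offline with the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-in for what a provider serves at
# <issuer>/.well-known/openid-configuration (hypothetical provider).
DISCOVERY_DOC = {
    "issuer": "https://my-oidc-provider.com",
    "jwks_uri": "https://my-oidc-provider.com/.well-known/jwks.json",
    "authorization_endpoint": "https://my-oidc-provider.com/authorize",
    "token_endpoint": "https://my-oidc-provider.com/token",
    "id_token_signing_alg_values_supported": ["RS256"],
}


def discovery_url(issuer: str) -> str:
    """Discovery endpoint the authorizer fetches for the configured issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer: str, doc: dict) -> list:
    """Return a list of problems; an empty list means the issuer is usable."""
    problems = []
    if urlparse(issuer).scheme != "https":
        problems.append("issuer must be HTTPS")
    if doc.get("issuer") != issuer.rstrip("/"):
        problems.append("discovery 'issuer' does not match configured issuer")
    if not str(doc.get("jwks_uri", "")).startswith("https://"):
        problems.append("jwks_uri missing or not HTTPS")
    return problems


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes) -> str:
    """Mint a compact JWT (HS256 stand-in for the provider's RS256 signing)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token: str, secret: bytes, issuer: str, audience: str,
                   now: Optional[int] = None) -> dict:
    """Return the claims if every check passes; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    h, p, s = token.split(".")  # ValueError if not exactly three segments
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: never let the token choose (rejects "none" too).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    return claims


def decide(headers: dict, secret: bytes, issuer: str, audience: str,
           now: Optional[int] = None) -> int:
    """Mirror the gateway outcome for a request: 200 to forward, 401 to reject."""
    value = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        return 401
    try:
        validate_token(token, secret, issuer, audience, now)
    except ValueError:
        return 401
    return 200
```

Running the same token through `decide` with the right audience, with a different audience and with an expired exp shows the three outcomes from Step 4: the request is forwarded only when issuer, audience, expiry and signature all line up, and every other case yields the 401 the text describes.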

Optional: Use Cognito as an OIDC Proxy (If You Need Extra Features)

If you want advanced capabilities like token caching, custom scope validation, or deeper AWS service integration, you can use Amazon Cognito as a middle layer:

  1. Create a Cognito user pool, then navigate to the Identity Providers tab and add your existing OIDC provider.
  2. Configure a user pool client to use this OIDC provider for authentication.
  3. Create a Cognito User Pool Authorizer in API Gateway, pointing to your Cognito user pool.
  4. This setup lets Cognito handle token validation and adds AWS-specific tools, but it’s an extra layer—stick with the built-in OIDC authorizer if you don’t need these extras.

Key Things to Remember

  • API Gateway automatically fetches your OIDC provider’s public keys from the /.well-known/openid-configuration endpoint—make sure this endpoint is publicly accessible.
  • For simple validation needs, the built-in OIDC authorizer is perfect. If you need custom logic (like checking specific claims), you can use a Lambda authorizer instead, but that’s more work.
  • Don’t forget to deploy your API to a stage after making changes—authorizer settings won’t take effect until you deploy!

The question was sourced from Stack Exchange; it was asked by Gasp0de.
