How to integrate AzureAD B2C with AWS API Gateway JWT Authorizer
AWS API Gateway supports an out-of-the-box JWT Authorizer that can be used to secure HTTP APIs. The JWT Authorizer works with any Identity Provider that issues JWT tokens. All the leading identity products in the market, such as AzureAD, AWS Cognito, Okta, Auth0 and ForgeRock AM, support the OAuth 2.0 protocol and JWT access tokens.
In this blog, we are going to see how to generate a JWT access token using the AzureAD B2C OAuth 2.0 client credentials grant and then use that token to secure APIs hosted in AWS API Gateway.
The diagram below can be downloaded from GitHub (https://github.com/secinaction101/azureadawsapigateway) and opened using the draw.io website.
1. A client app integrated with AzureAD B2C calls the token endpoint to get an access token using the OAuth 2.0 client credentials grant.
2. The AzureAD B2C tenant returns a JSON response that contains the JWT access token.
3. The client app invokes the API hosted in AWS API Gateway, passing the access token in the Authorization header.
4. AWS API Gateway uses the out-of-the-box JWT Authorizer to validate the token: its signature, audience (aud) and scopes (scp).
5. If all validations succeed, AWS API Gateway forwards the request to the backend, which can be a Lambda function or any other supported integration, to get the data.
6. AWS API Gateway returns the data to the client. If a validation in step 4 fails, API Gateway returns either Unauthorized or Forbidden: Unauthorized if the token is missing or invalid, Forbidden if the token is valid but the required scope is not present.
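The authorizer's decision sequence from steps 4 to 6 above, written out as an added example that is not part of the original post. It assumes hypothetical issuer and audience values, and it signs with HS256 and a local key so it runs offline, whereas Azure AD B2C issues RS256 tokens that API Gateway verifies against the tenant's JWKS:

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the JWT Authorizer checks. Real tokens are RS256 and
# verified against the B2C tenant's JWKS; HS256 with a local key keeps this demo
# offline. Issuer and audience are hypothetical placeholders, not real values.
ISSUER = "https://contoso.b2clogin.com/<tenant-id>/v2.0/"
AUDIENCE = "api://orders-api"
KEY = b"local-demo-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_demo_token(scp: str, ttl: int = 300, aud: str = AUDIENCE) -> str:
    """Play the B2C tenant's role: mint a signed token carrying the given scopes."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": aud, "exp": int(time.time()) + ttl, "scp": scp}
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def authorize(auth_header, required_scopes: set) -> int:
    """Status the authorizer yields: 200, 401 (missing/invalid token) or 403 (missing scope)."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401                                  # no token presented
    try:
        header, body, sig = auth_header[len("Bearer "):].split(".")
        expected = hmac.new(KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return 401                              # signature check failed
        claims = json.loads(_b64url_decode(body))
    except ValueError:
        return 401                                  # malformed token
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != ISSUER or AUDIENCE not in aud_list:
        return 401                                  # wrong issuer or audience
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= time.time():
        return 401                                  # expired or no expiry
    granted = set(claims.get("scp", "").split())    # scp is space-separated
    if not required_scopes <= granted:
        return 403                                  # valid token, scope missing
    return 200
```

In API Gateway the issuer and audience are set on the JWT authorizer itself and the required scopes on each route.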
You can follow the video below for the end-to-end configuration of AzureAD B2C and AWS API Gateway.
Key points to note
- You can register a free developer AzureAD account and a free AWS account and use them for this configuration.
- You can follow this guide on how to configure a client that supports the OAuth 2.0 client credentials grant, or follow the video, which explains all these steps.
- If you face any issues, please check the video again. The main issue you might run into is configuring the AzureAD B2C client and getting an access token. Once that is done, configuring the AWS API Gateway is pretty easy.
Thanks for reading this article. Please subscribe to the YouTube channel below and follow me on Medium to learn about security and IAM.