AWS API Gateway

Configure an authorizer that uses Passage to protect API routes.

Prerequisites

AWS API Gateway

The AWS API Gateway provides developers with a scalable and secure entry point to their developed API services. Using a JWT Authorizer integrated with Passage allows developers to control access to their API in a native, no-code way while getting all of the passwordless benefits of Passage.

AWS JWT authorizer with Passage

API Gateway authorizers protect specific API routes from unauthorized requests. JWT authorizers are a feature of API Gateway HTTP APIs; on each route that needs protection, attach a JWT authorizer configured for your Passage Application. A few settings need to be configured:

AWS API gateway authorizer view
  • The Name is a unique name identifying the JWT authorizer. Once created, the same authorizer can be attached to any other route you wish to protect.
  • The Identity Source tells the authorizer where to find the JWT in the request. The default, $request.header.Authorization, expects the token in the Authorization header (Authorization: Bearer <JWT>).
  • The Issuer URL is the Passage domain from which the JWT originates. The authorizer checks the token's iss claim against it and fetches the signing keys from that issuer's JWKS endpoint to verify the token's signature. Set it to https://auth.passage.id/v1/apps/{PassageAppID}, substituting your Passage App ID.
  • The Audience validates that this API is an intended recipient of the JWT: the authorizer checks that the token's aud claim matches one of the values entered in the Audience field. For Passage, this is the app's Authentication Origin, which can be found in the Passage Console settings. A token whose aud does not match is rejected even if its signature is valid.

The completed form should look something like this:

AWS API gateway authorizer filled view
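The same four settings can be applied without the console. The following is an added example (not Passage's or AWS's code) that builds the boto3 apigatewayv2 create_authorizer and create_route calls so that the Name, Identity Source, Issuer URL and Audience map onto the console form above, then attaches the authorizer to a route. The API ID, integration ID, Passage App ID, route key and origin are placeholders, and `client` can be a real boto3 client or any stand-in with the same two methods.

```python
"""Create a Passage JWT authorizer on an API Gateway HTTP API and attach it to a route.

Added example, not Passage's or AWS's own code. All identifiers below
(API ID, integration ID, Passage App ID, Authentication Origin) are placeholders.
"""
from typing import Any, Dict

# Passage issues tokens per application; the issuer URL carries the app ID.
PASSAGE_ISSUER = "https://auth.passage.id/v1/apps/{app_id}"
# Default identity source: the JWT is read from "Authorization: Bearer <JWT>".
DEFAULT_IDENTITY_SOURCE = "$request.header.Authorization"


def jwt_authorizer_request(api_id: str, name: str, passage_app_id: str,
                           auth_origin: str) -> Dict[str, Any]:
    """Build the create_authorizer arguments matching the console form fields."""
    return {
        "ApiId": api_id,
        "Name": name,                                   # unique authorizer name
        "AuthorizerType": "JWT",
        "IdentitySource": [DEFAULT_IDENTITY_SOURCE],    # Identity Source
        "JwtConfiguration": {
            "Issuer": PASSAGE_ISSUER.format(app_id=passage_app_id),  # Issuer URL
            # Audience must equal the token's aud claim exactly; for Passage that
            # is the app's Authentication Origin from the Passage Console.
            "Audience": [auth_origin],
        },
    }


def protected_route_request(api_id: str, route_key: str, integration_id: str,
                            authorizer_id: str) -> Dict[str, Any]:
    """Build the create_route arguments for a route that requires the authorizer."""
    return {
        "ApiId": api_id,
        "RouteKey": route_key,                          # e.g. "GET /profile"
        "Target": f"integrations/{integration_id}",
        "AuthorizationType": "JWT",                     # reject requests without a valid JWT
        "AuthorizerId": authorizer_id,
    }


def protect_route(client, api_id: str, route_key: str, integration_id: str,
                  passage_app_id: str, auth_origin: str,
                  name: str = "passage-jwt") -> Dict[str, str]:
    """Create the authorizer, then the route that uses it.

    `client` is a boto3 apigatewayv2 client, or any object exposing
    create_authorizer(**kwargs) and create_route(**kwargs) with the same shape.
    """
    authorizer = client.create_authorizer(
        **jwt_authorizer_request(api_id, name, passage_app_id, auth_origin))
    route = client.create_route(**protected_route_request(
        api_id, route_key, integration_id, authorizer["AuthorizerId"]))
    return {"authorizer_id": authorizer["AuthorizerId"], "route_id": route["RouteId"]}


if __name__ == "__main__":
    import boto3  # only needed for a real deployment; placeholders below must be replaced

    result = protect_route(boto3.client("apigatewayv2"),
                           api_id="a1b2c3d4e5", route_key="GET /profile",
                           integration_id="abcd123",
                           passage_app_id="YOUR_PASSAGE_APP_ID",
                           auth_origin="https://app.example.com")
    print(result)
```

Creating the authorizer once and referencing its ID from every protected route keeps the issuer and audience in a single place, so a change to the Passage app or its Authentication Origin is a one-line update rather than a per-route edit.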

Create the authorizer and attach it to the route; the route is now protected from unauthorized requests. To make an authenticated request:

curl -H "Authorization: Bearer [PASSAGE_JWT]" \
  -X [METHOD] \
  https://[AWS-API-Gateway-Domain]/default/[ROUTE]

Any request with a missing Authorization header, or with a PASSAGE_JWT that fails validation (bad signature, expired, wrong issuer or audience), receives a 401 Unauthorized response.

Accessing user information

After validating the JWT, API Gateway passes the token's claims to the route's integration, so backend resources such as Lambda functions can read them without validating the token again. With the Lambda proxy integration (payload format 2.0), the Passage User ID for a request is the sub claim:

event.requestContext.authorizer.jwt.claims.sub

These claims were verified by the authorizer and are the values the backend should rely on, rather than anything re-parsed from the raw Authorization header. They establish who the caller is; deciding what that user may access remains the backend's responsibility.
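As an added example (not Passage's or AWS's code), the Lambda handler below reads the Passage User ID from the authorizer context in a payload format 2.0 event, fails closed with 401 if the authorizer context is missing (for instance if the function is invoked through a route that was never attached to the authorizer), and then enforces object-level authorization by comparing the sub claim with a hypothetical {userId} path parameter. The route key, path parameter, claim values and profile data are constructed for illustration.

```python
"""Lambda handler for an API Gateway HTTP API route behind a Passage JWT authorizer.

Added example, not Passage's or AWS's own code. Assumes Lambda proxy payload
format 2.0 and a hypothetical route key of "GET /users/{userId}/profile".
"""
import json
from typing import Optional


def passage_user_id(event: dict) -> Optional[str]:
    """Return the Passage User ID (the verified JWT 'sub' claim) that the
    authorizer attached to the request, or None if no authorizer context exists."""
    try:
        return event["requestContext"]["authorizer"]["jwt"]["claims"]["sub"]
    except (KeyError, TypeError):
        return None


def _response(status: int, body: dict) -> dict:
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(body),
    }


def handler(event: dict, context=None) -> dict:
    """Authentication happened at the gateway; authorization happens here."""
    user_id = passage_user_id(event)
    if user_id is None:
        # Defence in depth: if this function is ever reachable without the JWT
        # authorizer (route misconfigured, direct invocation), fail closed instead
        # of trusting anything in the raw Authorization header.
        return _response(401, {"error": "unauthenticated"})

    requested = (event.get("pathParameters") or {}).get("userId")
    if requested != user_id:
        # A valid Passage token proves who the caller is; it does not entitle
        # them to another user's records.
        return _response(403, {"error": "forbidden"})

    # Constructed placeholder data standing in for a real profile lookup.
    return _response(200, {"userId": user_id, "profile": {"plan": "free"}})


def sample_event(user_sub: Optional[str], requested_user: str) -> dict:
    """Constructed event in the shape API Gateway sends for payload format 2.0.
    Claim values are placeholders, not real Passage identifiers."""
    event = {
        "version": "2.0",
        "routeKey": "GET /users/{userId}/profile",
        "rawPath": f"/users/{requested_user}/profile",
        "pathParameters": {"userId": requested_user},
        "requestContext": {"http": {"method": "GET"}},
    }
    if user_sub is not None:
        # This block only exists on requests that passed the JWT authorizer.
        event["requestContext"]["authorizer"] = {
            "jwt": {
                "claims": {
                    "iss": "https://auth.passage.id/v1/apps/EXAMPLE_APP_ID",
                    "aud": "https://app.example.com",
                    "sub": user_sub,
                },
                "scopes": None,
            }
        }
    return event


if __name__ == "__main__":
    print(handler(sample_event("user_a", "user_a"))["statusCode"])  # 200
    print(handler(sample_event("user_a", "user_b"))["statusCode"])  # 403
    print(handler(sample_event(None, "user_a"))["statusCode"])      # 401
```

The 401 branch should never fire in a correctly configured API, which is exactly why it is worth keeping: it turns a silent authorization gap (a route accidentally deployed with authorization type NONE) into a visible failure.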