We will build an endpoint protected with Auth0: only applications that hold the correct Auth0 credentials, and so can obtain a valid access token, will be able to consume it. Last but not least, everything is serverless, built with the AWS Serverless Application Model (SAM).
Check this other repo (branch auth0) for the frontend; it has a demo link!
- You can use an existing tenant or create one to keep things more organized.
- Create an API, name it and enter an identifier/audience. It is just a name that identifies this API inside our tenant, but it is also the value clients must request and the value our authorizer will check in the token's aud claim.
- For our custom authorizer we'll need two values from the API we just created:
  - The audience, which is our Auth0 API identifier
  - The issuer, which is https://<your tenant name>.<region>.auth0.com
  Note that Auth0 puts the issuer in the token's iss claim with a trailing slash (https://<your tenant name>.<region>.auth0.com/), so make sure the value you configure matches exactly what the authorizer compares it against; decoding a test token is the quickest way to check.
- Clone this repo
git clone https://github.com/s4nt14go/api-gateway-auth0
- Create the file auth0/.env with your data:
AUDIENCE=<your Auth0 data>
ISSUER=<your Auth0 data>
- Check that you are using the AWS credentials and the region you want
aws configure list
- Choose a name for your stack
STACK=<name it>
- Create a bucket where we will upload the files needed to deploy to AWS
aws s3 mb s3://$STACK-stack-package
The bucket namespace is shared between all AWS accounts, so if the name you chose is already taken, try another one.
- Deploy it!
bash deploy.sh $STACK
- Once CloudFormation finishes, it will output the root URL of our protected API endpoint. Save it in an environment variable, as we will need it later:
API=<CloudFormation output>
TIP: As with any resource you put facing the public internet, it is a good idea to limit API Gateway usage by enabling throttling, setting the rate to 10 and the burst to 5 in the AWS console. SAM creates the dev stage and also another default stage; limit both. Throttling protects against abuse and surprise bills, not against unauthorized access; that is the authorizer's job.
- Get a token from Auth0 by going to the Test tab of your API and grabbing the command there, which should look something like this (the client_id and client_secret belong to the test application Auth0 created for the API; treat the secret as a credential and keep it out of version control):
curl --request POST \
  --url https://<your tenant>.<region>.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"<generated by Auth0>","client_secret":"<generated by Auth0>","audience":"<your api identifier>","grant_type":"client_credentials"}'
- You'll get a JSON object as the response. Put its access_token field in an environment variable:
TOKEN=<access_token from Auth0>
- Consume our protected endpoint!
curl --request GET --url $API/hello -H "Authorization: Bearer $TOKEN"
You should receive the message "Autenticated call". You can also curl without the Authorization header and you will get "Unauthorized". It is worth checking the negative cases too: a token with a few characters of its signature changed, and a token requested with a different audience, should both be rejected the same way.
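The custom authorizer is what turns the steps above into an access-control decision. As an added illustration (this is not the repo's own authorizer code), the block below shows the checks an API Gateway TOKEN authorizer must perform on an Auth0 access token: parse the Bearer header, pin the algorithm, verify the signature, check exp, iss and aud, and return an IAM policy. Auth0 signs access tokens with RS256 and publishes the public keys at https://<tenant>.<region>.auth0.com/.well-known/jwks.json; so that the example runs offline with only the standard library, the tokens here are constructed locally and signed with HS256 under a shared secret. DEMO_SECRET, DEMO_AUDIENCE, DEMO_ISSUER and the method ARN are made-up values; the claim checks and the policy shape are the real ones.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values, not real Auth0 data.
DEMO_SECRET = b"demo-shared-secret"
DEMO_AUDIENCE = "https://demo-api"                  # the API identifier chosen in the Auth0 dashboard
DEMO_ISSUER = "https://demo-tenant.us.auth0.com/"   # Auth0 'iss' claims end with a slash


class AuthError(Exception):
    """Any token problem; the handler maps it to the 'Unauthorized' error API Gateway turns into a 401."""


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, secret=DEMO_SECRET, alg="HS256"):
    """Build a JWT for the demo (stands in for Auth0's /oauth/token). 'alg' only changes the header,
    so a token claiming alg=none is still HMAC-signed; it exists to show the verifier must pin the
    algorithm rather than trust the header."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, audience, issuer, secret=DEMO_SECRET, now=None):
    """Check alg, signature, exp, iss and aud in that order; return the claims or raise AuthError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, TypeError):
        raise AuthError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise AuthError("malformed token")
    # Pin the algorithm: never let the token choose it ('none', or RS256 -> HS256 key confusion).
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise AuthError("bad signature")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise AuthError("token expired")
    if claims.get("iss") != issuer:
        raise AuthError("wrong issuer")
    # Auth0 may issue 'aud' as a list (the API identifier plus the tenant's /userinfo URL).
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise AuthError("wrong audience")
    if not isinstance(claims.get("sub"), str):
        raise AuthError("missing sub")
    return claims


def rejection_reason(token, audience=DEMO_AUDIENCE, issuer=DEMO_ISSUER, now=None):
    """None if the token is accepted, otherwise the reason it was rejected (used by the demo below)."""
    try:
        verify_token(token, audience, issuer, now=now)
    except AuthError as err:
        return str(err)
    return None


def build_policy(principal_id, effect, method_arn):
    """IAM policy document in the shape API Gateway expects back from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
    }


def authorizer_handler(event, audience=DEMO_AUDIENCE, issuer=DEMO_ISSUER, now=None):
    """TOKEN authorizer entry point: the event carries 'authorizationToken' and 'methodArn'."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    try:
        if scheme.lower() != "bearer" or not token:
            raise AuthError("missing Bearer token")
        claims = verify_token(token, audience, issuer, now=now)
    except AuthError:
        # This exact message is what API Gateway turns into an HTTP 401 for the caller.
        raise Exception("Unauthorized")
    return build_policy(claims["sub"], "Allow", event["methodArn"])


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abcdef/dev/GET/hello"  # constructed
    claims = {"iss": DEMO_ISSUER, "sub": "demo-client@clients",
              "aud": [DEMO_AUDIENCE, DEMO_ISSUER + "userinfo"], "exp": int(time.time()) + 3600}
    print(authorizer_handler({"authorizationToken": "Bearer " + mint_token(claims), "methodArn": arn}))
    print(rejection_reason(mint_token(dict(claims, aud="https://other-api"))))  # wrong audience
    print(rejection_reason(mint_token(claims, alg="none")))                     # unexpected alg
```

The order of checks matters: the algorithm is pinned before the signature is verified, and the signature is verified before any claim is read, so a forged payload never influences the decision. In a real authorizer the HMAC comparison would be replaced by an RS256 check against the key from the tenant's JWKS whose kid matches the token header, and the audience and issuer would come from the AUDIENCE and ISSUER values in auth0/.env.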
Run this to delete the created resources:
aws cloudformation delete-stack --stack-name $STACK
aws s3 rm s3://$STACK-stack-package --recursive
aws s3 rb s3://$STACK-stack-package