Core EOS Security With AWS API Gateway

Bo Motlagh
United Effects™
May 22, 2022

Did you know you can use Core EOS to authorize all incoming requests to AWS API Gateway before a request is routed to your internal services? In this step-by-step guide, we’ll provide the Authorizer itself so you can download the code, configure Core EOS, configure your Custom Authorizer, and deploy to AWS. Let’s get started:

Step 1

For this demonstration, we are going to generate Client Credential access tokens because it’s an easy way to create test tokens. The process will work with any access token though.

To create the tokens, let’s create or pick a Product with an API service in Core EOS. All you need to do is click “create new service” in the Product, choose type API, and add “client_credentials” as the grant type. Click to add at the bottom.

This will create a service with the “Example Authorizer” Product, with an ID and Secret. Save them both:

Step 2

Also, grab your Platform Auth Group ID from the settings window and save it:

Step 3

Clone the Core EOS Authorizer project. It’s written in JavaScript and is MIT-licensed open source:

Step 4

Create a copy of the directory “./.env_sample/” at “./.env/” as depicted, and change the name of “env.dev.json” to an appropriate environment name configuration for deployment such as “env.qa.json” in the example. Update the JSON properties appropriately, including the client ID and Secret from step 1, the Auth Group ID from step 2, and the URL to your platform instance for JWKS_URI and CORE_URI.

  • Typically CORE_URI will either be https://auth.unitedeffects.com or, if you have a custom domain, whatever you’ve set for the OIDC custom domain.
  • The JWKS_URI will be your ‘CORE_URI + /AUTH_GROUP + /jwks’.
  • If you’d like to specifically validate a resource audience, add the URL of that resource to the AUD property field. For our example, we’ll leave that blank.

For more information about the authorizer project and its configuration, check out the README.

Step 5

Deploy using the following command:

The instructions assume you have the Serverless Framework installed and configured to point to your AWS account; however, you can also build, zip, and manually deploy the service if you wish. Keep in mind, the code is written in ES6 and uses Babel to build, so Lambda should route requests to the handler in ./dist/index.js to work properly.

Step 6

Choose the API in AWS Gateway that you’d like to secure. In the AWS console, within API Gateway, navigate to “Authorizers” and click “Create New Authorizer”. Fill in the fields as follows and make sure to select the lambda function you deployed in Step 5.

You may have to Add Permissions to the Lambda Function.

Step 7

Generate a Client Credential token and test your Authorizer. This is just an HTTP request to Core EOS (CORE_URI + /AUTH_GROUP + /token) where the Client ID and Client Secret from step 1 are used as the basic authorization “username” and “password”. In Postman, it might look something like this, where the Client ID and Client Secret have been base64-encoded to use as basic authorization in the header:

In Core EOS, the “access” scope returns any user or client permissions associated so we’ve included it here. Notice that no audience resource value was passed, ensuring that the resulting access_token is opaque and not a JWT. That said, this solution would work exactly the same way if it was a JWT. Copy the “access_token”.

Step 8

Test the access token on your authorizer by clicking test, and pasting the token into the field. The result should look something like the following:

Step 9

Wire up the specific endpoint you want to protect. In the AWS console, under API Gateway, click into Resources and then the specific resource/method you wish to protect. In the example image, I am protecting a random “/api” resource which is itself configured as a proxy of all methods to Core EOS (just as an example).

You’ll notice initially the “Method Request” box shows “NONE” on the “Auth” configuration.

Click into the configuration and choose your new token authorizer instance.

Step 10

Deploy your new configuration of the API Gateway:

You’re all set! Now, if you make HTTP requests to the AWS API Gateway endpoint, you will need to provide a header value with Authorization = “Bearer <YOUR TOKEN>”.

Here you can see the endpoint returning a 401 Unauthorized when I hit it without a token:

And returning the proxied version data from Core EOS when I do provide a token:
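To make the behaviour described in Steps 4 and 10 concrete (the optional AUD check, the Bearer header, and 401 versus 403), here is an added example of the shape of an API Gateway TOKEN authorizer. It is not the Core EOS Authorizer project’s own code: `verifyToken` is an assumed callback standing in for however the authorizer asks Core EOS whether a token is valid, and it is injected so the policy logic can be exercised without network access.

```javascript
// Added example, not the Core EOS Authorizer project's code.
// Pull the raw token out of "Authorization: Bearer <token>"; null if malformed.
function extractBearer(header) {
  if (typeof header !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return m ? m[1] : null;
}

// The IAM policy document API Gateway expects back from a Lambda authorizer.
function buildPolicy(principalId, effect, methodArn, context = {}) {
  return {
    principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: methodArn }],
    },
    context, // forwarded to the backend as $context.authorizer.*
  };
}

// Pure decision: given the claims returned for a token, the optional expected
// audience (the AUD setting from Step 4) and the method ARN, decide Allow/Deny.
// Returns null when the caller must answer 401 (no usable claims) rather than
// return a Deny policy (which API Gateway turns into a 403).
function decide(claims, expectedAud, methodArn) {
  if (!claims || claims.active === false || !claims.sub) return null;
  if (expectedAud) {
    const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    if (!aud.includes(expectedAud)) return buildPolicy(claims.sub, 'Deny', methodArn);
  }
  return buildPolicy(claims.sub, 'Allow', methodArn, { scope: claims.scope || '' });
}

// Build the Lambda handler. verifyToken(token) is an assumed async callback that
// resolves to { sub, active, aud, scope } or rejects for an invalid token.
// Throwing an Error whose message is 'Unauthorized' makes API Gateway reply 401.
function makeHandler(verifyToken, expectedAud = process.env.AUD) {
  return async function handler(event) {
    const token = extractBearer(event.authorizationToken);
    if (!token) throw new Error('Unauthorized');
    let claims = null;
    try { claims = await verifyToken(token); } catch (e) { claims = null; }
    const policy = decide(claims, expectedAud, event.methodArn);
    if (!policy) throw new Error('Unauthorized');
    return policy;
  };
}
```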

With this approach, it’s very easy to protect all of your downstream resources behind an AWS API Gateway instance. Sign up today at unitedeffects.com to get started, or contact us for a demo at solution@unitedeffects.com.

Follow us on Twitter, LinkedIn and Medium and if you need help with anything related to Core EOS, do not hesitate to reach out to help@unitedeffects.com.
