Amazon API Gateway Custom Authorizer + OAuth

1. What is Custom Authorizer?

On Feb 11, 2016, an AWS Compute Blog entry, "Introducing custom authorizers in Amazon API Gateway", announced that Custom Authorizer had been introduced into Amazon API Gateway.

Thanks to this mechanism, an API built on Amazon API Gateway can delegate validation of a Bearer token (such as an OAuth or SAML token) presented by a client application to an external authorizer. The figure below is an excerpt from the online document "Enable Amazon API Gateway Custom Authorization"; the "Lambda Auth function" at the top of the figure is the authorizer. When configured to do so, API Gateway delegates validation of the token to the authorizer.

[Figure: Custom Auth Work Flow]

As before, Amazon API Gateway itself does not provide OAuth server functionality, but you can use Custom Authorizer to protect APIs built on Amazon API Gateway with OAuth access tokens.
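The delegation described above, sketched as a TOKEN-type Lambda authorizer. This is an added example, not code from the original page or from AWS. The `introspect` helper and the `SAMPLE_TOKENS` table are constructed stand-ins for a call to the OAuth server's introspection endpoint, and the `required_scope` and `now` parameters are hypothetical conveniences for running it offline.

```python
import re
import time

# Constructed sample data standing in for the OAuth server's introspection
# results; a deployed authorizer would query the authorization server instead.
SAMPLE_TOKENS = {
    "tok-valid": {"active": True, "sub": "user-1", "scope": "read", "exp": 4102444800},
    "tok-expired": {"active": True, "sub": "user-2", "scope": "read", "exp": 1},
}

def introspect(token):
    """Hypothetical helper: return token metadata, or inactive if unknown."""
    return SAMPLE_TOKENS.get(token, {"active": False})

def extract_bearer(header_value):
    """Return the token from 'Bearer <token>' (RFC 6750), or None if malformed."""
    m = re.fullmatch(r"Bearer ([A-Za-z0-9\-._~+/]+=*)", header_value or "", re.I)
    return m.group(1) if m else None

def policy(principal, effect, method_arn):
    """Build the response API Gateway expects: a principal plus an IAM policy."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }

def handler(event, context=None, required_scope="read", now=None):
    """Authorizer entry point: event carries authorizationToken and methodArn."""
    token = extract_bearer(event.get("authorizationToken"))
    if token is None:
        # API Gateway turns an error with this exact message into a 401.
        raise Exception("Unauthorized")
    info = introspect(token)
    now = time.time() if now is None else now
    # Unknown, revoked and expired tokens are all rejected the same way.
    if not info.get("active") or info.get("exp", 0) <= now:
        raise Exception("Unauthorized")
    # A valid token lacking the required scope gets an explicit Deny (403).
    scopes = info.get("scope", "").split()
    effect = "Allow" if required_scope in scopes else "Deny"
    return policy(info["sub"], effect, event["methodArn"])
```

Returning a Deny policy rather than raising lets API Gateway distinguish an authenticated but under-privileged caller (403) from a missing or invalid token (401).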


1.1. Before Custom Authorizer

Before Custom Authorizer was introduced, protecting APIs with OAuth access tokens required introspecting and validating the access token inside the implementation of a Lambda function. Our document "Amazon API Gateway + AWS Lambda + OAuth" shows how to do it the old way.