Serverless Authorization

Marcia Villalba
Published in foobar-tech
3 min read · Dec 12, 2016

In today's blog post I want to talk about security, again! This is another post in the Serverless series; for more videos and posts on serverless, go here.

This will be quite a complex blog post, as there are many moving parts involved in getting the example to work. But let's start at the beginning…

What do I want to do?

I want to make secure calls to my backend (API Gateway) and accept only authorized requests. Before, we achieved this using an API key, but that is not very secure: if the API key leaks, the API Gateway is exposed. So I want some other way to secure the API calls. For that we will use tokens.

Tokens are created by a token machine and are valid for a period of time. Later you can validate a token against the token machine when a call to the API Gateway is made.

How do we do this?

To achieve this we need to integrate many different providers and systems into the picture, and this is where serverless shines.

We will use a service called Auth0 to take care of the authentication (AWS has a similar service called Cognito). Auth0 is the company that provides the token machine: it creates and validates the tokens (and offers many other features related to authentication).

Then we will have an API Gateway with two Lambdas attached. One Lambda works with the API Gateway as normal; the other will be the authorizer.

The authorizer Lambda calls Auth0 to verify that the token is valid and, if it is, creates a policy that API Gateway can evaluate, after which the normal Lambda can execute.

Architecture of our serverless system

Steps to achieve this

  1. The first step is to register an account in Auth0 and create a new client. Auth0 is free for developers, so you can try it with no problems. You can pick what kind of client you want, whether a native app or a web app. When you create the client, you will get an id, a secret and a domain that you will use in your calls to Auth0. I have created a native app for iOS Swift, and I have only created a connection to Facebook authentication. But feel free to configure it as you please.
  2. Create a native app or web page that integrates Auth0. After registering with Auth0, you need to create a client where the users will log in and log out. You can follow Auth0's instructions on how to do that. Auth0 provides a ready-made UI for login. I created an iOS app that allows a user to log in with Facebook, then shows the user profile, and also makes it possible to log out. You can find the code for the app here.
  3. Now let's go to the server(less) world. Let's create a function that does something. I am lazy, so I just created a new project with serverless and used the “Hello world” function that comes as an example. Deploy it and test it.
  4. Let's create the authorizer… you need to watch the video for the detailed instructions.

Creating and using the authorizer

If you want more info on creating your authorizer, check the AWS documentation about it. This is something pretty new, so it can change over time.

Get the code for the authorizer from here. The authorizer is missing a config.js file, where you should add something like this:

var env = {};
env.AUTH0_SECRET = '<auth0 secret>';
env.DOMAIN = '<auth0 domain>';
module.exports = env;

You can get the iOS Swift app from here. The app is missing the files Auth0.plist and Info.plist. You can check how to configure them in the Auth0 documentation.

If you like this post, like it and share it with your friends. Subscribe to the Medium page or to the YouTube channel to get notified when I launch a new blog post and video. If you have any questions or comments, please let me know in the comment box below!


I am Marcia Villalba, a software engineer from Uruguay, living in Helsinki. I've been working for over 10 years in the IT industry. I love traveling, cats and food.