Secure Amazon Gateway APIs using OAuth with WSO2 Identity Server

Dinali Rosemin Dabarera
2 min read · May 19, 2019


AWS API Gateway is a commonly used cloud-based API gateway for exposing APIs, and by default the APIs it exposes are open. Leaving APIs open is not a good idea for enterprise platforms that want their consumers to have a secure and user-friendly API consumption experience.

WSO2 Identity Server is the best solution for this requirement. WSO2 IS provides fully functional OAuth2 security for your open APIs. If you are using AWS API Gateway, all you have to do is write a simple Lambda function that rejects API calls made without an access token issued by WSO2 Identity Server.

In order to achieve this requirement you have to follow these steps:

  • All your API-consuming third-party applications should be registered as OAuth service providers in WSO2 Identity Server.
  • Only trusted users can get an access token from WSO2 Identity Server, using the client_id and client secret of a previously registered service provider.
  • Write a Lambda function in AWS that validates the access token sent with calls to the AWS APIs by calling the WSO2 Identity Server introspection endpoint (https://localhost:9443/oauth2/introspect or http://localhost:9763/oauth2/introspect).

A sample Lambda authorizer (Node.js) for AWS:

console.log('starting lambda');
var http = require('http');

// Lambda authorizer entry point: API Gateway passes the incoming token in
// event.authorizationToken and the called method in event.methodArn.
exports.handler = function(event, context) {
    var tkn = event.authorizationToken;
    var postData = 'token=' + tkn;
    console.log(postData);
    var options = {
        hostname: 'x.x.x.x',            // WSO2 Identity Server host
        port: 9763,
        path: '/oauth2/introspect',
        method: 'POST',
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded',
            'Content-Length': Buffer.byteLength(postData),
            'Authorization': 'Basic <base64-encoded username:password of an admin user who has application management permissions>'
        }
    };

    var req = http.request(options, (res) => {
        console.log(`STATUS: ${res.statusCode}`);
        console.log(`HEADERS: ${JSON.stringify(res.headers)}`);
        res.setEncoding('utf8');
        var body = '';
        // The introspection JSON may arrive in more than one chunk, so collect
        // the whole body and parse it only once the response has ended.
        res.on('data', (chunk) => {
            body += chunk;
        });
        res.on('end', () => {
            console.log(`BODY: ${JSON.stringify(body)}`);
            validationReq(body, event, context);
        });
    });
    req.on('error', (e) => {
        // Introspection unreachable: never fall through to an allow.
        console.log(`problem with request: ${e.message}`);
        context.fail("Unauthorized");
    });
    // write data to request body
    req.write(postData);
    req.end();
};

// Decide on the introspection response: only an "active": true token is allowed.
var validationReq = function (obj, evt, ctx) {
    console.log(obj);
    var active = false;
    try {
        obj = JSON.parse(obj);
        active = obj['active'] === true;
    } catch (e) {
        console.log(`could not parse introspection response: ${e.message}`);
    }
    if (active) {
        console.log('Token verified');
        ctx.succeed(generatePolicy('user', 'Allow', evt.methodArn));
    } else {
        ctx.fail("Unauthorized");
    }
};

// Build the IAM policy document API Gateway expects back from an authorizer.
var generatePolicy = function(principalId, effect, resource) {
    var authResponse = {};
    console.log(resource);
    authResponse.principalId = principalId;
    if (effect && resource) {
        var policyDocument = {};
        policyDocument.Version = '2012-10-17'; // default version
        policyDocument.Statement = [];
        var statementOne = {};
        statementOne.Action = 'execute-api:Invoke'; // default action
        statementOne.Effect = effect;
        statementOne.Resource = resource;
        policyDocument.Statement[0] = statementOne;
        authResponse.policyDocument = policyDocument;
    }
    return authResponse;
};

By publishing this Lambda function as an authorizer in your AWS API Gateway, the API can only be called with an access token generated by WSO2 Identity Server, which means your AWS APIs are now secured with OAuth support from WSO2 Identity Server.
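As an added example (not the author's code), the decision logic below hardens the authorizer above: it strips an optional Bearer prefix from the token, checks the RFC 7662 introspection fields active, exp and scope that WSO2 IS returns, and answers with an explicit Deny policy instead of a bare Unauthorized. The sample introspection responses and the method ARN are constructed for illustration, and the nowSeconds parameter is a hypothetical hook that makes expiry checks testable.

```javascript
'use strict';

// API Gateway may hand the authorizer "Bearer <token>"; introspection wants the bare token.
function extractToken(authorizationToken) {
  if (typeof authorizationToken !== 'string') return null;
  var m = /^Bearer\s+(\S+)$/i.exec(authorizationToken.trim());
  return m ? m[1] : authorizationToken.trim();
}

// IAM policy document in the shape API Gateway expects from a Lambda authorizer.
function generatePolicy(principalId, effect, resource) {
  return {
    principalId: principalId,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: effect, Resource: resource }]
    }
  };
}

// Map a WSO2 IS (RFC 7662) introspection body to Allow/Deny for methodArn.
// Allow only if the token is active, not expired (exp is seconds since epoch)
// and its space-separated scope list contains requiredScope (when one is given).
function decide(introspectionBody, methodArn, requiredScope, nowSeconds) {
  var info;
  try {
    info = JSON.parse(introspectionBody);
  } catch (e) {
    return generatePolicy('anonymous', 'Deny', methodArn); // malformed reply: deny
  }
  var now = nowSeconds === undefined ? Math.floor(Date.now() / 1000) : nowSeconds;
  var principal = info.username || info.client_id || 'anonymous';
  if (info.active !== true) return generatePolicy(principal, 'Deny', methodArn);
  if (typeof info.exp === 'number' && info.exp <= now) return generatePolicy(principal, 'Deny', methodArn);
  if (requiredScope) {
    var scopes = (info.scope || '').split(' ').filter(Boolean);
    if (scopes.indexOf(requiredScope) === -1) return generatePolicy(principal, 'Deny', methodArn);
  }
  return generatePolicy(principal, 'Allow', methodArn);
}

// Constructed sample data (not captured from a real WSO2 IS or AWS account).
var ACTIVE_REPLY = JSON.stringify({ active: true, scope: 'openid read', client_id: 'app1',
  username: 'alice', token_type: 'Bearer', exp: 2000000000 });
var INACTIVE_REPLY = JSON.stringify({ active: false });
var ARN = 'arn:aws:execute-api:eu-west-1:123456789012:abcdef123/prod/GET/orders';
```

Wire it in by replacing the `active` check in validationReq with `ctx.succeed(decide(body, evt.methodArn, 'read'))`, so a bad token yields a cached Deny policy rather than a 401 from the authorizer itself.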

Enjoy OAuth with AWS using Identity Server!!!

Written by Dinali Rosemin Dabarera

Integration Consultant (IAM) @ Yenlo Nederland B.V, specialized in WSO2 IAM, an Identity Evangelist, a blogger, a nature lover, a backpacker