Question #1046
A company is developing a mobile backend using AWS. The backend uses Amazon API Gateway REST API to trigger an AWS Lambda function, which processes data and stores it in an Amazon DynamoDB table. The company wants to implement user authentication, leveraging their existing third-party identity provider that issues OAuth 2.0 tokens. They need a solution that integrates seamlessly with their current setup.
Which solution meets these requirements?
A. Integrate the third-party identity provider with API Gateway. Configure an API Gateway Lambda authorizer to validate OAuth 2.0 tokens from the identity provider. Enforce the Lambda authorizer on all API endpoints. Update the mobile backend to obtain tokens from the identity provider and include them in the Authorization header for API Gateway requests.
B. Integrate the third-party identity provider with Amazon Cognito. Configure Cognito as a JWT authorizer for API Gateway to validate tokens. Enforce the Cognito authorizer on all API endpoints. Update the mobile backend to use Cognito-hosted UI for token retrieval and include tokens in API requests.
C. Integrate the third-party identity provider with AWS IAM. Configure IAM roles with permissions to invoke the API Gateway REST API. Update the mobile backend to assume the IAM role using AWS Security Token Service (STS) and sign requests with SigV4 signatures.
D. Integrate the third-party identity provider with AWS IAM Identity Center. Configure API Gateway to use IAM Identity Center for automatic token validation. Update the mobile backend to retrieve temporary credentials from IAM Identity Center and include them in API requests.
Explanation
Answer A is correct because:
1. Lambda Authorizer Flexibility: A REST API Lambda authorizer (TOKEN or REQUEST type) receives the bearer token from the request and runs custom code before the backend Lambda function is invoked. That code can fetch the third-party identity provider's (IdP's) JSON Web Key Set (JWKS), verify the token signature, check the issuer, audience and expiry claims, and map scopes to an IAM policy that allows or denies execute-api:Invoke. A REST API has no built-in OAuth 2.0 authorizer for arbitrary IdPs (its only managed option is the Cognito user pool authorizer), so custom validation is the supported way to trust the existing IdP directly.
2. No Additional Identity Service: Options B, C and D each place an AWS identity service (Amazon Cognito, IAM roles obtained through STS, or IAM Identity Center) between the IdP and the API. Option A uses only components already in the architecture, API Gateway and Lambda, so nothing new has to be provisioned or federated.
3. Token Handling: The mobile client keeps obtaining tokens from the existing IdP and sends them as Bearer tokens in the Authorization header, so the current authentication workflow is unchanged; only the API side gains validation.
Why other options are incorrect:
- B: Amazon Cognito becomes a second identity provider in the path. Users would be sent through the Cognito-hosted UI and receive Cognito-issued tokens instead of the IdP's own, which changes the authentication flow the company wants to keep. In addition, "JWT authorizers" are an API Gateway HTTP API feature; a REST API offers only Cognito user pool authorizers, so the option does not fit the REST API in the question.
- C: IAM authorization on API Gateway requires SigV4-signed requests made with AWS credentials, not bearer tokens. The client would have to exchange each IdP token for temporary credentials through STS (AssumeRoleWithWebIdentity) and sign every request, which replaces the OAuth 2.0 flow rather than reusing it.
- D: IAM Identity Center provides workforce single sign-on to AWS accounts and applications. API Gateway has no authorizer type that validates tokens or credentials issued by IAM Identity Center (REST API authorizers are NONE, AWS_IAM, CUSTOM and COGNITO_USER_POOLS), and it is not an OAuth 2.0 token validation service for customer-facing APIs.
Key Points: Use a Lambda authorizer when an API Gateway REST API must accept tokens from a third-party OAuth 2.0 IdP without changing the client's token flow. Cognito, IAM and IAM Identity Center are not wrong in general, but each inserts an identity service the requirement does not call for. The authorizer is only as strong as its validation: verify the signature against the IdP's JWKS, pin the expected signing algorithm rather than trusting the token header, check iss, aud and exp, return a least-privilege policy, and choose the authorizer result cache TTL with the token lifetime in mind, since a cached Allow outlives token revocation until the TTL expires.
Answer
The correct answer is: A