Serverless token machine | API Gateway authorizer and API keys | FooBar


★★ README / OPEN ME ★★

☆☆ ABOUT THIS VIDEO ☆☆
In this video I will show you how to create a token machine with serverless. We are going to create 2 different endpoints, one to get a token secured with an API Key and another endpoint that is a "business logic" endpoint that is secured with a token. We are using 2 features of API Gateway to secure these endpoints: API keys and Custom Authorizer.

☆☆ ABOUT FOOBAR ☆☆
In this channel you can find mostly coding tutorials. In addition, I like also talking about architecture, software design, motivation and leadership. But sometimes I like to drop some of my hobbies into the channel.
There is a new video every Tuesday, so stay tuned :)

Comments

Why do you like to use the Ireland region?

KnucklePlastic

Hello, where can I view the policies it generates? And what could I do with that generated policy text?

marcoantonioguerreroalfaro

Do I always need to validate the token on subsequent requests?

bosypuspus

Can you tell me how to use this with Claudia.js?

Hallman-official

Hey foobar, I am new to serverless. I followed your video and created both APIs, register and hello. When I call the register function through Postman, the token is generated successfully in the response, but when I use that token and call the hello function through Postman, I get { "message": null }. Why is this happening? I even compared my code with your video code and both are the same. Please help me.

Howto-kwjs

Great video Marcia. I was able to get a similar setup using Python. Will post an article on that shortly.
Couple of questions:
In that video you are using ‘secret’ as the secret. Is there a way to pass a really secure secret to the authorizer? Is Environment variable the only way to pass it?
It appears that even though you can protect a Lambda function using an authorizer for calls coming from the API Gateway, other Lambdas can call it directly without any hindrance. Do you have any thoughts on how to prevent that? I had to call the token check within the HelloWorld Lambda as well to prevent unauthorized calls. I would like to keep the authorization separate irrespective of whether the call is coming from API Gateway or internally. Any thoughts?

srinikarlekar

Hi Marcia,
Can you please explain this using C# code?

TheGaurang

Question: do you have any DynamoDB example? Something beyond hello world. I am particularly interested in a database for GPS locations on a map.

knshinsoto

Instead of copying the JWT token into the authorisation header, is there a way to do it automatically?

So as soon as the token is authorised, the client gets it.

PoppyMusica

Hi foobar, I have a very humble request from my side.
We know you already did a video for API Gateway + Lambda in serverless and for API Gateway + Auth0.

Please do a video on API Gateway + Lambda + Auth0. I understand you already did, but it is very difficult to understand and follow those docs.
Even if it is live it would be awesome.

Please make the video in detail; if it is long that is fine, as long as it is under 30 mins.

justgaming

Hello Marcia,

First I want to congratulate you for the great job you are doing in foobar123. Thanks to your videos... Serverless is fun!!!

I would like you to advise me on how I should secure calls from an "API Gateway + Lambda" in a public portal.

For example, an AWS-S3-Static-ReactJS-SPA that offers the option to send messages to any user who accesses the web, without the need to authenticate. The message is sent through a "Gateway + Lambda API", which uses AWS-SNS to send the mail.

I can think of several things ...
1) Make use of reCAPTCHA in the client. Although something is protected, I still do not secure the "API Gateway + Lambda"
2) Make use of "Gateway API private + API Keys". If I have not misunderstood, this option is still insecure since anyone can get the used KEY and build the calls to the "Gateway API private"
3) Make use of "API Gateway Lambda Authorizers + JWT + API keys". But since there is no authenticated user, you should generate the token based on other data particular to the request, such as the source IP, right?

What do you think?

Thanks in advance and greetings

albrtmg