This page describes how to support user authentication in API Gateway.
To authenticate a user, a client application must send aJSON Web Token (JWT) in the authorization header of theHTTP request to your backend API. API Gatewayvalidates the token on behalf of your API, so you don't have to add any code inyour API to process the authentication. However, you do need to configure theAPI config for your gateway to support your chosen authentication methods.
API Gateway validates a JWT in a performant way by using the JWTissuer's JSON Web Key Set (JWKS). The location of the JWKS is specified in the x-google-jwks_uri
field of the gateway's API config. API Gateway caches the JWKS for fiveminutes and refreshes it every five minutes.
Before you begin
- Add authentication code to your client application, following theauthentication provider's documentation.
- When your client application sends an HTTP request, the authorization header inthe request must contain the following JWT claims:
iss
(issuer)sub
(subject)aud
(audience)iat
(issued at)exp
(expiration time)
Configuring API Gateway to support client authentication
You must have a securityrequirement object and a securitydefinitions object in your API config for API Gateway tovalidate the claims in the signed JWT.
To support JWT authentication:
Add the following to the security definition in your API config, which follows the OpenAPI 2.0 security scheme:
securityDefinitions: your_custom_auth_id: authorizationUrl: "" flow: "implicit" type: "oauth2" # The value below should be unique x-google-issuer: "issuer of the token" x-google-jwks_uri: "url to the public key" # Optional. Replace YOUR-CLIENT-ID with your client ID x-google-audiences: "YOUR-CLIENT-ID"
Add a security section at either the API level to apply to the entireAPI, or at the method level to apply to a specific method.
security: - your_custom_auth_id: []
You can define multiple security definitions in the API config, but eachdefinition must have a different issuer. If you use security sections at boththe API level and at the method level, the method-level settings override theAPI-level settings.
The x-google-audiences
field is not required. API Gatewayaccepts all JWTs with the backend service name in the form ofhttps://SERVICE_NAME
in the aud
claim.
To allow additional client IDs to access the backend service, you can specify theallowed client IDs in the x-google-audiences
field by usingcomma-separated values. API Gateway then accepts the JWTs with any of thespecified client IDs in the aud
claim.
The x-google-jwks_uri
field is required.API Gateway supports two asymmetric public key formats definedby the x-google-jwks_uri
OpenAPI extension:
- JWK set format.For example:
x-google-jwks_uri: "https://YOUR_ACCOUNT_NAME.YOUR_AUTH_PROVIDER_URL/.well-known/jwks.json"
- X509. For example:
x-google-jwks_uri: "https://www.googleapis.com/service_accounts/v1/metadata/x509/securetoken@system.gserviceaccount.com"
If you are using a symmetric key format, set x-google-jwks_uri
tothe URI of a file that contains the base64url-encoded key string.
Making an authenticated call to an API Gateway API
When you send a request using an authentication token, werecommend that you put the token in the Authorization:Bearer
header. Forexample:
curl --request POST \ --header "Authorization: Bearer ${TOKEN}" \ "${GATEWAY_URL}/echo"
Here, GATEWAY_URL
and TOKEN
are environment variables containing yourdeployed gateway URL and authentication token, respectively. SeeMaking an authenticated request to an API Gateway API for sample code that sends a request using the Authorization:Bearer
header.
If you cannot use the header when sending the request, you can put theauthentication token in a query parameter called access_token
. For example:
curl "${GATEWAY_URL}/echo?access_token=${TOKEN}"
Receiving authenticated results in your API
API Gateway usually forwards all headers it receives. However, it overrides theoriginal Authorization
header when the backend address is specified byx-google-backend
in the API config.
API Gateway will send the authentication result in the X-Apigateway-Api-Userinfo
to the backend API. It is recommended to use this header instead of the originalAuthorization
header. This header is base64url
encoded and containsthe JWT payload.
What's next
FAQs
Any API that requires authentication can easily switch over to JWT's authorization. With JWT authorization, you get a user-based authentication. Once the user is authenticated, the user gets a secure token that they can use on all systems. The management of the user (and therefore the token) is centralized.
How to use JWT with API Gateway? ›
To create a JWT authorizer using the console
Sign in to the API Gateway console at https://console.aws.amazon.com/apigateway . Choose an HTTP API. In the main navigation pane, choose Authorization. Choose a method, and then select your authorizer from the dropdown menu, and choose Attach authorizer.
How do you authenticate a user using JWT? ›
To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication.
How do I authenticate web API using JWT token? ›
To secure a minimal API using JWT authentication, we will follow these steps:
- Create a minimal API project in Visual Studio 2022.
- Create an API endpoint in the Program. ...
- Add the Microsoft. ...
- Implement JWT authentication in the Program. ...
- Create a user model class named User to store the login credentials of the user.
What are the disadvantages of JWT authentication? ›
Once a JWT is issued, there is no straightforward way to invalidate it before its expiration time. This can pose a problem if a user logs out or if their privileges need to be revoked due to a security concern. To address this weakness, developers must implement additional mechanisms for token revocation.
When not to use JWT? ›
We already established that storing sensitive data inside localStorage is a bad idea. To reiterate, whatever you do, don't store a JWT in localStorage (or sessionStorage). If any of the third-party scripts you include in your page are compromised, it can access all your users' tokens.
Does Google use JWT? ›
When using the Google Wallet API, you encode the details of the Passes Object you want to use to create a pass instance in JWT (pronounced "jot") format, then send that JWT in a request to the Google Wallet API. JWTs are kept secure by signing them with a shared secret before they are sent to the Google Wallet API.
How does JWT authentication work in REST API? ›
When using a JWT, the client first authenticates with the server. The server then responds with a JWT. The client then includes the JWT in subsequent requests to the server. The server can then use the JWT to verify the identity of the client.
Is JWT authentication or authorization? ›
JSON Web Token (JWT) is a commonly used user authentication and authorization standard, used to exchange data in a secure manner. Made up of three components, a header, a payload, and a signature, it's becoming more and more commonly used.
What is required for JWT authentication? ›
User sign-in using username and password. The authentication server verifies the credentials and issues a JWT signed using a private key. Moving forward, the client will use the JWT to access protected resources by passing the JWT in the HTTP Authorization header.
Here are the key steps for performing JWT validation:
- Retrieve and parse the JSON Web Key Set (JWKs)
- Decode the token.
- Verify the claims.
- Verify the signature.
Why use JWT? ›
A JWT contains all the required information about an entity to avoid querying a database more than once. The recipient of a JWT also does not need to call a server to validate the token.
How do I authenticate a user using token? ›
Token Authentication in 4 Easy Steps
- Request: The person asks for access to a server or protected resource. ...
- Verification: The server determines that the person should have access. ...
- Tokens: The server communicates with the authentication device, like a ring, key, phone, or similar device.
What is the difference between OAuth and JWT? ›
Here are some differences between OAuth and JWT: Main function: OAuth is used for authorization, while JWT is used for authentication and exchanging information. Security: OAuth is a secure way to manage authorization flows, while JWT is a lightweight and self-contained token.
How to authenticate an API? ›
A common implementation is to access APIs with the OAuth2 client credentials grant type. In this scenario, the API client uses its client ID and client secret to request an access token. The access token is then used on subsequent calls against the protected endpoints to authenticate the API client.
What is the best authentication for API? ›
- #1 API Key (identification only) One of the easiest ways to identify an API client is by using an API key. ...
- #2 OAuth2 token. OAuth2 is a comprehensive industry standard that is widely used across API providers. ...
- #3 External token or assertion. ...
- #4 Token Exchange. ...
- #5 Identity facade for 3 legged OAuth.
Can we use JWT in REST API? ›
The incoming HTTP request for REST API call must contain the request header “Authorization” with scheme “Bearer” followed by JWT. The signature of the token and expiration date is verified by the system.
Should I use JWT for authorization? ›
My conclusion: Use traditional session-based authentication. It's more secure and flexible than JWT. JWT is a good fit for cases/situations where you want to issue a one-time token to be used for a specific purpose.
Is JWT obsolete? ›
The JWT app type will be completely deprecated as of June 2023. New and current users have 12 months to migrate their JWT based solutions to the Server-to-Server OAuth app type.