Best Practices: Custom Authorizer vs. Cognito Authenticated Role Selection

Hi all -

I was hoping for some advice on how best to set up authorization for my serverless application. I’m fairly new to AWS, but I’m super new to serverless. As a quick sidenote, I was able to port months of work over to serverless in literally a single day, which was amazing.

I’m a little lost on what is the right practice for authorization in my application. It’s an internal business tool which may some day be sold externally. For right now at least, we are using Google OAuth to authenticate our users, specific to our domain (we have business gsuite).

Up until now, authentication has been sufficient for full permissions to hit our REST APIs. But, as these things always eventually happen, we now need to set up role-based authorization for various activity within the application.

Without using serverless, I’ve successfully set up a Cognito identity pool that relies on our google oauth and done a full round trip from Google -> App -> Cognito -> App with authenticated role selection based on the user’s email and set up the appropriate IAM role with trust on the identity pool.

I would of course like to automate all of this, but before I dig into that I’m not even sure I’m taking the best approach. I’m aware of custom lambda authorizers and am prepared to switch over to that instead of this authenticated role selection stuff. It also seems like I could use authorizers without even an identity pool since I have the google oauth, but I am hesitant to do that as in the long run, as I said, we may open this application up to other companies that will not be guaranteed to have GSuite.

Right now we are not storing any info about our users anywhere, because the information encoded in GSuite has been sufficient, but that is about to change as we add more features. We’re intending to use dynamo to track information about our users and put that behind restful endpoints as well.

So, obviously, there are a million different ways to do this. I’m looking for two things basically - advice on best practices as this sort of thing scales, and serverless plugins for automating whatever they would recommend. Are there boilerplate serverless authorizers that use role based authorization? Should I be using them?

I see a lot of plugins and examples for auth & auth, but I don’t see any that really line up cleanly with my use case. I suspect it’s because I’m blind.

Thanks and I appreciate the time anyone takes to read and respond to this. Really digging serverless!
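For readers weighing the custom authorizer route described above, here is an added example (not code from the original post or from the Serverless project) of what a role-based Lambda TOKEN authorizer for API Gateway looks like once the Google ID token has been verified. The role table, the hosted domain `example.com`, the permission map and the account/API ids in the method ARN are all constructed for illustration; the DynamoDB users table the post mentions is stood in for by an in-memory dict, and the token verifier is injected so the module runs offline (in production you would pass a function that calls `google.oauth2.id_token.verify_oauth2_token`, which is assumed here rather than shown).

```python
"""
Role-based Lambda custom (TOKEN) authorizer for API Gateway.

Added example, not the post's or the Serverless project's code. The domain,
role table, permission map and ARN values below are constructed placeholders.
"""
import os
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the DynamoDB users table the post plans to add.
ROLE_TABLE: Dict[str, str] = {
    "alice@example.com": "admin",
    "bob@example.com": "viewer",
}

# Hypothetical GSuite hosted domain; read from the environment in a real deploy.
ALLOWED_HOSTED_DOMAIN = os.environ.get("ALLOWED_HD", "example.com")

# Role -> (HTTP method, resource path) patterns that role may invoke.
# Granting the role's whole surface (not just the current method) keeps the
# policy valid when API Gateway caches it per token.
ROLE_PERMISSIONS: Dict[str, List[Tuple[str, str]]] = {
    "admin": [("*", "*")],
    "viewer": [("GET", "reports/*"), ("GET", "users/me")],
}


def parse_method_arn(method_arn: str) -> Tuple[str, str]:
    """Split 'arn:aws:execute-api:region:acct:apiId/stage/METHOD/path' into
    (api_prefix, stage) so policy resources target the same API and stage."""
    parts = method_arn.split("/", 3)
    if len(parts) < 3:
        raise ValueError("malformed methodArn")
    return parts[0], parts[1]


def resolve_role(claims: dict) -> Optional[str]:
    """Map verified Google ID-token claims to an application role, or None.
    Checks the email is verified and the hosted domain matches before looking
    the user up, so an unknown or foreign-domain account gets no role."""
    if not claims.get("email_verified"):
        return None
    if claims.get("hd") != ALLOWED_HOSTED_DOMAIN:
        return None
    return ROLE_TABLE.get(claims.get("email", "").lower())


def build_policy(principal_id: str, api_prefix: str, stage: str, role: str) -> dict:
    """Build the IAM policy document API Gateway expects from an authorizer.
    The role name is passed through `context` so handlers can read it from
    event.requestContext.authorizer without a second lookup."""
    resources = [f"{api_prefix}/{stage}/{method}/{path}"
                 for method, path in ROLE_PERMISSIONS[role]]
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": "Allow",
                "Resource": resources,
            }],
        },
        "context": {"role": role, "email": principal_id},
    }


def is_authorized(claims: dict) -> bool:
    """True if these claims would be issued any policy at all."""
    return resolve_role(claims) is not None


def authorize(claims: dict, method_arn: str) -> dict:
    """Turn verified claims plus the invoked method ARN into an Allow policy,
    or raise 'Unauthorized' (which API Gateway maps to HTTP 401)."""
    role = resolve_role(claims)
    if role is None:
        raise Exception("Unauthorized")
    api_prefix, stage = parse_method_arn(method_arn)
    return build_policy(claims["email"].lower(), api_prefix, stage, role)


def handler(event: dict, context, verify: Optional[Callable[[str], dict]] = None) -> dict:
    """Lambda entry point. `verify` must validate the bearer token's signature,
    audience and expiry and return its claims (assumed: wrap
    google.oauth2.id_token.verify_oauth2_token there)."""
    if verify is None:
        raise RuntimeError("no token verifier configured")
    token = event.get("authorizationToken", "")
    if not token.startswith("Bearer "):
        raise Exception("Unauthorized")
    claims = verify(token[len("Bearer "):])
    return authorize(claims, event["methodArn"])
```

Because API Gateway caches the returned policy by token, the policy covers everything the role may call rather than only the current method; per-record checks (for example, a viewer reading only their own DynamoDB row) still belong in the handler, keyed on the `email` and `role` passed through `context`.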