Hello there!
My implementation for lambdas is almost ready. Now the challenge is to protect them using a token.
My identity provider is Apple, and I am using the Sign in with Apple functionality to generate an ID token. This is done not through Cognito, but through my own implementation using Apple APIs.
The way I see this works is:
- API gateway calls lambda authorizer
- Lambda authorizer verifies the Authorization header value (which is the token I supply from the client)
- API gateway caches authorizer response with cache key = token, cache value = Policy object I generated in the authorizer
Please correct me if my understanding isn't correct.
Here is the Policy document I generate based on the token, just in case there is any optimization needed in it:
{
  "principalId": "<user ID extracted from token>",
  "policyDocument": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "execute-api:Invoke",
        "Effect": "Allow",
        "Resource": [
          "arn:aws:execute-api:<aws-region-code>:<my_aws_account_id>:<my_rest_api_endpoint_id>/dev/GET/<resource>"
        ]
      }
    ]
  }
}
Now the problem I see is that such verification involves latency: it involves calling Apple's servers and verifying the JWT. This response, as far as I know, is cached for a maximum of 3600 seconds by API Gateway.
The Apple token I get has 1 day validity. This means that once verified, I don’t have to verify it for 24 hours for a user. If I get caching up to that much duration, it is good and efficient usage of the lambda authorizer.
If the cache keeps expiring every hour, it means every lambda call will have the overhead of the authorizer.
Is there another obvious solution to this problem that I don't see?