Okta + AWS API Gateway (Lambda authorizer)

In this example, AWS API Gateway fronts a 'solar system' API. When a resource is requested, API Gateway passes the bearer access token (a JWT) to a Lambda authorizer function. The Lambda function verifies the JWT's signature against the signing keys the Okta authorization server publishes (its jwks_uri, discovered from the server's well-known metadata endpoint), builds an IAM policy dynamically from the token's claims, and returns that policy to the Gateway. If the policy allows the method and resource being requested, the Gateway forwards the request to the target API endpoint; otherwise it rejects the request (403 when the policy denies it, 401 when the authorizer rejects the token outright).

Authenticate as one of the demo users listed below to get started.

The page displays the access token together with its decoded claims (retrieved from the authorization server's /introspect endpoint); the raw access token is also written to the console.


In this scenario, one user (Clark Kent) is subscribed to the "silver" level of access, so his access token lets him call the /planets endpoint by virtue of the "http://myapp.com/scp/silver" scope. Okta mints the access token with that scope because Clark belongs to the "silverSubscribers" group in Okta.

Similarly, another user (Lois Lane) is subscribed to the "gold" level of access, so the scopes in her access token let her call the /moons endpoint as well as the /planets endpoint.

Try the buttons first as an unauthenticated user, then as Clark and as Lois, to see how each access token interacts with the API endpoints.

SILVER Access: A list of the planets

username: clark.kent
password: mars

proxy endpoint: https://530kw7hqg8.execute-api.us-east-2.amazonaws.com/test/planets


GOLD Access: A list of (selected) moons

username: lois.lane
password: mars

proxy endpoint: https://530kw7hqg8.execute-api.us-east-2.amazonaws.com/test/moons