
Acquiring an OAuth token from API Gateway pass-through endpoint

I have an endpoint which I usually call only from within my application. The endpoint returns data from an internal-only RESTful API. To call it, my application must use an OAuth client ID and secret to acquire a token. This happens within my app without any user involvement, because the user has no need to know about it.

I want to migrate my app to AWS as a serverless application, which means the entire logic can be moved into the static site portion hosted on S3.

The only problem is that, because I would not need a Lambda or other server-side application, I have no method to retrieve the OAuth token securely and cannot make the internal API call.

I was thinking I could make an API Gateway configuration which could acquire the token by retrieving the ID and secret from Secrets Manager, make the OAuth token call, and then apply the token to the header of the internal pass-through request.

Is this possible, or do I definitely need a server-side app to acquire the token first?

Example journey:

S3 via CloudFront serves VueJS site > JS calls public API Gateway endpoint > Endpoint calls Secrets Manager to get OAuth credentials > Endpoint calls internal corporate (private) API to get OAuth token > Endpoint calls internal corporate (private) endpoint to get data, passing token in header > Endpoint returns data to client

You can do it with CloudFront Lambda@Edge.

Since you're serving a static website with S3, putting it behind a CloudFront distribution will provide you the ability to serve your content securely with HTTPS (easier with AWS Certificate Manager, ACM) and add an authentication flow by setting a Lambda@Edge function in the CloudFront distribution's ViewerRequest.

Here are some examples of how to implement it:

I usually use this solution to protect the staging environment (which is "public") from unknown users. Please mind the costs of this solution; see Lambda@Edge Pricing. If it's for a large organization, then this solution might be costly.
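The part of the journey that must never run in the browser is the client-credentials token call, since shipping the client ID and secret inside the S3-hosted JavaScript would expose them to every visitor. Whatever AWS component does the work (a Lambda behind the API Gateway endpoint, or a Lambda@Edge function as the answer suggests), the shape of that server-side code is the same. The following is an added example, not code from the question or the answer: a Node.js token provider that loads the client credentials from a secret store, performs the OAuth 2.0 client-credentials grant (RFC 6749 section 4.4) with HTTP Basic client authentication, caches the access token until shortly before it expires, and forwards only the client's path and query to the internal API with a Bearer header. The `loadSecret`, `httpPost` and `httpGet` functions are injected so the module runs offline; in a real Lambda they would wrap the Secrets Manager SDK client and an HTTP client. The hostnames, secret values and token strings are constructed for the demonstration.

```javascript
// Added example (not from the original post). Server-side OAuth client-credentials
// token acquisition with caching, plus a minimal pass-through to the internal API.

const CLOCK_SKEW_MS = 30 * 1000; // refresh a little before the token actually expires

function createTokenProvider({ loadSecret, httpPost, tokenUrl, now = () => Date.now() }) {
  let cached = null; // { accessToken, expiresAt }

  async function getToken() {
    if (cached && cached.expiresAt - CLOCK_SKEW_MS > now()) {
      return cached.accessToken; // still valid: no secret lookup, no token call
    }
    const { clientId, clientSecret } = await loadSecret(); // credentials stay server-side
    // Client credentials grant; the client authenticates with HTTP Basic (RFC 6749 §2.3.1)
    const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
    const res = await httpPost(tokenUrl, {
      headers: {
        Authorization: `Basic ${basic}`,
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: 'grant_type=client_credentials',
    });
    if (res.status !== 200) throw new Error(`token endpoint returned ${res.status}`);
    const body = JSON.parse(res.body);
    cached = { accessToken: body.access_token, expiresAt: now() + body.expires_in * 1000 };
    return cached.accessToken;
  }
  return { getToken };
}

// Forward a client request to the internal API with the bearer token. Only the path
// and query come from the client, so it cannot choose the upstream host or supply
// its own Authorization header.
async function proxyRequest(tokenProvider, httpGet, upstreamBase, clientPath) {
  const token = await tokenProvider.getToken();
  const res = await httpGet(`${upstreamBase}${clientPath}`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  return { status: res.status, body: res.body };
}

// Constructed fakes for offline use: an in-memory secret store, a token endpoint and an
// upstream API that count how often they are hit, and a controllable clock.
function makeFakes() {
  const calls = { token: 0, upstream: 0 };
  let t = 1000000;
  const basicExpected = 'Basic ' + Buffer.from('example-client:example-secret').toString('base64');
  return {
    now: () => t,
    advance: (ms) => { t += ms; },
    calls,
    loadSecret: async () => ({ clientId: 'example-client', clientSecret: 'example-secret' }),
    httpPost: async (url, opts) => {
      calls.token += 1;
      const ok = url === 'https://auth.internal.example/oauth/token'
        && opts.headers.Authorization === basicExpected
        && opts.body === 'grant_type=client_credentials';
      return ok
        ? { status: 200, body: JSON.stringify({ access_token: 'tok-' + calls.token, token_type: 'Bearer', expires_in: 3600 }) }
        : { status: 401, body: '{"error":"invalid_client"}' };
    },
    httpGet: async (url, opts) => {
      calls.upstream += 1;
      const authorized = opts.headers.Authorization.startsWith('Bearer tok-');
      return authorized ? { status: 200, body: JSON.stringify({ url, data: 'internal' }) } : { status: 401, body: '' };
    },
  };
}

// Three client requests: the first fetches a token, the second reuses it, the third
// runs after expiry and must fetch a fresh one.
async function demo() {
  const f = makeFakes();
  const provider = createTokenProvider({
    loadSecret: f.loadSecret, httpPost: f.httpPost,
    tokenUrl: 'https://auth.internal.example/oauth/token', now: f.now,
  });
  const base = 'https://api.internal.example';
  const first = await proxyRequest(provider, f.httpGet, base, '/v1/report?id=7');
  const second = await proxyRequest(provider, f.httpGet, base, '/v1/report?id=8');
  f.advance(3600 * 1000);
  const third = await proxyRequest(provider, f.httpGet, base, '/v1/report?id=9');
  return { first, second, third, tokenCalls: f.calls.token, upstreamCalls: f.calls.upstream };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Two design points matter for the question's setup: the token cache means the secret store and the token endpoint are hit once per token lifetime rather than once per client request, and the proxy deliberately discards any Authorization header the browser sends, so the public endpoint only ever presents credentials it obtained itself. Whether the endpoint should also require the caller to be authenticated (for example with a Cognito authorizer on API Gateway) is a separate question that this code does not address.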
