Configuration of the Amazon API Gateway Authorizer is performed on both the Platform and on the AWS Management Console.
Configuration on the Platform Side
Configuring the Platform:
- Obtain the required information to provide to the AWS Management Console
- Define the JWT Attributes for Identity Attributes Mapping
- Set the Authorization JWT Identifier
- Download the PlainID Authorization Lambda zip archive
Configuring on AWS
Configuration of the AWS Management Console to interface with the Platform includes:
- Creating the PlainID Authorization Lambda
- Uploading the PlainID Authorization Lambda zip archive
- Configuring Environmental Variables
- Deploying the Lambda
Setting up the Amazon API Gateway Authorizer
The following information is needed from the Platform to configure the Amazon API Gateway Authorizer:
| Parameter | Location | Instructions |
|---|---|---|
| JsonPath | Identity Workspace Settings > Identity Attributes | Select the relevant Attribute and get the JsonPath Value |
| Mapping Value | Environment Settings > Identity Provider (IDP) | Select an IDP and get the Mapping Value.l |
| Client ID | Environment Settings > Authorization Keys | Get Client ID |
| Secret Key | Environment Settings > Authorization Keys | Add a new Secret Key |
| Authorizer ID | Environment Settings > Authorizers | Select an existing authorizer or create a new authorizer - and use the Authorizer ID (Available only for saved/existing Authorizers). |
| URL of PDP (Runtime) | Assuming the Tenant/Account URL is: https://acme-financing.us1.plainid.io, the PDP_URL should be set to: | |
| https://acme-financing.us1.plainid.io/runtime |
Defining the JWT Attributes for Identity Attributes Mapping
The next step is to define the JWT Attributes that you wish to map as Identity Attributes in the Platform. The Identity Attributes can be retrieved from the JWT.
To define the JWT Attributes for Identity Attributes Mapping:
- Open the Identity Workspace Settings screen.
- Select one of the Identity Attributes.
- In the JSONPath type the JWT attribute/key name from which the value of the Attribute will be extracted (as seen below).
Setting up the Authorization JWT Identifier
To set the Authorization JWT Identifier:
- On the Environment Settings screen, click** Identity Provider (IDP)**. The Identity Provide (IDP) screen opens.
- Click on the relevant Identity Provider. The Identity Provider Details screen opens for the selected IDP.
- Click Edit. Fields in the screen that can be edited, become editable.
- In the Settings for Authorizers section, enter the Mapping Value for the Authorizer. This is a string/text of your choice that must then be included in the JWT payload as the Authorization Attribute. For example: "iss": "https://issuer.acme-bank.com"
Details
| Attribute | Information |
|---|---|
| sub (1) | Used for passing the ID of the user |
| iss (1) | The JWT issuer URL or Name/Map |
| user_organization (2) | Used to identify the user/identity “User Organization” attribute |
| user_title (2) | Used to identify the user/identity “User Title” attribute |
| user_business_unit (2) | Used to identify the user/identity “User Business Unit” attribute |
| user_location (2) | Used to identify the user/identity “User Location” attribute |
Reference
- This is a required Attribute.
- This Attribute is dependent on the Identity and Policy definitions - will be different per implementation.
Downloading the PlainID Authorization Lambda Zip Archive
When an API Authorizer is created in the Platform, a deployment package is created as well. You can download this zip archive to help you configure the Amazon API Gateway Authorizer.
Important
If you have not yet created an Amazon API Gateway API Authorizer, see Creating an API Authorizer (in Managing API Authorizers). You need to create an API Authorizer for Amazon API Gateway before you can download the Authorizer Deployment package.
To download the Authorization Lambda zip archive:
- From the Environment Settings screen, click API Authorizers. The API Authorizers screen opens.
- Click on the Amazon API Data Authorizer (or create a new one).
- In the General Details section, click Download.
Configuring the AWS Management Console involves the following steps:
- Creating the PlainID Authorization Lambda
- Uploading the PlainID Authorization Lambda zip archive
- Configuring Environmental Variables
- Deploying the Lambda
Creating the PlainID Authorization Lambda
- Open the AWS Lambda Service screen.
- Click Create function. The Create function screen is displayed.
- In the Function name field, enter the name of the function (for example: acme-financing-authz).
- Confirm that the remaining settings are configured as follows:
- Runtime is set to Node.js
- Architecture is set to x86_64
- Click Create Function.
Uploading the PlainID Authorization Lambda Zip Archive
To upload the PlainID Authorization Lambda zip archive:
- On the screen of the function you created, from the Upload from field, select .zip file.
- Select the Lambda zip archive that you downloaded from the Platform (see Configuring the Authorization Platform for the Amazon API Gateway).
Configuring Environmental Variables
To configure relevant Environmental Variables:
-
On the Configuration tab, select Environmental variables. The Environment variables page opens.
-
Click Edit and add the following environment variables:
| Variable Key | Sample Value | Notes/Instructions |
|---|---|---|
| CLIENT_ID | DTA43IJZSPYKAVZYYV5Q | Can be obtained from the PlainID Policy Manager SaaS Tenant/Account: Navigate to Environment Settings > Authorization Keys and get Client ID |
| CLIENT_SECRET | XXXX | Can be generated from the Platform Tenant/Account: Navigate to Environment Settings > Authorization Keys - and add a new Secret Key |
| AUTH_METHOD | - token -secret |
The token is obtained through the consumer's Application. If a token is used in the AUTH_METHOD, a valid JWT will be sent in the Authorization header instead of the CLIENT_SECRET. If the value is set to secret, then the CLIENT_SECRET is sent to the x-client-secret Header |
| AUTHORIZER_ID | APA1D318NDQC1DS | Navigate to Environment Settings > Authorizers - select an existing authorizer or create a new authorizer - and use the Authorizer ID (Available only for saved/existing authorizers). |
| PDP_URL | https://acme-financing.us1.plainid.io/runtime | The URL of the Policy Decision Point (Runtime): Assuming the tenant/account URL is: https://acme-financing.us1.plainid.io, The PDP_URL should be set to: https://acme-financing.us1.plainid.io/runtime |
| RUNTIME_FINE_TUNE | {"includeIdentity": "true"} | This parameter can be leveraged to fine-tune the PDP calculation with additional supported request properties. Refer to our Authorization APIs documentation for more details on potential properties. This parameter should be passed as a JSON string with the relevant PDP properties and values. Example: {"entityAttributes": {"region": ["US"]},"combinedMultiValues": true} |
- Click Save.
Deploy the Lambda
After saving the environment variables to the Lambda file, click Deploy to deploy the changes you made.
After you deploy the API Gateway Authorizer, you will need to amend the code due to a known limitation. For more information, see Known Limitations.
Create a New API Gateway Authorizer
-
Go to the API Gateway Service.
-
Select Authorizers from the menu. The Authorizers screen opens.
-
Click Create New Authorizer, and fill in the relevant information:
| Attribute/Setting | Value |
|---|---|
| Name | The Authorizer name |
| Type | Set to Lambda |
| Lambda Function | Set to Lambda |
| Lambda Function | Select the new Lambda |
| Lambda Invoke Role | [leave empty] |
| Lambda Event Payload | Select Request |
| Identity Sources | Select Header and set to Authorization |
| Authorization Caching | For testing - uncheck the box |
Example:
- Click Create, then Grant & Create
Assign the Authorizer to an API Method
- Click to the Method Request link:
- Click on the Edit (pencil) of the Authorization method:
- Choose the custom Authorizer we created earlier (If you don't see it, wait for a few seconds - up to about a minute):
- Click Update (Check Icon):
- Select created method and click Actions > Deploy API:
- You will see a popup which offers you to select an existing stage or create a new stage.
- Select either existing stage or create a new stage, and click Deploy.
Known Limitations
- Part of URL Suffix in PDP needs to be added manually
- When configuring the Amazon API Gateway, part of the URL suffix of the PDP is missing and must be added manually.
To amend the URL suffix:
- Open the Lamda function.
- Click on the Code tab. This opens the Code screen.
- Double click on the config.json entry in the files list in the left panel.
- Locate the line with the following code: {"version": "1.2.0", "pdpEndpointV5": "/5.0/decisions"}
- Add /permit-deny such that the code now appears as follows: {"version": "1.2.0", "pdpEndpointV5": "/5.0/decisions/permit-deny"}
- After you amend the line, save your changes and then click Deploy.
- Request Body Cannot be Used
- The Amazon API Gateway does not expose the API Request Body, so the Request Body cannot be used as part of the Policy calculation (cannot be associated/mapped to an Asset Type Attribute or Action)
- The Amazon API Gateway does not expose the API Request Body, so the Request Body cannot be used as part of the Policy calculation (cannot be associated/mapped to an Asset Type Attribute or Action)