{"id":18678369,"url":"https://github.com/vitalibo/api-gateway-authorization-service","last_synced_at":"2025-04-12T02:41:08.765Z","repository":{"id":101159074,"uuid":"89918945","full_name":"vitalibo/api-gateway-authorization-service","owner":"vitalibo","description":null,"archived":false,"fork":false,"pushed_at":"2019-10-17T06:57:55.000Z","size":645,"stargazers_count":10,"open_issues_count":1,"forks_count":4,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-25T22:21:18.685Z","etag":null,"topics":["api-gateway","aws","cloudformation","cognito","lambda","security"],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vitalibo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-05-01T11:36:58.000Z","updated_at":"2025-02-10T08:14:42.000Z","dependencies_parsed_at":"2023-09-18T05:31:09.515Z","dependency_job_id":null,"html_url":"https://github.com/vitalibo/api-gateway-authorization-service","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vitalibo%2Fapi-gateway-authorization-service","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vitalibo%2Fapi-gateway-authorization-service/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vitalibo%2Fapi-gateway-authorization-service/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vitalibo%2Fapi-gateway-authorization-se
rvice/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vitalibo","download_url":"https://codeload.github.com/vitalibo/api-gateway-authorization-service/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248507468,"owners_count":21115607,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api-gateway","aws","cloudformation","cognito","lambda","security"],"created_at":"2024-11-07T09:37:24.369Z","updated_at":"2025-04-12T02:41:08.760Z","avatar_url":"https://github.com/vitalibo.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Api Gateway Authorization service\n\n[![Build Status](https://travis-ci.org/vitalibo/api-gateway-authorization-service.svg?branch=master)](https://travis-ci.org/vitalibo/api-gateway-authorization-service)\n\nThe AWS API Gateway Authorization Service project provides a simple OAuth 2.0 solution for AWS infrastructure.\nIt frees you from managing and validating access to your own resources so that you can focus on the business value of those resources.\nYou only need to describe an IAM Policy for your resources and configure an API Gateway custom authorizer; an Amazon Cognito user pool maintains the user and group directory.\n\n### Workflow\n\nThe Authorization Service implements the **Client Credentials** authorization flow (see also [RFC6749: \"The OAuth 2.0 Authorization Framework\" section 4.4](https://tools.ietf.org/html/rfc6749#section-4.4)).\nThe sequence UML diagram below shows this workflow and its main points:\n\n![Sequence Diagram](http://g.gravizo.com/source/svg/sequence_diagram.puml?https://raw.githubusercontent.com/vitalibo/api-gateway-authorization-service/master/README.md)\n\n\u003cdetails\u003e\n\n\u003csummary\u003eUML code\u003c/summary\u003e\n\n```\nsequence_diagram.puml\n@startuml\nskinparam monochrome false\n\n\"Client\" -\u003e \"Authorization Server\": Authentication request\nactivate \"Authorization Server\"\nnote left\n+ Request (application/json)\n  {\n    \"grant_type\": \"client_credentials\",\n    \"client_id\": \"\u003cusername\u003e\",\n    \"client_secret\": \"\u003cpassword\u003e\"\n  }\nend note\n\n\"Authorization Server\" -\u003e \"Authorization Server\": Validate client credentials\\nand sign JWT\n\n\"Client\" \u003c-- \"Authorization Server\": Authentication response\ndeactivate \"Authorization Server\"\nnote right\n+ Response 200 (application/json)\n  {\n    \"access_token\": \"\u003cjwt\u003e\",\n    \"expires_in\": \u003ctimestamp\u003e,\n    \"token_type\": \"Bearer\"\n  }\nend note\n\n...\n\n\"Client\" -\u003e \"API Gateway\": Resource request\nactivate \"API Gateway\"\nnote left\n+ Headers\n  Authorization: Bearer \u003cjwt\u003e\nend note\n\"API Gateway\" -\u003e \"JWT Authorizer\": Authorizer request\n\nactivate \"JWT Authorizer\"\nnote left\nContext + Token\nend note\n\n\"JWT Authorizer\" -\u003e \"JWT Authorizer\": Verify JWT\\nand make policy\n\n\"API Gateway\" \u003c-- \"JWT Authorizer\": Authorizer response\nnote left\nPrincipal + Scope + Policy\nend note\ndeactivate \"JWT Authorizer\"\n\nalt failed request\n\"API Gateway\" \u003c-- \"API Gateway\": if not authorized\\nor no permission\\non resource\n\"Client\" \u003c-- \"API Gateway\": Unauthorized or Forbidden response\nnote right\n+ Response 401 or 403 (application/json)\nend note\n\nelse successful request\n\"API Gateway\" -\u003e \"Resource\": Resource request\n\"Resource\" -\u003e \"Resource\": Process\\nrequest\n\n\"Client\" \u003c-- \"Resource\": Resource response\nnote left\n+ Response 200 (\u003cMedia Type\u003e)\nend note\ndeactivate \"API Gateway\"\nend\n\n@enduml\nsequence_diagram.puml\n```\n\n\u003c/details\u003e\n\n### Build\n\nEnsure that you have installed Git, Java 8, Maven, AWS CLI and Docker.  \nClone this repository and build the sources with the following command:\n\n```\nmvn clean verify\n```\n\nThe `verify` phase runs the unit tests and packages the jar files.\n\n### Deploy\n\nThe deployment of the Authorization Service is fully based on AWS infrastructure and CloudFormation templates.\nThe `infrastructure` folder contains three stack templates:\n\n- `policy.json` - Creates/updates the AWS IAM subjects, namely the deployment User, the Lambda execution Roles, the authorizer Role and the execute API Gateway Policy for the default Cognito Groups.\n- `stack.json` - Creates/updates the infrastructure of the Authorization Service, that is the Cognito User Pool, the AWS Lambdas (Server, JWT Authorizer and Basic Authenticator) and the API Gateway REST API for the Authorization Server.\n- `sample.json` - Creates/updates a mock API Gateway for integration testing and as a sample of using custom authorizers.\n\nIn order to deploy you must already have a deployment S3 bucket and choose a user name/prefix for all resources. This IAM User will be restricted to resources carrying this prefix. I recommend the user name `authorization-service`, or `authorization-service-dev` for a development stage.\n\n- Start by running the bash script that creates/updates the policy stack (command below). Every change set must be reviewed and approved by a super admin in the [AWS CloudFormation Console](https://console.aws.amazon.com/cloudformation).\n\n```\n./update-policy.sh \u003cuser-name\u003e \u003cdeployment-bucket\u003e\n```\n\nAfter the stack has been created successfully, its `Outputs` section shows `AccessKey` and `SecretKey`. Use these credentials for the following deployment steps.\n\n- Then create/update the infrastructure by running the next script:\n\n```\n./update-stack.sh \u003cuser-name\u003e \u003cdeployment-bucket\u003e\n```\n\nThis script copies the compiled Lambdas into the deployment S3 bucket and creates/updates the necessary resources.\nThese two steps are enough for normal operation of the Authorization Service in a production environment; if you use a development environment for integration tests, or want to see a sample of using custom authorizers, also do the third step.\n\n- This step creates a mock API Gateway and has no business value. The stack exists for integration tests and as a demonstration of how to use the Authorization Service.\n\n```\n./update-sample.sh \u003cuser-name\u003e\n```\n\n- To run the integration tests, change to the `integration` folder and run the following script:\n\n```\n./tests.sh \u003cuser-name\u003e\n```\n\nThis script starts a Docker container with Newman preinstalled, which runs and tests the Postman Collections directly, so you can easily integrate it into your continuous integration servers and build systems.\n\n### Links\n\n- [OAuth 2. Client Credentials authorization flow](http://oauthbible.com/#oauth-2-two-legged)\n- [AWS Management Console](https://console.aws.amazon.com/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvitalibo%2Fapi-gateway-authorization-service","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvitalibo%2Fapi-gateway-authorization-service","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvitalibo%2Fapi-gateway-authorization-service/lists"}