0
votes

I have created a backend Spring Boot REST API, deployed on EC2, that is authenticated with JWT. So I first curl to get the Bearer token:

curl -iH "Content-Type: application/json" -X POST -d '{"username":"myusername", "password":"mypassword"}' http://123.45.6782.910:8080/login

Then I make the REST call to access my REST resource:

curl -H "Authorization: eyJhbGzd9.NYHXPv-vXUIoNr7qtA" http://123.45.6782.910:8080/categories/pets/

This all works fine.

Now, I want to use API Gateway to access the /categories/pets/ Resource.

I have set up the GET - Method execution's Method request and Integration Request sections. But when I try to Test the setup, I get a 403.

{
  "timestamp": 1498392625274,
  "status": 403,
  "error": "Forbidden",
  "message": "Access Denied",
  "path": "/categories/pets/"
}

I think this is expected because I am directly trying to access the backend API without the bearer token. I want to know how I can do the POST on http://123.45.6782.910:8080/login to get the Bearer token and then make the call to /categories/pets/?

UPDATE: As per @KaHouIeong's suggestion, I created a POST endpoint /login on the API Gateway to get the bearer token. When I test it in the test console in the API Gateway, I am getting the Authorization →Bearer eyJhbGzd9, but when I try it from Postman, I am getting the status 200 OK but not the Authorization →Bearer eyJhbGzd9 token.

content-length →0
content-type →application/json
status →200
via →1.1 swfbfbbaf3fb6c32bdccb152354539e473d.cloudfront.net (CloudFront)
x-amz-cf-id →K9V3XUxHOretrza0kCM5dk_G5eZgePrtrBziyVTxptrePD7wjsWqk-l0kCQQ==
x-amzn-requestid →5ac81024-5c27-11e7-af9a-9f3c8494c542
x-amzn-trace-id →Root=1-5953e77f-ed76d15b5bfre9374c9
If you use an Authorization bearer token, the header seems not correct; try this: -H "Authorization: Bearer eyJhbGzd9.NYHXPv-vXUIoNr7qtA" - chenrui
No, that's not an issue here. You don't necessarily need the bearer keyword. It's working for me without it. - tintin
Do you have any server log to take a look? - chenrui
Your client should send a request to /login and get the bearer token from the response, then re-use the token to access your /categories/pets/ API. The workflow should be the same as when you hit your EC2 backend directly. For your API setup on API Gateway, you need to set up a /login resource and point it to http://123.45.6782.910:8080/login - Ka Hou Ieong
You need to set up the integration response header mapping to map the Authorization header back to the method response; then API Gateway will pass the header through to the client. - Ka Hou Ieong

1 Answer

3
votes

Your client should send a request to /login and get the bearer token from the response, then re-use the token to access your /categories/pets/ API. The workflow should be the same as when you hit your EC2 backend directly.

For your API setup on API Gateway, you need to set up a /login resource and point it to http://123.45.6782.910:8080/login

Then, you need to set up the integration response header mapping to map the Authorization header back to the method response; then API Gateway will pass the header through to the client.

integration.response.header.Authorization -> method.response.header.Authorization
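The two-step client flow the answer describes, as an added example that is not part of the question or answer: log in through the gateway's /login resource, pull the Authorization header out of the response, and re-use it against /categories/pets/. It fails explicitly in the case from the UPDATE (HTTP 200 but no Authorization header), which is the symptom of a missing integration response mapping. The gateway base URL, USERNAME and PASSWORD are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the question or answer.
# Assumes: $1 = API Gateway stage base URL, USERNAME/PASSWORD env vars.

# Extract the Authorization header value from a header dump written by
# `curl -D`. Tolerates CRLF endings and any header-name casing.
extract_auth_header() {
  tr -d '\r' < "$1" | awk 'tolower($1) == "authorization:" {
    sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# POST to the gateway's /login resource and print the token header value.
# A 200 with no Authorization header means the gateway swallowed it, i.e.
# the integration.response.header.Authorization mapping is not in place.
login_via_gateway() {
  base="$1"; user="$2"; pass="$3"
  hdrs=$(mktemp)
  status=$(curl -s -o /dev/null -D "$hdrs" -w '%{http_code}' \
    -H "Content-Type: application/json" -X POST \
    -d "{\"username\":\"$user\",\"password\":\"$pass\"}" "$base/login")
  token=$(extract_auth_header "$hdrs")
  rm -f "$hdrs"
  if [ "$status" != "200" ]; then
    echo "login failed with HTTP $status" >&2; return 1
  fi
  if [ -z "$token" ]; then
    echo "HTTP 200 but no Authorization header: check the mapping" \
         "integration.response.header.Authorization ->" \
         "method.response.header.Authorization" >&2
    return 1
  fi
  printf '%s\n' "$token"
}

# Re-use the token exactly as against the EC2 backend.
fetch_pets() {
  curl -s -H "Authorization: $2" "$1/categories/pets/"
}

# Network calls only run when a base URL is passed, e.g.
#   sh gateway_flow.sh https://<api-id>.execute-api.<region>.amazonaws.com/<stage>
if [ $# -ge 1 ]; then
  tok=$(login_via_gateway "$1" "${USERNAME:-myusername}" "${PASSWORD:-mypassword}") || exit 1
  fetch_pets "$1" "$tok"
fi
```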