Allow clients to generate tokens for AWS gateway

Hi, I’m looking to use auth0 as an authorizer for my AWS gateway.
I would like my clients to be able to log in to auth0 through an interface; if this is successful, it will generate and display a token to them.
My clients would then be able to use this token as a header when they call my AWS gateway; the gateway will then authenticate this token and provide access to my AWS API.

Is this possible with auth0? I can’t see an obvious way to do this in the documentation.

@mstrudwick

If I understand your request, this should be very doable using this guide:

https://auth0.com/blog/securing-aws-http-apis-with-jwt-authorizers/#Add-a-JWT-Authorizer-to-Your-API

Have you looked at this?

Unfortunately this doesn’t quite fit my use case - auth on the gateway needs to be done through a lambda function.

I also don’t understand how clients will generate their own tokens. Where does the individual client login fit into this?

There are many JWT libraries that will allow you to validate a token. If you were to use node.js in your Lambda, you could use this library that we manage:

What do you mean by clients ? We typically say clients when we are talking about applications. Are you talking about your customers or applications?

By clients I mean customers. I have an API service on AWS to which multiple different customers need access. However, I want to add authentication to this API with tokens. Therefore my clients need to be able to generate a token for my API, which they can then use when they call my API.

My ideal situation is:

  1. my customer logs in once (auth0?)
  2. a token is generated for them, and displayed
  3. customer then calls my api with this token
  4. my api checks to see if token is valid

@mstrudwick,

Thanks for providing more context.

Are you aware that tokens expire? Your customer will have to replace the token after expiration. They aren’t going to act the same way as an API key that is valid until it is revoked.

Instead, you may want to consider issuing a set of client credentials to your customer; this is like a username/password for an application, and allows the application to request a new token whenever it is going to call your API. How many customers do you expect to be using your API?

Yes I’m aware that they expire. I was hoping to use refresh tokens to manage this but sounds like that’s not possible.

Client credentials would definitely be another valid option, how do I create client credentials for each customer? Do I have to have a new auth0 application for each customer or can one application support multiple customers?

There are more than 10 but fewer than 100.

@mstrudwick,

You would create a new M2M application for each customer. That application is linked to the client ID/client secret they use to request tokens.

You may run into some entity limits depending on which plan you are on. The info is here: Entity Limit Policy

Right, that makes sense. Although it would be a bit of a pain having to manage lots of M2M apps, and we’d run into those limits pretty fast.

Thanks for your help anyway. I’m new to auth so I’m sure there’s an easier way I’m missing :smiley:

No problem! Let me know if you have any questions.