How to set up an OAuth2 Authentication Provider with AWS API Gateway?

Question

AWS has an API Gateway, that makes it pretty easy to set up, manage and monitor your API. However, the security authorization settings that you can set for resource methods is limited to AWS-IAM (which to my understanding is an internal vpn role?).

It seems that my research on this subject has been pointing me to setting up an AWS Cognito pool, but when I go to configure one in my aws console, the options for providers are: Amazon, Facebook, Google+, Twitter, OpenID, and Custom. I guess, in that case, I would use Custom? Then setup my own EC2 instance as an OAuth2 Authentication Provider Server.

Given that Oauth2 is so popular these days it surprises me that there isn't an AWS service for this; it seems they've gone the whole OpenId or SAML route instead. It also surprises me that there is a lack of guides on how to quickly setup an Oauth2 Provider in the cloud.

Any help would be appreciated.

Answer 1

Amazon's API Gateway now supports Amazon Cognito OAutho2 Scopes: https://aws.amazon.com/about-aws/whats-new/2017/12/amazon-api-gateway-supports-amazon-cognito-oauth2-scopes/

You can create Amazon Cognito user pool authorizer and then configure the same as your Authorisation method in API Gateway. To use OAuth scopes, you will need to configure a resource server and custom scopes with the Cognito user pool that you created.

On the basis of the scope received in the access token, the API Gateway will grant allow or deny permission to the caller of your API