Support for OAuth 2.0 and OpenID Connect
- Services: API Gateway
- Release Date: December 07, 2022
You can now create API gateways that validate a JWT or non-JWT authentication token with the OAuth 2.0 introspection endpoint of an identity provider. You specify the Discovery URL of the identity provider from which to obtain the introspection endpoint. The API gateway passes the client credentials (the client id, along with the client secret retrieved from the Vault service) to the identity provider to validate the token. The token is validated without the use of public keys. To make future validation faster, you can specify that you want the API gateway to cache the response from the introspection endpoint.
In addition, you can now set up a validation failure policy to specify how you want the API gateway to handle a failed token authentication response (returned after an unsuccessful attempt to validate a missing or invalid token). Rather than simply returning an HTTP 401 code and the WWW-Authenticate header in the response, you can now specify that the API gateway is to use an OpenID Connect authorization flow to obtain a new JWT access token. Alternatively, you can customize the response to return a status code (and optional message body) of your choice.
For more information, see Notes about OAuth 2.0 and OpenID Connect in the Validating Tokens to Add Authentication and Authorization to API Deployments topic.