Add Auth0 JWT authorizer to API Gateway (LEY-14)

samconfig.toml

@@ -7,7 +7,9 @@ s3_prefix = "gmail-translator-staging"
 confirm_changeset = true
 capabilities = "CAPABILITY_IAM"
 image_repositories = []
-parameter_overrides = "AppSecretsSsmPrefixParam=\"/gmail-translator-staging\" ResourceNamePrefixParam=\"gmail-translator-staging\" GmailConnectionSuccessRedirectUrlParam=\"https://example.com/settings/integrations/gmail/success\" GmailConnectionFailureRedirectUrlParam=\"https://example.com/settings/integrations/gmail/error\""
+parameter_overrides = "AppSecretsSsmPrefixParam=\"/gmail-translator-staging\" ResourceNamePrefixParam=\"gmail-translator-staging\" GmailConnectionSuccessRedirectUrlParam=\"https://example.com/settings/integrations/gmail/success\" GmailConnectionFailureRedirectUrlParam=\"https://example.com/settings/integrations/gmail/error\" Auth0IssuerParam=\"https://YOUR_DOMAIN.auth0.com/\" Auth0AudienceParam=\"https://gmail-translator-api\""
+# Auth0IssuerParam: found in Auth0 dashboard under Applications > APIs > your API > Settings (e.g. https://YOUR_DOMAIN.auth0.com/)
+# Auth0AudienceParam: the identifier you set when creating the API in Auth0 (e.g. https://gmail-translator-api)
 
 [default.global.parameters]
 region = "us-east-1"

template.yaml

@@ -37,8 +37,27 @@ Parameters:
     Type: String
     Description: OAuth failure redirect URL for future callback handlers
     Default: https://example.com/settings/integrations/gmail/error
+  Auth0IssuerParam:
+    Type: String
+    Description: Auth0 issuer URL (e.g. https://YOUR_DOMAIN.auth0.com/). Find this in Auth0 dashboard under Applications > APIs > your API > Settings.
+  Auth0AudienceParam:
+    Type: String
+    Description: Auth0 API audience identifier (e.g. https://gmail-translator-api). Set when creating the API in the Auth0 dashboard.
 
 Resources:
+  GmailTranslatorHttpApi:
+    Type: AWS::Serverless::HttpApi
+    Properties:
+      Auth:
+        DefaultAuthorizer: Auth0JwtAuthorizer
+        Authorizers:
+          Auth0JwtAuthorizer:
+            JwtConfiguration:
+              issuer: !Ref Auth0IssuerParam
+              audience:
+                - !Ref Auth0AudienceParam
+            IdentitySource: $request.header.Authorization
+
   TranslatedEmailsTable:
     Type: AWS::DynamoDB::Table
     Properties:
@@ -232,6 +251,7 @@ Resources:
           Properties:
             Path: /auth/google/start
             Method: GET
+            ApiId: !Ref GmailTranslatorHttpApi
     Metadata:
       BuildMethod: esbuild
       BuildProperties:
@@ -282,6 +302,7 @@ Resources:
           Properties:
             Path: /auth/google/callback
             Method: GET
+            ApiId: !Ref GmailTranslatorHttpApi
     Metadata:
       BuildMethod: esbuild
       BuildProperties:
@@ -329,6 +350,7 @@ Resources:
           Properties:
             Path: /auth/google/disconnect
             Method: POST
+            ApiId: !Ref GmailTranslatorHttpApi
     Metadata:
       BuildMethod: esbuild
       BuildProperties:
@@ -346,10 +368,10 @@ Outputs:
     Value: !GetAtt TranslatorFunction.Arn
   OAuthHttpApiBaseUrl:
     Description: Base URL for the OAuth HttpApi
-    Value: !Sub https://${ServerlessHttpApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}
+    Value: !Sub https://${GmailTranslatorHttpApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}
   GoogleOAuthCallbackUrl:
     Description: Deployed Google OAuth callback URL
-    Value: !Sub https://${ServerlessHttpApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}/auth/google/callback
+    Value: !Sub https://${GmailTranslatorHttpApi}.execute-api.${AWS::Region}.${AWS::URLSuffix}/auth/google/callback
   GmailConnectionsTableName:
     Description: DynamoDB table for per-user Gmail connections
     Value: !Ref GmailConnectionsTable