Using external OAuth2 system

0

I'm working on a web application. This uses APIs from a 3rd party system. To authenticate with the system a plain OAuth2 scheme is used. A call is made to the /authorize endpoint. This redirects to a login page. Upon successful login, the user gets redirected to a URL with an authorization-code as parameter. Using this authorization-code an access token is then requested through the /tokens endpoint. This returns a simple JSON document with the bearer token (no JWT), expiry time and refresh token. Works fine.

I would now like to authenticate my own APIs (API Gateway REST or HTTP APIs) against this 3rd party system. Would there be a way to integrate this with e.g. Cognito in some way? Ideally Cognito should "front" this 3rd party system and just provide my app a JWT or so. Or are there solutions to authorize API Gateway directly against such a 3rd party?

Thanks.

asked 4 years ago · 372 views
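The authorization-code flow described in the question, as an added example that is not part of the original post. The provider is a constructed in-process stand-in (the endpoint URLs, client id and redirect URI are assumptions); the client side adds the two checks a practitioner wants on this flow: a per-login `state` value that the callback must echo back (otherwise an attacker-supplied code can be injected into the victim's session), and a PKCE verifier so an intercepted code cannot be exchanged by anyone who did not start the login. The code is single-use and bound to the redirect URI it was issued for.

```python
"""Authorization-code flow with state + PKCE against a toy provider (added example, constructed)."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed endpoints and identifiers; not a real provider.
AUTHORIZE_URL = "https://provider.example/authorize"
TOKEN_URL = "https://provider.example/tokens"
CLIENT_ID = "my-web-app"
REDIRECT_URI = "https://app.example/callback"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def start_login(session: dict) -> str:
    """Client side: build the /authorize URL; keep state and PKCE verifier in the user's session."""
    session["state"] = secrets.token_urlsafe(32)
    session["code_verifier"] = secrets.token_urlsafe(64)
    challenge = _b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": "openid", "state": session["state"],
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


class ToyProvider:
    """Minimal in-process stand-in for the third-party authorization server."""

    def __init__(self):
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, authorize_url: str, user: str) -> str:
        """Simulate a successful login: return the redirect URL carrying code and state."""
        q = _query(authorize_url)
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"])
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, form: dict) -> dict:
        """/tokens: the code is single-use and bound to redirect_uri and the PKCE verifier."""
        entry = self.codes.pop(form.get("code", ""), None)
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, challenge = entry
        expected = _b64url(hashlib.sha256(form.get("code_verifier", "").encode()).digest())
        if (form.get("grant_type") != "authorization_code"
                or form.get("client_id") != client_id
                or form.get("redirect_uri") != redirect_uri
                or not secrets.compare_digest(expected, challenge)):
            return {"error": "invalid_grant"}
        # Opaque bearer token, as in the question (no JWT).
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(32)}


def handle_callback(session: dict, redirect_url: str, provider: ToyProvider) -> dict:
    """Client side: refuse the callback unless state matches, then exchange the code."""
    q = _query(redirect_url)
    if not secrets.compare_digest(q.get("state", ""), session.pop("state", "")):
        raise ValueError("state mismatch: abort the login")
    form = {"grant_type": "authorization_code", "code": q.get("code", ""),
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": session.pop("code_verifier", "")}
    return provider.token(form)  # a real client POSTs this form to TOKEN_URL


if __name__ == "__main__":
    session, provider = {}, ToyProvider()
    callback = provider.authorize(start_login(session), "alice")
    print(handle_callback(session, callback, provider))
```

With a real provider, `provider.token(form)` becomes an HTTPS POST of the same form fields to `TOKEN_URL`; the state and verifier handling on the client side is unchanged.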
2 Answers
0

In theory, this should work out of the box as a JWT authoriser with APIGW HTTP APIs [1]. Every OAuth2/OIDC implementation has quirks, though, so interoperability isn't guaranteed. You'll need to work out the issuer endpoint for your authentication provider -- it should be the iss claim in a JWT issued by the provider.

Also, I'm pretty sure APIGW doesn't support redirecting unauthenticated requests to the authentication provider's authorisation endpoint. That might make things a bit trickier, depending on how your front-end app works.

[1] https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html

jamess
answered 4 years ago
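The checks the JWT authoriser referred to in this answer performs, reproduced as a Lambda authoriser for an HTTP API (added example, not AWS code or code from the answer). A real JWT authoriser fetches the issuer's RS256 public keys from its JWKS endpoint and matches `iss` against the configured issuer and `aud` (or `client_id`) against the configured audience; here an HS256 shared secret and the issuer/audience values are constructed so the example runs offline. Because the provider in the question issues an opaque bearer token rather than a JWT, a Lambda authoriser like this one is also where a token-introspection call to that provider would live instead of local verification; the response shape is the HTTP API simple response (`isAuthorized` plus optional `context`).

```python
"""JWT validation the way an API Gateway JWT authoriser does it, as a Lambda authoriser (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed values (assumptions): a real authoriser uses the provider's JWKS, not a shared secret.
ISSUER = "https://idp.example"   # must equal the token's iss claim
AUDIENCE = "my-api"              # must appear in aud (or client_id)
SECRET = b"constructed-demo-secret"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Stand-in for the identity provider: sign the claims with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims, or raise ValueError on structure, alg, signature, iss, aud, exp or nbf failure."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except Exception:
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm: never let the token pick it ("none", key-type confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", claims.get("client_id"))
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def handler(event: dict, context=None) -> dict:
    """HTTP API Lambda authoriser, payload format 2.0 with simple responses enabled."""
    auth = event.get("headers", {}).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return {"isAuthorized": False}
    try:
        claims = verify_token(token)
    except ValueError:
        return {"isAuthorized": False}
    # Only what the route needs is passed on to the integration.
    return {"isAuthorized": True, "context": {"sub": claims.get("sub", "")}}


if __name__ == "__main__":
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": int(time.time()) + 300})
    print(handler({"headers": {"authorization": f"Bearer {tok}"}}))
```

The same iss and aud values are what go into the authoriser's `Issuer` and `Audience` configuration when you use the built-in JWT authoriser instead of a Lambda; getting `iss` wrong (trailing slash, http vs https) is the usual interoperability quirk.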
0

I reworked the architecture to handle this differently.

answered 4 years ago
