The tech stack is ReactJS on the front end, and the backend is powered by API Gateway and Lambda. I am using Auth0 as the identity service in my React app. On authenticating through one of the social logins provided by Auth0, I get back access_token, id_token and expiry_time. Further, I can get the user's information, such as emailId, using the id_token. Now, I need to protect/prevent access to my backend, namely the API Gateway and Lambda.
There are a lot of options to protect access to AWS API Gateway, like the IAM authorizer and the custom authorizer. There is Auth0 documentation on how to use the IAM authorizer with Auth0. I would like to know how to use a custom authorizer. I understand the high-level architecture of how a custom authorizer works.
Here are my questions regarding custom authorizer:
1Q. By using the React Auth0 authentication module, I get back access_token, id_token and expiry. The received access_token is not a JWT. How do I get a JWT access_token, so that I can pass it through the Authorization header?
2Q. I see a separate section called APIs in the Auth0 dashboard. This is highly confusing and ambiguous. In my understanding, this Auth0 API section requires a separate call to the Auth0 server to receive a new access_token, which is different from the social login's access token. Why can't I use the access token from React's Auth client? I may be wrong, but I don't understand this API section in Auth0.
3Q. Assuming that somehow I send the access_token in the Authorization header, how do I verify it in the custom authorizer's Lambda? There are several blog posts on this, but each post follows a different approach. Some use the id_token for verifying, others use the jwt package to just decode it, but I don't see a verification call to Auth0.
There are some blog posts on authorizing API Gateway with Auth0, but they are either old/deprecated or use some hacks to authorize it. It would be good if we could document the proper method of authorizing an API Gateway using Auth0.