OAuth Authentication

Zuplo comes with build-in and extensible OAuth policies out of the box. These policies allow you to easily authenticate requests using popular services like Auth0, AWS Cognito, and more.

Some of the built-in policies are listed below.

• OpenId JWT Authentication Policy
• Auth0 JWT Authentication Policy
• Okta JWT Authentication Policy
• AWS Cognito JWT Authentication Policy

Request User#

The OAuth policies will validate and decode the incoming JWT and add the data from the JWT. If the user is successfully authenticated the claims of their JWT access_token will be available on the request.user object.

The user's identifier (also known as the sub or subject) is available on the request.user.sub property. Other claims can be found on the request.user.data object as demonstrated below.

async function (request: ZuploRequest, context: ZuploContext) {
  // Log the user's sub
  context.log.debug(`User ${request.user.sub} is authenticated`)
 
  // Check a custom claim
  if (request.user.data["orgId"] === "1234") {
    // do something
  }
}

Authorization Header#

The built-in policies will validate the incoming JWT on the Authorization header. By default, the Authorization header will be left on the request and forwarded on to your backend.

It is not recommended to validate the Access Token on both the gateway and the backend. However, by forwarding the header to the backend you can transition your API from doing authentication on your backend to authorizing at the Gateway. See this blog post for more details.

If you would like to remove the authorization header after you use one of the authorization policies, simply add the Remove Request Headers policy after the authorization policy and set it to remove the Authorization header.