Amazon API Gateway Lambda Authorizer Performance Considerations
Amazon API Gateway Lambda authorizer is a feature provided by Amazon API Gateway to separate the authorization logic from the business logic. This is useful when your application is split across many functions in multiple services. Customers who already have an identity provider can build a Lambda authorizer that allows users to access API Gateway resources with their third-party credentials without having to configure additional services.
Performance Improvement with the Lambda Authorizer:
One popular pattern uses a Lambda authorizer together with JWT tokens and AWS IAM integration to provide fine-grained access to backend services. It adds latency to your API Gateway calls, caused by AWS Lambda cold starts and by the external call from the authorizer to the identity provider's endpoint.
In this post, you will learn how to improve Lambda authorizer performance and reduce round-trip time using the solution below, along with other performance considerations.
Flow Sequence:
Step 1: JWT Retriever is an AWS Lambda function that downloads the public key from the identity provider's authorizer endpoint and caches it in Amazon DynamoDB. The JWT Retriever function needs to be scheduled with an Amazon CloudWatch Events scheduler so that rotation to a new key is handled based on the validity period of the certificate.
Step 2: The user logs in to the identity provider, which issues an access token to the client.
Step 3: The client issues a request to Amazon API Gateway and includes the access token in the Authorization header.
Step 4: The Amazon API Gateway resource forwards the token to the Lambda authorizer.
Step 5: The Lambda authorizer validates the token with the certificate cached in Amazon DynamoDB instead of calling the identity provider's endpoint.
Step 6: The Lambda authorizer executes the authorization logic and creates an identity and access management (IAM) policy.
Step 7: Amazon API Gateway evaluates the IAM policy against the Amazon API Gateway resource that the user requested and either allows or denies the request. If allowed, Amazon API Gateway forwards the request to the backend services.
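The following Python authorizer is an added example illustrating Steps 5 through 7 of the flow above; it is not code from the original post or from AWS. It assumes a TOKEN-type authorizer event (`authorizationToken` and `methodArn`), an in-memory dictionary standing in for the DynamoDB key cache that the JWT Retriever populates in Step 1 (constructed sample entries, including one whose cached validity has already lapsed), and constructed tokens. To stay dependency-free it verifies HS256 signatures with a cached shared secret from the standard library; in the real flow the cached item would be the identity provider's public RS256 key and the signature check would use an RSA-capable JWT library, but the cache lookup, key expiry, claim checks and policy shape are the same.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-in for the DynamoDB table filled by the JWT Retriever (Step 1).
# Items are keyed by the token's `kid` header and carry an expiry so rotated keys age out.
# Assumption: HS256 shared secrets instead of the provider's public RS256 key (see lead-in).
KEY_CACHE = {
    "key-2024-01": {"secret": b"constructed-signing-secret", "expires_at": 4_102_444_800},
    "key-stale": {"secret": b"old-secret", "expires_at": 0},  # cached key past its validity
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_token(claims: dict, kid: str, secret: bytes) -> str:
    """Build a compact HS256 JWT; used only to construct sample tokens for this example."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        f"{_b64url_encode(json.dumps(header).encode())}."
        f"{_b64url_encode(json.dumps(claims).encode())}"
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, key_cache: dict, now: Optional[float] = None) -> Optional[dict]:
    """Return the verified claims, or None if the token cannot be trusted.

    The key lookup goes to the local cache (Step 5); the identity provider is never called.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # Pin the algorithm: the token header must never be allowed to choose a weaker one.
    if header.get("alg") != "HS256":
        return None
    entry = key_cache.get(header.get("kid"))
    if entry is None or entry["expires_at"] <= now:
        return None  # unknown key, or a cached key whose validity has lapsed
    expected = hmac.new(
        entry["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # signature does not match the cached key
    if "sub" not in claims or "exp" not in claims or claims["exp"] <= now:
        return None  # missing subject, or token expired
    return claims


def build_policy(principal_id: str, effect: str, method_arn: str) -> dict:
    """Response shape API Gateway expects from a Lambda authorizer (Step 6)."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
    }


def lambda_handler(event: dict, context=None, now: Optional[float] = None) -> dict:
    """TOKEN authorizer entry point: strips the Bearer prefix, verifies, returns a policy."""
    auth_header = event.get("authorizationToken", "")
    token = auth_header[len("Bearer "):] if auth_header.startswith("Bearer ") else auth_header
    claims = verify_token(token, KEY_CACHE, now)
    if claims is None:
        # A Deny policy produces a 403; raising Exception("Unauthorized") would produce a 401.
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(claims["sub"], "Allow", event["methodArn"])


if __name__ == "__main__":
    # Constructed request: a valid token for a sample method ARN.
    sample_token = sign_token(
        {"sub": "user-123", "exp": 2_000_000_000}, "key-2024-01", b"constructed-signing-secret"
    )
    sample_event = {
        "authorizationToken": f"Bearer {sample_token}",
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders",
    }
    print(json.dumps(lambda_handler(sample_event, now=1_700_000_000), indent=2))
```

The returned policy is what API Gateway caches for the authorizer's TTL, so a Deny for an expired or stale-key token is also cached for that window; keep the TTL short enough that a rotated key or a revoked session is picked up within an acceptable delay.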
Other design considerations for the Lambda authorizer:
Use provisioned concurrency, which makes the Lambda authorizer execute faster and reduces latency.
Cache the authorizer response with a time-to-live (TTL) setting so that, for repeated calls to API Gateway with the same identity, the Lambda authorizer is not invoked again until the TTL expires.
Evaluate the optimal runtime environment and memory settings for the Lambda authorizer.
Conclusion:
Lambda authorizers provide a number of benefits, such as integrating directly with third-party identity management services without identity federation, and custom authorization, but they can also create latency issues when they make additional downstream API calls to other AWS accounts. The solution above shows how the performance of a Lambda authorizer can be improved and its latency reduced.