Secure your Cloud Native Serverless Application with Arculix

Cloud Security Arculix
Dr. Abdulrahman Kaitoua
SecureAuth's Principal Data Engineer
March 06, 2023


Introduction

With the surge in cloud adoption, software architects are tempted to build cloud native applications. Cloud native applications utilize cloud resources efficiently, reduce costs, decrease the system operations workload, and improve the scalability of the application. A common approach to building cloud native applications in AWS is to put AWS API Gateway in front of a serverless or serverful application architecture, separating the code logic from resource routing and security management. This article walks you through securing your cloud native architecture with Arculix, SecureAuth’s next-generation authentication solution. We assume your application is a microservice, or more generally an application that another application will call: this blog does not cover the case where the user of your application is a human user, only the case where it is another application. The application uses the OAuth2 protocol to communicate with Arculix as the identity provider. For this, you will need a subscription to Arculix SaaS, the permissions required to create credentials in Arculix, and an AWS account.

Architecture

We assume your application is behind an AWS API Gateway. We integrate Arculix directly into the authorization path of the Gateway. All authentication and user management are performed in Arculix, as you usually do for your organization’s users.

AWS API Gateway is a scalable and resilient API gateway; it supports both RESTful APIs and WebSocket APIs. API Gateway comes with a monitoring dashboard that helps with monitoring and operations, and it integrates easily with Amazon CloudWatch to store and search the API’s logs. AWS API Gateway is serverless: you pay as you go. API Gateway is billed per number of calls, around a dollar for 300 million calls.

In the following figure we show how we secure AWS API Gateway with Arculix. The setup consists of AWS API Gateway, an authorization Lambda, and a set of Lambda functions representing the application that we are securing with this setup.


Figure 1, “Secure your Serverless App with Arculix” architecture.

In the following we discuss the flow of authentication, an example of the authorization Lambda, and finally how we set up the API Gateway to use the authorization Lambda.

The flow of Authentication

As described in Figure 1, the authorization starts from:

  1. Call the OAuth2 APIs in Arculix to get a token. You need to provide your User Application credentials (client ID and secret) with a scope of “client_credentials” in the call parameters.
  2. Auth/token sends you back the token with the scopes allowed for your client.
  3. Later you can use the token in your calls to the API Gateway, passing the token in the call header (key “Authorization”, value the token).
  4. The API Gateway contacts Arculix to verify your token. This happens by calling the Authorization Lambda; later in this blog we provide a blueprint for it. The Authorization Lambda uses its own credentials to connect to Arculix, so we need a second set of credentials for the testing in this blog.
  5. Arculix sends back confirmation of the validity of the token and the scopes allowed for this token.
  6. The Authorization Lambda checks the scopes and then authorizes or denies access. It sends back a policy containing the allow/deny decision; this policy is cached in the API Gateway for at most 1 hour (adjustable by the user).
  7. When the API Gateway receives a policy from the Authorization Lambda that allows access to the resource, it forwards the call to the configured resource.
  8. Finally, the response from the resource is forwarded back to the User Application.

In the following paragraphs we show the details of how to create this flow: how to create the credentials in Arculix, create the Authorization Lambda, and configure the API Gateway method to use the Authorization Lambda.
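The client side of steps 1 to 3, as an added example that is not code from the post or from Arculix. It builds the client-credentials request the way RFC 6749 defines it (grant_type=client_credentials in the form body, the client ID and secret as HTTP Basic credentials), reads the token and granted scopes out of the reply, and sends the token to the API Gateway. The token endpoint path `/auth/token`, the tenant domain and the API URL are placeholders; the header name is a parameter because the post uses “Authorization” in step 3 and ‘authorizationToken’ in the API Gateway configuration section, and the client must send whichever one the authorizer is configured to read.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders (not from the post): your Arculix tenant's token endpoint and
# the stage URL of the API Gateway method the authorizer protects.
ARCULIX_TOKEN_URL = "https://YOUR-TENANT.example.com/auth/token"
API_URL = "https://YOUR-API-ID.execute-api.us-east-1.amazonaws.com/dev/orders"


def build_token_request(token_url, client_id, client_secret, scope=None):
    """Step 1: the client-credentials request (RFC 6749, section 4.4).

    The standard grant sends grant_type=client_credentials as a form body
    and authenticates the client with HTTP Basic credentials.  Some servers
    instead expect client_id/client_secret in the body; check your tenant.
    """
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        token_url,
        data=urllib.parse.urlencode(form).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_token_response(body):
    """Step 2: pull the access token and the granted scopes out of the reply.

    Returns (token, scopes).  A reply without access_token is an error reply,
    so it is rejected here instead of being sent on as if it were a token.
    """
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(f"token endpoint returned no access_token: {data.get('error', data)}")
    return data["access_token"], set((data.get("scope") or "").split())


def build_api_request(api_url, token, header="Authorization"):
    """Step 3: call the protected API with the token in the header that the
    Lambda authorizer is configured to read (its "Token Source")."""
    return urllib.request.Request(api_url, headers={header: token})


def call_protected_api(client_id, client_secret, opener=urllib.request.urlopen):
    """Run steps 1-3 end to end.  `opener` is injectable so the flow can be
    exercised against a fake server without a live tenant."""
    with opener(build_token_request(ARCULIX_TOKEN_URL, client_id, client_secret), timeout=10) as resp:
        token, scopes = parse_token_response(resp.read())
    with opener(build_api_request(API_URL, token), timeout=10) as resp:
        return resp.status, resp.read().decode(), scopes
```

Calling `call_protected_api(client_id, client_secret)` with the User Application credentials from the Arculix UI performs the exchange; the secret only ever travels in the Basic header of the token request, and the API call carries nothing but the short-lived token.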

Create an Arculix Application key

To start, you need to create an application key to use when authenticating your app with SecureAuth Arculix. To do so, open the Arculix UI and follow these steps:

  1. Open your account in Arculix and choose “Applications”, as shown in the next figure.

Arculix Account

  2. Click on the “Create New application” button.
  3. Fill in the application name (e.g., Serverless App) and click “Save”.

New Application

  4. Edit the created application “Serverless App” and click on Advanced.

Serverless App

  5. Click on “Click to Reveal” and copy both the UID and the Secret. Save them for later; we will use them when setting up your authorization Lambda.

From the Arculix UI you end up with a client ID (the UID) and a secret that you will use in the next step.

Create your Authorization Lambda

Before we create the AWS Lambda for authorization, we need a client ID and secret, created by following the steps above in the Arculix UI. Once the credentials are created, we need to create a secret in AWS Secrets Manager to store them. Following security best practices, we advise against storing Arculix application credentials in the Lambda configuration or code.

  1. Navigate to Secrets Manager and create a secret.
  2. Fill in the details of the secret as key/value pairs, as shown in the following figure.

Choose Secret Type

  3. Name the secret “/arculix/dev/UserAPPLICATION”.

To create the authorization Lambda, log in to your AWS account and navigate to the Lambda service.

  1. Click on “Create Function”.
  2. Select “Author from Scratch”.
  3. Fill in the Lambda name (e.g., ArculixAuthorizer) and set the Runtime to “Python 3.9”.

Create a Function

  4. Click “Create Function”.
  5. Fill in the code by copying the following template.

For a full example of the Arculix lambda authorizer code, click on this link. Note: make sure to change the domain name in the code to your own domain URL.
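Since the linked blueprint is not reproduced on this page, here is an added example of a TOKEN authorizer in the shape of the AWS Lambda authorizer blueprint, covering both the Secrets Manager step above and the Lambda template. It is not the post’s code or Arculix’s: the credential lookup assumes the secret’s key/value pairs are named `client_id` and `client_secret`, and the token check assumes an RFC 7662 style introspection endpoint at `/auth/introspect` that answers with `active` and `scope` fields; substitute your tenant’s real validation endpoint and response. The parts a practitioner most often gets wrong are the ones the pure functions cover: accepting the token with or without a `Bearer` prefix, denying on an inactive token or a missing scope, and widening the policy resource to the whole stage because API Gateway caches the returned policy per token.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Placeholders (not from the post): tenant domain, the Secrets Manager secret
# created above, and the scope the protected application requires.
ARCULIX_DOMAIN = os.environ.get("ARCULIX_DOMAIN", "https://YOUR-TENANT.example.com")
SECRET_NAME = os.environ.get("ARCULIX_SECRET_NAME", "/arculix/dev/UserAPPLICATION")
REQUIRED_SCOPE = os.environ.get("REQUIRED_SCOPE", "serverless-app")

_secret_cache = {}  # module-level, so a warm Lambda container reads Secrets Manager once


def get_arculix_credentials(secret_name=SECRET_NAME):
    """Read the authorizer's own client id/secret from Secrets Manager.
    Assumes the secret's key/value pairs are named client_id and client_secret."""
    if secret_name not in _secret_cache:
        import boto3  # imported lazily so the pure helpers below run without AWS
        resp = boto3.client("secretsmanager").get_secret_value(SecretId=secret_name)
        _secret_cache[secret_name] = json.loads(resp["SecretString"])
    creds = _secret_cache[secret_name]
    return creds["client_id"], creds["client_secret"]


def extract_token(raw):
    """Accept the bare token or 'Bearer <token>'; anything else is rejected."""
    parts = (raw or "").split()
    if len(parts) == 1:
        return parts[0]
    if len(parts) == 2 and parts[0].lower() == "bearer":
        return parts[1]
    return None


def introspect(token, client_id, client_secret, opener=urllib.request.urlopen):
    """Steps 4 and 5: ask the identity provider whether the token is valid and
    which scopes it carries.  The path and the response fields are assumptions."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        f"{ARCULIX_DOMAIN}/auth/introspect",
        data=urllib.parse.urlencode({"token": token}).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with opener(req, timeout=5) as resp:
        return json.loads(resp.read())


def decide(introspection, required_scope):
    """Step 6: allow only an active token whose granted scopes include the one
    this application requires; every other case is a Deny."""
    if not introspection.get("active"):
        return "Deny"
    granted = set((introspection.get("scope") or "").split())
    return "Allow" if required_scope in granted else "Deny"


def build_policy(principal_id, effect, method_arn, context=None):
    """The policy document API Gateway expects from a TOKEN authorizer.

    The Resource is widened to every method of the stage because API Gateway
    caches this policy per token for the configured TTL; a policy scoped to the
    first method called would deny the same caller on the next endpoint."""
    arn_parts = method_arn.split(":")  # arn:aws:execute-api:region:account:api/stage/verb/path
    api_id, stage = arn_parts[5].split("/")[:2]
    resource = f"arn:aws:execute-api:{arn_parts[3]}:{arn_parts[4]}:{api_id}/{stage}/*/*"
    policy = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resource}],
        },
    }
    if context:
        # Only string/number/boolean values are allowed; they reach the backend
        # as $context.authorizer.<key>.
        policy["context"] = context
    return policy


def lambda_handler(event, context, introspect_fn=None):
    """Lambda entry point (the extra keyword exists only for offline testing).

    Raising Exception('Unauthorized') makes API Gateway answer 401; returning a
    Deny policy answers 403, and that Deny is cached for the TTL like an Allow."""
    token = extract_token(event.get("authorizationToken"))
    if token is None:
        raise Exception("Unauthorized")
    if introspect_fn is None:
        client_id, client_secret = get_arculix_credentials()
        result = introspect(token, client_id, client_secret)
    else:
        result = introspect_fn(token)
    effect = decide(result, REQUIRED_SCOPE)
    principal = result.get("client_id") or result.get("sub") or "unknown"
    return build_policy(principal, effect, event["methodArn"],
                        {"scope": result.get("scope") or ""})
```

The Lambda’s execution role needs `secretsmanager:GetSecretValue` on the secret named above and nothing else from Secrets Manager. Because API Gateway serves cached policies without calling the Lambda again, a token revoked at Arculix keeps working until the cache TTL expires; keep the TTL as short as your call volume allows.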

Configure your AWS API Gateway to use the Authorizer Lambda

We must create a Lambda authorizer first, then link it to the method of choice in AWS API Gateway. If you have never created an API Gateway resource before, follow the AWS documentation to create API Gateway resources and methods.

In this section, we assume that you have followed the AWS documentation to create an API Gateway with your own resources and methods.

To link the API Gateway to the authorizer Lambda that we created, you need to:

  1. Navigate to the Authorizers section of the API Gateway that you have created, as shown in the figure.

Amazon API Gateway

  2. Click on Create New Authorizer.

Create Authorizer

  3. Add the Authorizer name (e.g., ArculixAuth).
  4. Select the Lambda function that you created in the previous section.
  5. Set the Lambda Event Payload to Token.
  6. Set Token Source to ‘authorizationToken’ (you can change the name of the key, but make sure that it matches the naming in your Authorization Lambda).
  7. Enable Authorization Caching.
  8. Click Create.
  9. Test the Authorizer by providing the token that you got from Arculix.
  10. Navigate to the Method to which you intend to add the authorizer.
  11. Click on Method Request.
  12. Click on the pen next to Authorization. If you cannot see your Authorizer in the drop-down list as shown in the next figure, refresh your browser page.

Arculix Authorizer

  13. Go back and deploy your API again.
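The same wiring as the console steps above, done with boto3 so it can live in a deployment script. This is an added example, not the post’s or AWS’s code; the API id, resource id, account id and Lambda ARN are placeholders you pass in. Two things the console hides are made explicit: the Lambda needs a resource policy that lets `apigateway.amazonaws.com` invoke it (the console adds this silently, the API does not), and the authorizer cache TTL is a deliberate choice, bounded here to the 0 to 3600 seconds API Gateway accepts.

```python
import os

REGION = os.environ.get("AWS_REGION", "us-east-1")


def authorizer_uri(region, function_arn):
    """The invocation URI API Gateway uses to call a Lambda authorizer."""
    return (f"arn:aws:apigateway:{region}:lambda:path/2015-03-31/functions/"
            f"{function_arn}/invocations")


def authorizer_source_arn(region, account_id, rest_api_id, authorizer_id):
    """SourceArn that limits the invoke permission to this API's authorizer calls."""
    return f"arn:aws:execute-api:{region}:{account_id}:{rest_api_id}/authorizers/{authorizer_id}"


def authorizer_params(rest_api_id, name, region, function_arn,
                      header="authorizationToken", ttl_seconds=300):
    """Parameters matching the console form: TOKEN payload, the header as the
    token source, caching enabled.  Keep the TTL short: a cached Allow outlives
    a token revoked at the identity provider."""
    if not 0 <= ttl_seconds <= 3600:
        raise ValueError("authorizer cache TTL must be between 0 and 3600 seconds")
    return {
        "restApiId": rest_api_id,
        "name": name,
        "type": "TOKEN",
        "authorizerUri": authorizer_uri(region, function_arn),
        "identitySource": f"method.request.header.{header}",
        "authorizerResultTtlInSeconds": ttl_seconds,
    }


def wire_authorizer(rest_api_id, resource_id, http_method, function_arn, account_id,
                    stage="dev", region=REGION):
    """Create the authorizer, grant API Gateway permission to invoke the Lambda,
    attach the authorizer to one method, and redeploy the stage."""
    import boto3  # lazy import so the pure helpers above run without AWS credentials
    apigw = boto3.client("apigateway", region_name=region)
    lam = boto3.client("lambda", region_name=region)

    auth = apigw.create_authorizer(**authorizer_params(rest_api_id, "ArculixAuth", region, function_arn))
    lam.add_permission(
        FunctionName=function_arn,
        StatementId=f"apigw-{rest_api_id}-{auth['id']}",
        Action="lambda:InvokeFunction",
        Principal="apigateway.amazonaws.com",
        SourceArn=authorizer_source_arn(region, account_id, rest_api_id, auth["id"]),
    )
    apigw.update_method(
        restApiId=rest_api_id, resourceId=resource_id, httpMethod=http_method,
        patchOperations=[
            {"op": "replace", "path": "/authorizationType", "value": "CUSTOM"},
            {"op": "replace", "path": "/authorizerId", "value": auth["id"]},
        ],
    )
    # A changed method only takes effect after a new deployment to the stage.
    apigw.create_deployment(restApiId=rest_api_id, stageName=stage)
    return auth["id"]
```

Run `wire_authorizer("YOUR-API-ID", "YOUR-RESOURCE-ID", "GET", "arn:aws:lambda:us-east-1:YOUR-ACCOUNT:function:ArculixAuthorizer", "YOUR-ACCOUNT")` once per method you want protected; re-running it creates a second authorizer, so in a real pipeline look the existing one up by name first.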

Conclusion

In this blog, we discussed how the flow is implemented between two applications that use Arculix for authentication. Arculix issues the client IDs and secrets that the two applications use to communicate and identify themselves. We chose to implement the solution using AWS API Gateway and Lambda functions to show how easy it is to integrate Arculix with modern architectures and how to use a serverless infrastructure with Arculix. The solution includes blueprint code that is a modification of the authorizer Lambda blueprint that AWS provides in its documentation. The code is fully functional; feel free to test it and send us your feedback.


Note: This was co-authored by Mariusz Zyla, a Senior DevOps

About the Author: Abdulrahman Kaitoua

Abdulrahman Kaitoua is a new member of the SecureAuth technical staff as SecureAuth’s Principal Data Engineer. Dr. Kaitoua is a seasoned Data and AI/ML architect and has led major data-driven projects. He brings an academic pedigree in addition to his industry experience and success. Kaitoua has research experience in 4 universities and 4 different countries covering distributed systems, bioinformatics, AI and machine learning, and data analytics. Over the course of his career, Dr. Kaitoua has co-authored over 30 academic papers, has been granted 2 patents, and received the best practical Ph.D. award of 2017 at Politecnico di Milano, Italy.
