Slaesforce FAQ

how to authorize a salesforce customer to aws api gateway

by Ivy Prohaska Published 3 years ago Updated 2 years ago

Apply an OpenID token enforcement policy on the API gateway. Configure your Salesforce instance as a client management provider on Mulesoft’s Anypoint Platform. With this configuration, the API gateway uses your Salesforce instance as its authorization provider in the OpenID Connect dynamic client registration flow.

How Salesforce and AWS API Gateway works?

The connection between Salesforce and AWS API Gateway is made through open authentication (OAuth). I will have a separate article on security considerations for the Salesforce-to-AWS connection. A Platform Event is subscribed to, which in turn calls Amazon API Gateway and passes the data. API Gateway receives the data, transforms it, and passes it on to AWS Lambda.

Can AWS connected customer data to Salesforce as a contact automatically?

If the registered customer data can be reflected in Salesforce as a contact automatically, then a cumbersome manual upload of the data can be avoided. Let’s look at some example scenarios of what AWS and Salesforce connectivity can accomplish.

What are custom request authorizers in Amazon API gateway?

Today Amazon API Gateway is launching custom request authorizers. With custom request authorizers, developers can authorize their APIs using bearer token authorization strategies, such as OAuth, by means of an AWS Lambda function.

How does a partner authorize a client using the API gateway?

The partner sends a request with the client credentials to the API gateway by specifying the grant type (authorization code) to approve the client with. The partner is redirected to a browser to log in to Salesforce, and to authorize access to data.

SaaS Integration Service

To demonstrate an approach to connecting Salesforce and AWS, we have created a software-as-a-service (SaaS) integration service running in an Amazon Elastic Compute Cloud (Amazon EC2) instance within a VPC.

Scenario 1: Attaching Contracts to Opportunity Records

John, an IT Manager at Acme Inc., who is responsible for managing his company’s Salesforce subscription, is looking for an easy way for the sales team to attach contracts to customer Opportunity Records in Salesforce. John is also looking to create an archive for the entire Opportunity in Amazon S3, which is Acme’s data lake back-end service.

Scenario 2: Meeting Security Requirements

Jane is a web developer for Acme who is working on an assignment to deliver an external-facing blog portal that would be leveraged by Acme’s employees to communicate their engineering and innovation thoughts to the world.

Conclusion

Both scenarios in this post demonstrate the value that enterprises can realize by leveraging AWS services to integrate customer data between AWS and Salesforce.

Salesforce – APN Partner Spotlight

Salesforce is an AWS Competency Partner. They are a leading customer relationship management (CRM) platform, and the announcement from AWS and Salesforce about our extended strategic alliance underscores the opportunity to help enterprises get more out of their customer data.

Lambda authorizer Auth workflow

The following diagram illustrates the authorization workflow for Lambda authorizers.

Steps to create an API Gateway Lambda authorizer

To create a Lambda authorizer, you need to perform the following tasks:

Create an API Gateway Lambda authorizer function in the Lambda console

Before configuring a Lambda authorizer, you must first create the Lambda function that implements the logic to authorize and, if necessary, to authenticate the caller. The Lambda console provides a Python blueprint, which you can use by choosing Use a blueprint and choosing the api-gateway-authorizer-python blueprint.

Configuring custom authorizers

You can configure custom authorizers from the API Gateway console or using the APIs. In the console, we have added a new section called custom authorizers inside your API.

The authorizer function in AWS Lambda

API Gateway invokes the Lambda authorizer by passing in the Lambda event. The Lambda event includes the bearer token from the request and the full ARN of the API method being invoked. The authorizer Lambda event looks like this:

Conclusion

You can use custom authorizers in API Gateway to support any bearer token. This allows you to authorize access to your APIs using tokens from an OAuth flow or SAML assertions. Further, you can leverage all of the variables available to IAM policies without setting up your API to use IAM authorization.

Does Salesforce require OAuth 2.0?

Setting up OAuth 2.0 requires that you take some steps within Salesforce and in other locations. If any of the steps are unfamiliar, see Authorize Apps with OAuth in Salesforce Help. The following example uses the web server flow.

Can you use session ID instead of OAuth 2.0?

You can use a session ID instead of an OAuth 2.0 access token if you aren’t handling someone else’s password. Obtain a session ID; for example, a SOAP API login() call returns the session ID. You may also already have the session ID, for example as part of the current Apex context.

Benefits of using third-party tokens with API Gateway

Using a Lambda authorizer with third-party tokens in API Gateway can provide the following benefits:

Solution overview

The following diagram shows the authentication/authorization flow for using third-party tokens in API Gateway:

Prerequisites

To build the architecture described in the solution overview, you will need the following:

Building a Lambda authorizer

When you configure a Lambda authorizer to serve as the authorization source for an API Gateway resource, the Lambda authorizer is invoked by API Gateway before the resource is called. Check out the Lambda Authorizer Authorization Workflow for more details on how API Gateway invokes and exchanges information with Lambda authorizers.

Deploying the Lambda authorizer

To deploy your Lambda authorizer, you first need to create and deploy a Lambda deployment package containing your function code and dependencies (if applicable). Lambda authorizer functions behave the same as other Lambda functions in terms of deployment and packaging.

Testing the results

With the Lambda authorizer configured as your authorization source, you are now able to access the resource only if you provide a valid token that contains the email scope.
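The following is an added example, not code from any of the posts quoted on this page, of a TOKEN-type Lambda authorizer of the kind described above: it reads the bearer token and method ARN from the event API Gateway passes in, authenticates the token, and returns an IAM policy that allows the call only when the token carries the email scope. The HS256 shared secret, the token-minting helper and the sample method ARN are constructed for the demo; a deployed authorizer would validate tokens against the identity provider's published keys or introspection endpoint instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed HMAC secret for this example; a deployed authorizer would load it from a secrets store.
SECRET = b"example-shared-secret"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT; used here only to construct sample bearer tokens for the demo."""
    parts = [_b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
             _b64url(json.dumps(claims).encode())]
    sig = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])

def verify_token(token: str, secret: bytes = SECRET, now=None):
    """Return the claims of a valid, unexpired HS256 JWT, or None on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison; reject before trusting anything the payload says
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64/JSON or wrong number of segments
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    return claims

def handler(event: dict, context=None) -> dict:
    """TOKEN-type authorizer: API Gateway passes authorizationToken and methodArn in the event."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    claims = verify_token(token) if scheme.lower() == "bearer" else None
    if claims is None:
        raise Exception("Unauthorized")  # API Gateway turns this exact message into a 401
    # Authentication passed; now authorize: the resource requires the 'email' scope
    effect = "Allow" if "email" in claims.get("scope", "").split() else "Deny"
    return {
        "principalId": claims.get("sub", "unknown"),
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": effect, "Resource": event["methodArn"]}]},
    }
```

A token without the email scope still authenticates but yields a Deny policy (403 at the gateway), while a forged, expired or malformed token raises Unauthorized (401); API Gateway caches the returned policy per token for the authorizer's configured TTL.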

Conclusion

In this post, you saw how Lambda authorizers can be used with API Gateway to implement a token-based authentication scheme using third-party tokens.
