I am creating a Lambda function which implements multiple path endpoints. I want a zero-trust implementation. I set up the Lambda with the path “/” triggering a redirect for Okta SSO authentication. I was following How to Write a Secure Python Serverless App on AWS Lambda | Okta Developer, but it is incomplete. The Okta callback to “/path” arrives with a code on the query string along with a state. I need to validate that the user was successfully authenticated and is not just hitting my callback path. If I go through the Okta SSO unsuccessfully, I can see that I get an error in the query string. But if someone does that once, they have my callback path and can just forge a callback. So, how can the Lambda confirm that the code/state are valid?
Secondly, I will have other “API” endpoints on my Lambda. So, I want something that can be passed in (like a token) for each API call. Can the code/state from the SSO login be used for that?
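Added example, not part of the original post and not code from the linked Okta article: a stdlib-only sketch of the two callback checks a Lambda can make. The state check proves the callback belongs to a login this Lambda started (and, because the state is consumed on first use, that it is not a replay); the code exchange at Okta's token endpoint is the real proof of authentication, since Okta only redeems a code it issued for this client, redirect URI and PKCE verifier. Everything in the constants is hypothetical (an Okta org URL, client ID and API Gateway callback URL), the client is assumed to be a public client using PKCE, and the module-level dict stands in for a shared store such as DynamoDB with a TTL, because Lambda instances do not share memory. The `exchange` parameter is injectable so the flow can be exercised without network access.

```python
"""Okta authorization-code callback validation for a Lambda (illustrative; hypothetical config values)."""
import base64
import hashlib
import json
import secrets
import time
import urllib.parse
import urllib.request

# Hypothetical values; substitute your Okta authorization server, client and API Gateway URL.
OKTA_ISSUER = "https://dev-000000.okta.com/oauth2/default"
CLIENT_ID = "0oa-hypothetical-client-id"
REDIRECT_URI = "https://abc123.execute-api.us-east-1.amazonaws.com/callback"
STATE_TTL_SECONDS = 300

# Stand-in for a shared store (e.g. DynamoDB with a TTL attribute). A module-level dict only
# survives inside one warm Lambda instance; it is used here so the example runs offline.
PENDING_LOGINS = {}


class CallbackError(Exception):
    """Raised when a callback request does not correspond to a login this service started."""


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def start_login():
    """Handle GET /: mint a state and PKCE verifier, remember them, return (state, redirect URL)."""
    state = _b64url(secrets.token_bytes(32))
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    PENDING_LOGINS[state] = {"verifier": verifier, "created": time.time()}
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return state, f"{OKTA_ISSUER}/v1/authorize?{urllib.parse.urlencode(params)}"


def validate_callback(query: dict):
    """Check the query string of GET /callback; return (code, verifier) or raise CallbackError."""
    state = query.get("state")
    if not state:
        raise CallbackError("callback is missing state")
    # pop() makes each state single-use, so a captured callback URL cannot be replayed.
    pending = PENDING_LOGINS.pop(state, None)
    if pending is None:
        raise CallbackError("state is unknown, forged or already used")
    if time.time() - pending["created"] > STATE_TTL_SECONDS:
        raise CallbackError("state expired")
    # A failed Okta login comes back with error=... and no code; never treat that as success.
    if "error" in query:
        raise CallbackError(f"okta reported {query['error']}: {query.get('error_description', '')}")
    code = query.get("code")
    if not code:
        raise CallbackError("callback is missing code")
    return code, pending["verifier"]


def exchange_code(code: str, verifier: str) -> dict:
    """Redeem the code at Okta's token endpoint (network call; not exercised offline)."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }).encode("ascii")
    req = urllib.request.Request(
        f"{OKTA_ISSUER}/v1/token", data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def handle_callback(query: dict, exchange=exchange_code) -> dict:
    """Build the Lambda response for GET /callback. `exchange` is injectable for offline tests."""
    try:
        code, verifier = validate_callback(query)
        tokens = exchange(code, verifier)
    except CallbackError as exc:
        return {"statusCode": 403, "body": json.dumps({"error": str(exc)})}
    # The code and state are now spent. Hand the client the access token (or set it in a
    # Secure/HttpOnly cookie) and require `Authorization: Bearer <access_token>` on the API paths.
    return {"statusCode": 200, "body": json.dumps({"access_token": tokens["access_token"]})}
```

On the second question: the code and state are single-use artifacts of one login and are not credentials for later calls. What the API paths should carry is the access token (or ID token) returned by the token exchange, sent as a bearer token, and the Lambda should verify that JWT on every request (signature against the authorization server's published keys, plus issuer, audience and expiry); that verification is not shown in the block above.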