AWS Lambda Function SPA

I am creating a Lambda function, which implements multiple path endpoints. I want a zero-trust implementation. I set up the Lambda with the path "/" triggering a redirect for Okta SSO authentication. I was following How to Write a Secure Python Serverless App on AWS Lambda | Okta Developer, but it is incomplete. With the Okta callback to "/path" comes a code on the query string along with a state. I need to validate that the user was successfully authenticated and not just hitting my callback path. If I go through the Okta SSO unsuccessfully, I can see that I get an error in the query string. But if someone does that once, they have my callback path and can just forge a callback. So, how can the Lambda confirm that the code/state are valid?

Secondly, I will have other “API” endpoints on my Lambda. So, I want something that can be passed in (like a token) for each API call. Can the code/state from the SSO login be used for that?

Hi @buchs, the code you get back is an authorization code which is part of the authorization code flow. You will need to exchange the authorization code for an id token/access token via the /token endpoint. Check out this doc - Implement authorization by grant type | Okta Developer.

1 Like
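The flow the answer describes, as an added example that is not part of the thread or of Okta's own sample code. It is a minimal Lambda-style handler in Python: "/" mints a random `state`, pins it to the browser in an HttpOnly cookie and redirects to Okta's authorize endpoint; the callback checks that the returned `state` matches the cookie, exchanges the `code` at the `/token` endpoint, and only then trusts the login; other API paths are gated on a bearer access token. The issuer, client id/secret, redirect URI, the injected `post_form` HTTP function and the `verify` callback are all assumptions (placeholders), and the `demo_flow` function drives the handler offline with a constructed fake token endpoint, including the forged-callback and made-up-code cases the question asks about.

```python
import base64
import hmac
import json
import secrets
import time
from http.cookies import SimpleCookie
from urllib.parse import urlencode

# Constructed configuration: placeholders, not real Okta values.
OKTA_ISSUER = "https://dev-000000.okta.com/oauth2/default"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
REDIRECT_URI = "https://api.example.invalid/callback"
STATE_COOKIE = "oidc_state"


def start_login():
    """Handle '/': mint an unguessable state, pin it to this browser in an HttpOnly
    cookie, and send the same state to Okta's authorize endpoint."""
    state = secrets.token_urlsafe(32)
    params = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid profile",
              "redirect_uri": REDIRECT_URI, "state": state}
    return {"statusCode": 302, "body": "", "headers": {
        "Location": f"{OKTA_ISSUER}/v1/authorize?{urlencode(params)}",
        "Set-Cookie": f"{STATE_COOKIE}={state}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=300"}}


def _decode_claims(jwt):
    """Decode a JWT payload only. Signature verification against Okta's JWKS is a
    separate step (assumed: e.g. PyJWT's PyJWKClient) and must not be skipped in production."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def handle_callback(event, post_form):
    """Handle the callback path. post_form(url, data, auth) -> {'status', 'json'} is an
    injected HTTP POST (assumption) so the example runs offline; use urllib/requests in Lambda."""
    qs = event.get("queryStringParameters") or {}
    cookies = SimpleCookie(event.get("headers", {}).get("cookie", ""))
    expected = cookies[STATE_COOKIE].value if STATE_COOKIE in cookies else ""
    if "error" in qs:  # Okta reports a failed login as ?error=...; never treat it as success
        return {"statusCode": 401, "body": f"login failed: {qs['error']}"}
    # 1. state must equal what this browser was issued at '/'; a forged callback from
    #    someone who only knows the path carries no matching cookie.
    if not expected or not hmac.compare_digest(qs.get("state", ""), expected):
        return {"statusCode": 401, "body": "state mismatch"}
    # 2. exchange the code at /token; Okta only honours codes it minted for this
    #    client_id + redirect_uri, so a made-up code is rejected here.
    resp = post_form(f"{OKTA_ISSUER}/v1/token",
                     {"grant_type": "authorization_code", "code": qs.get("code", ""),
                      "redirect_uri": REDIRECT_URI},
                     (CLIENT_ID, CLIENT_SECRET))
    if resp.get("status") != 200 or "id_token" not in resp.get("json", {}):
        return {"statusCode": 401, "body": "token exchange failed"}
    tokens = resp["json"]
    claims = _decode_claims(tokens["id_token"])
    # 3. sanity-check the identity claims (on top of signature verification, see above)
    if (claims.get("iss") != OKTA_ISSUER or claims.get("aud") != CLIENT_ID
            or claims.get("exp", 0) < time.time()):
        return {"statusCode": 401, "body": "invalid id_token"}
    # The access token, not the code/state, is what later API calls carry.
    return {"statusCode": 200,
            "headers": {"Set-Cookie": f"{STATE_COOKIE}=; Max-Age=0; Path=/"},
            "body": json.dumps({"sub": claims["sub"], "access_token": tokens["access_token"]})}


def require_bearer(event, verify):
    """Gate for the other API paths: expects 'Authorization: Bearer <access_token>'.
    verify(token) returns claims or raises (assumed to be JWKS-backed in practice)."""
    auth = event.get("headers", {}).get("authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        return verify(auth[len("Bearer "):])
    except Exception:
        return None


def demo_flow():
    """Offline walk-through with a constructed fake token endpoint: a genuine callback,
    a forged callback with no matching cookie, and a callback with a made-up code."""
    def fake_post(url, data, auth):
        if data["code"] != "GOOD_CODE":
            return {"status": 400, "json": {"error": "invalid_grant"}}
        claims = {"iss": OKTA_ISSUER, "aud": CLIENT_ID, "sub": "user@example.invalid",
                  "exp": int(time.time()) + 3600}
        b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
        unsigned = f"{b64({'alg': 'none'})}.{b64(claims)}."  # constructed test token, unsigned
        return {"status": 200, "json": {"id_token": unsigned, "access_token": "ACCESS_PLACEHOLDER"}}

    state = SimpleCookie(start_login()["headers"]["Set-Cookie"])[STATE_COOKIE].value
    with_cookie = {"cookie": f"{STATE_COOKIE}={state}"}
    genuine = handle_callback({"queryStringParameters": {"code": "GOOD_CODE", "state": state},
                               "headers": with_cookie}, fake_post)
    forged = handle_callback({"queryStringParameters": {"code": "GOOD_CODE", "state": "guess"},
                              "headers": {}}, fake_post)
    bad_code = handle_callback({"queryStringParameters": {"code": "FAKE", "state": state},
                                "headers": with_cookie}, fake_post)
    return {"genuine": genuine["statusCode"], "forged": forged["statusCode"],
            "bad_code": bad_code["statusCode"]}


if __name__ == "__main__":
    print(demo_flow())
```

The two checks answer the two halves of the question: a forged callback fails the `state` comparison because the attacker's browser never received the cookie, and even a callback with a correct `state` fails at `/token` unless Okta itself issued the code for this client. The code and state are single-use artifacts of the login and are never reused for API calls; the API paths accept only the access token obtained from the exchange.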

Thanks @dawoudt.

1 Like