Hi folks! I'm new to AWS and diving into authentication, so please bear with me. I'm building a personal project where users log in and store data in a database, and I've set up a basic architecture:
- There's a public-facing Application Load Balancer (ALB) that forwards requests to a frontend hosted on an ECS service using Fargate.
- This service then sends traffic to an internal ALB, which routes requests to a backend ECS service, also on Fargate.
- The backend is configured to write data to DynamoDB via VPC endpoints and handles authentication using IAM.
All components are in private subnets with no internet access. Now, I want to add authentication and chose Clerk for this (though I'm open to using other options). After integrating Clerk into the frontend, it sends a Bearer token to the backend, which then tries to validate the JWT against Clerk's JWKS URI.
This worked well when the backend had internet access, but now, without it, the backend can't access Clerk's JWKS endpoint to validate the token. I thought about using a Lambda function (which does have internet access) to handle JWT validation:
Backend → Lambda → validates JWT → returns result → Backend → Frontend.
But I couldn't find solid examples or resources for this setup. Has anyone tackled a similar situation? I'd appreciate any advice or pointers!
1 Answer
Your current approach sounds complex! Instead of offloading JWT validation to Lambda, consider using AWS Cognito directly. By adding Cognito to the HTTPS listeners of your ALB, you can handle authentication at the gateway, preventing unauthorized requests from reaching your backend altogether. This simplifies the architecture significantly, and you wouldn't need to manage any manual token verification.
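Added example, not part of the answer above: a Terraform fragment showing the listener setup the answer describes, with Cognito authentication on the public ALB's HTTPS listener ahead of the forward to the frontend target group. The user pool, domain, load balancer, target group and certificate variable are assumed to exist under the placeholder names used here.

```hcl
# Cognito app client used by the ALB. The ALB integration needs a client
# secret and the authorization-code flow, and it completes the login at the
# fixed /oauth2/idpresponse path on the load balancer's own DNS name.
resource "aws_cognito_user_pool_client" "web" {
  name                                 = "web"
  user_pool_id                         = aws_cognito_user_pool.users.id
  generate_secret                      = true
  allowed_oauth_flows_user_pool_client = true
  allowed_oauth_flows                  = ["code"]
  allowed_oauth_scopes                 = ["openid", "email"]
  supported_identity_providers         = ["COGNITO"]
  callback_urls                        = ["https://${aws_lb.public.dns_name}/oauth2/idpresponse"]
}

# Public HTTPS listener. Default actions run in order: the request is
# authenticated first and only forwarded to the frontend if that succeeds,
# so unauthenticated traffic never reaches the ECS service.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.public.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn

  default_action {
    type = "authenticate-cognito"
    authenticate_cognito {
      user_pool_arn              = aws_cognito_user_pool.users.arn
      user_pool_client_id        = aws_cognito_user_pool_client.web.id
      user_pool_domain           = aws_cognito_user_pool_domain.auth.domain
      scope                      = "openid email"
      session_timeout            = 3600           # seconds; the default is seven days
      on_unauthenticated_request = "authenticate"  # redirect to the hosted login page
    }
  }

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.frontend.arn
  }
}
```

The load balancer itself performs the token exchange with Cognito, so the services in the private subnets need no route to an external JWKS endpoint; the ALB passes the caller's identity downstream in the x-amzn-oidc-* request headers, which the service should still verify rather than trust on sight.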
That sounds like a good idea! I wanted to build everything from scratch to learn, but easing off on complexity might help me focus on other aspects.