One Auth to Rule them All: Centralizing Authentication with Azure and API Gateway by F. Karailanidis

Learn how to centralize authentication using Azure AD and AWS API Gateway with Lambda Authorizer, enabling consistent auth across 30+ languages while reducing complexity.

Key takeaways
  • Authentication and authorization were centralized using AWS API Gateway with Lambda Authorizer and Azure Active Directory, reducing implementation complexity across services

  • JWT tokens from Azure AD were leveraged, with access tokens used as bearers instead of ID tokens for proper authorization flows

  • App roles in Azure AD replaced AD groups for permission modeling, providing better application-specific access control and simpler management

  • Lambda Authorizer validates tokens and handles authorization logic centrally, forwarding permitted requests through API Gateway

  • A caching layer was implemented to reduce Azure AD API calls and improve performance

  • HTTP header size limits (8KB by default) must be considered when passing group/role information downstream

  • Architecture separates authentication concerns:

    • Frontend handles user login/UI
    • API Gateway/Lambda manages token validation
    • Backend focuses on business logic
  • Key challenges included:

    • Token validation restrictions with Azure AD
    • API Gateway timeout limits
    • Legacy system integration
    • Administrative overhead of permission management
  • The solution provided consistent authentication across 30+ languages and 10M+ clients while supporting both modern and legacy applications

  • The implementation allows for environment-specific permissions and reduces duplicate authorization code across services