How it works...

The process for connecting a custom authorizer to API Gateway is the same as for the Cognito authorizer. We can implement the authorizer function in the same project, as we have in this recipe, or in a separate stack so that it can be shared across services. The jwks-rsa and jsonwebtoken open source libraries implement the bulk of the logic. First, we assert that a token is present and decode it, treating the decoded contents as untrusted until the signature has been checked. Next, we use the key ID (kid) from the decoded token's header to select the matching public key from the issuer's .well-known/jwks.json document. Then, we verify the token's signature against that key and assert that the audience (aud) and issuer (iss) claims are as expected; the expiry (exp) claim is checked at the same time, so a stale token is rejected even though its signature is valid. Finally, the function returns an IAM policy that ...
