A developer is designing a serverless application using AWS Lambda, Amazon API Gateway, and Amazon DynamoDB. The application must authenticate users using a third-party OIDC identity provider and authorize each request. Which THREE steps should the developer take? (Choose THREE.)
Cognito can federate with OIDC providers.
Why this answer
Option A is correct because Amazon Cognito user pools can be configured to federate with third-party OIDC identity providers. The user pool then acts as an intermediary that handles the OIDC token exchange with the external provider and issues its own JWTs after successful authentication, which the API Gateway Cognito user pool authorizer can validate on each request. This is the standard approach for integrating external OIDC providers with AWS serverless applications.
Exam trap
The trap here is confusing the roles of the API Gateway authorizer types: candidates often pick the IAM authorizer (Option C), thinking it can validate JWTs, but IAM authorizers require requests to be signed with AWS SigV4 credentials and are not designed for OIDC token validation. The Cognito user pool authorizer is the correct choice for JWT-based federated authentication.