I'm new to AWS Amplify. I'm using AWS Amplify DataStore in my React Native frontend to do query, update and create mutations from the frontend. I can see that I use 'api-key' as the default authorization in the GraphQL API settings page, but I can't find this API key in the frontend. I want to know where this API key is stored in the frontend, how to prevent exposing it, and how I can use another authorization mode instead of api-key to increase security?
how to update amplify backend api?
I update backend of amplify for Cognito for password policy. Though not sure how to update the aws backend API files locally... it seems the backend json still holds the original init values.
In my React app all users are enabled to use a feature that makes use of an API (GraphQL) to mutate data in DB. My React app is hosted and served using AWS Amplify and my API is on AWS Appsync. Previously I used an API KEY to authenticate my app to my API, however, now I would like to change authentication method from API KEY to IAM. I have changed the Default authorization mode in the AWS Appsync Console (see attached image) and done amplify push and amplify codegen, however when I test my app in both development and production environment I get status code 401 (sometimes 403) from my API whenever I try to call it, what am I missing?
I haven't added any additional configuration on the app side, not sure where and how to add the appropriate credentials.
Changing directly in the console will not be reflected in other environments with amplify push; also, it's not recommended.
Try using amplify update api with the AWS CLI, and do amplify push; it will update the auth config.
I am trying to create a new API using
AWS API Gateway (backed by an AWS Lambda)
Swagger UI
Authentication (OAUTH2 with Okta)
I can create a new service with Python + Flask + Swagger and host a Docker container, which I can develop, but I'm trying to keep it serverless and use the combination of technologies in my list above.
Any help would be greatly appreciated!
I'm assuming you want to know more about the OAuth part using Okta. You'll have to create a Lambda authorizer that will perform the introspection of the token from Okta.
For the serverless API, you'll have to break your service into functions. An approach is to have one function for each RESTful resource+method:
GET /books/{id} -> getBookFunction
PUT /books/{id} -> updateBookFunction
DELETE /books/{id} -> deleteBookFunction
Lastly, if you have a well-defined Swagger file, you can use it to create your API in API Gateway. You may also use x-amazon-apigateway-* extensions in your Swagger file and define your resource backend to refer to a Lambda function's ARN. Documentation can be found here.
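The Lambda authorizer the answer above describes, as an added example that is not part of the original answer or of any AWS or Okta code: it checks the bearer token's signature, issuer, audience, expiry and Okta-style scp scopes, and returns the IAM policy document API Gateway expects from a REST API token authorizer. To run offline it mints and verifies HS256 tokens with a constructed shared secret; a real Okta access token is RS256, so production code would instead fetch the issuer's JWKS and verify the RSA signature (for example with PyJWT), or call Okta's token introspection endpoint. The issuer, audience and scope values are assumed placeholders.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-shared-secret"                        # constructed demo secret (HS256 stand-in for Okta RS256)
ISSUER = "https://example.okta.com/oauth2/default"    # assumed placeholder issuer
AUDIENCE = "api://books"                              # assumed placeholder audience

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, secret=SECRET):
    """Mint an HS256 JWT for the demo (stands in for the token Okta would issue)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_token(token, required_scope, now=None):
    """Return the claims if signature, issuer, audience, expiry and scope all check out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None   # only accept the algorithm we configured, never the one the token names
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None   # signature mismatch: tampered payload or wrong issuer key
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, AttributeError, TypeError):
        return None       # malformed token
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if claims.get("exp", 0) <= now:
        return None
    if required_scope not in claims.get("scp", []):   # Okta carries granted scopes in "scp"
        return None
    return claims

def handler(event, context=None):
    """REST API token authorizer entry point: event carries authorizationToken and methodArn."""
    raw = event.get("authorizationToken", "")
    token = raw[7:] if raw.startswith("Bearer ") else raw
    claims = validate_token(token, required_scope="books.read")
    return {
        "principalId": claims.get("sub", "anonymous") if claims else "anonymous",
        "policyDocument": {"Version": "2012-10-17", "Statement": [{
            "Action": "execute-api:Invoke",
            "Effect": "Allow" if claims else "Deny",
            "Resource": event["methodArn"]}]},
    }
```

API Gateway caches the returned policy per token for the configured TTL, so the methodArn in a Deny is still worth returning: it keeps the cached decision scoped to the resource that was requested.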
Yes, you're right, the question is more around how to integrate OAuth2 (Okta) with a Swagger UI using AWS API Gateway.
API Gateway 2.0 already provides the ability to inspect the JWT token from Okta, so there is no need to create a custom Lambda there.
I'm not sure how to get this ability with redirects configured in a Swagger UI, and have the user login using the implicit/authorization-code Grant-Type and let the user interact with the swagger page.
For example, suppose I created
Users in Azure AD
Application in Azure for a restful API
API Management Service which delegated to this application when validating a token in requests (scope)
Then, I switched to AWS API Gateway RestAPI as my API front end gateway, but still have my users defined in AzureAD.
How can I add authentication to the AWS RestAPI such that requests with tokens are validated against the users and scopes defined in Azure AD application?
Said another way, if I were to go with the Azure API Management service, I could create an application in Azure, add users to that application, add roles to users within that application, and once I set up the API within the API Management service instance, point to this application when validating tokens.
Is it possible to use AWS RestAPI and authenticate requests against an Azure AD app with the mix of technologies I described above?
Perhaps another way of asking this would be to ask:
How do I set up authentication with AWS RestAPI with https://auth0.com/?
The same area of the policy to update may be the same. Any insight is appreciated.
The comparable substitute in Azure is here
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad#configure-a-jwt-validation-policy-to-pre-authorize-requests
I see some docs for HTTP APIs here: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html, but I am specifically looking for this type of feature in RestAPI.
We have our REST API deployed on AWS Lambda behind API Gateway. Users of our web client are authenticated using an API Gateway Authorizer through a JWT token from Cognito.
Now we want to give users the ability to create their own API credentials (API key and secrets) so that they can use the REST APIs directly without using the web client. How can we achieve that?
Yes, you can do it. You can use federated identity and have users sign up, and they can get their own API key and secrets. You can also change the flow of Cognito as per your need, and make a new Lambda and add it to Cognito as a trigger.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html