I need to develop a private API Gateway at the company where I work.
What left me in doubt is that when using amazon cognito's OAUTH2.0, it generates a URL for authentication.
But I didn't find anything on the web talking about such an authentication for a Private API.
This url for authentication of amazon cognito will always be exposed on the internet? Can I develop a Private API with a cognito private authentication url?
You can have a private api with public authentication, but there is no concept of private authentication with the Cognito User Pools hosted UI. End users will be able to authenticate, but not call your api unless they are in the VPC. This blog describes an approach if you don't use the hosted UI.
Related
I am trying to run a cloud run/ cloud functions service through google API gateway. I am using firebase authentication on the gateway as security.
Initially, I had my services private and was getting 403. It gave me 200 once I added allUsers with Cloud Run Invoker to the permissions to the service I am trying to invoke. So I am a bit confused here. Part of the reason I am using API gateway with firebase auth is to protect it against unauthorised calls. And for firebase auth to work, I had to add allUsers, making it public. My understanding was that the API gateway alone would be public while all the backend services that it invokes would be private. In this case, the service can be directly invoked by anyone, rendering the security at the API Gateway useless. How can I setup the backend to private and only respond to authenticated calls through API gateway ?
I am trying to implement ALB with OIDC for grant type Client Credentials.
I have given Issuer, Token endpoint, Client ID, and Client Secret, Authorization endpoint and User info endpoint in Listeners tab of ALB
But i get 400 invalid redirect_uri while trying to access the url.
We explored ALB for client credentials authentication but failed to implement that. After checking with AWS support team, we got confirmation that AWS ALB don't support Client credential authentication mechanism and supports only Authentication code flow.
We switched to AWS API gateway with lambda authoriser to implement client credential flow.
I have a backend service, which I don't want to be expose, and also, just the employees that uses Gsuite oAuth should access.
Instead of exposing the backend and add the logic of oauth in it, I looked at the vouch-proxy project, which fits me very well (a proxy that redirects unauthenticated traffic to oauth login page and then, when a valid token is passed, it's redirect to the backend.
Before using this vouch proxy, do GCP has something built-in for it? Or another kind of setup that my backend service is not exposed?
Google Cloud provides the Identity-Aware Proxy (IAP) that would precisely fit your needs since it's integrating well with G Suite domain and can sit in front of your Load-Balancer.
I have hosted a static site in an S3 bucket with links to a REST API that I have deployed using Amazon API Gateway. Now I would like that the methods of the REST API can only be invoked from the static site.
In order to write the Resource Policy I can't allow for a static IP, because AWS is very clear that the IP of an S3 site is dynamic. The only option I can think of is enabling CORS in the API Gateway and configuring the Access-Control-Allow-Origin to be the domain of the static site. But that doesn't seem very convincing to me..
Is there a better alternative?
You couldn't do that anyway, as the API Gateway request comes from the browser of the visitor, not from server-side of the S3 hosting service.
CORS will restrict other websites calling your API using regular browsers, but a REST API client can call it without restrictions.
If you want to restrict access, either use an API Key (more obscurity than security) or implement a Custom Authorizor in API Gateway to authorise your clients. See here: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html
how to make aws cognito as authentication in asp.net rest api, That is asp.net rest api will be hosted in IIS and its authentication should be from aws cognito, please give if this is possible?