How to authenticate Guest/Unauthenticated users with API Gateway Cognito Authorizer? - amazon-web-services

In API gateway you can setup a Cognito Authorizer that references a Cognito User Pool for authentication. For verification, API Gateway expects the Cognito User Pool JWT token to be set in the Authorization header.
Using 'aws-sdk' and 'amazon-cognito-identity-js' NPM packages, how can I create guest/unauthenticated users and retrieve the JWT token to pass to API Gateway? By Guest/unauthenticated, I mean not even having a username or email. Or, is this not possible with the current APIs?
Amplify (built on top of Cognito) appears to have something similar: https://docs.amplify.aws/sdk/auth/guest-access/q/platform/android
Thoughts?

Cognito User Pool is an authentication provider. This is separate from unauthenticated access that is provided by Identity pool. You cannot use the default cognito authorizer in API Gateway for validating the token. However, you can use a custom lambda authorizer that will take token and confirm it is valid for your identity pool.

Related

AWS API gateway for K8s using Cognito with JWT

I have AWS K8s cluster(EKS) and I want to use AWS API gateway to protect endpoints and separate authorization logic from microservices. I need to have 2 authentication schemas:
Send login/password and get JWT
OAuth2
There is an integration between API gateway and K8s cluster via ALB Ingress Controller. It looks fine. Then I need to authenticate somehow. AWS provides Cognito as a service to manage users and the possibility to have your own identity provider. I know that we can integrate API gateway authorizer with Cognito, but I can't understand the following things:
How to integrate Cognito with already existed LDAP for example? (SAML?)
Can I use my own already created OAuth2 authentication endpoint?
How Can I authenticate with login/password and retrieve JWT using API gateway+Cognito?
1 How to integrate Cognito with already existed LDAP for example? (SAML?)
Make use of Cognito Userpools with SAML IDP.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
2 Can I use my own already created OAuth2 authentication endpoint?
Yes, use Developer Authenticated Identities for Cognito Identity Pools.
Users that authenticate from the existing user database will be authorized by identity pools through assuming the authenticated IAM role of the identity pool, in that role set the access level to AWS resources.
https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html
3 How Can I authenticate with login/password and retrieve JWT using API gateway+Cognito?
Best way to achieve this seeing that API Gateway is being used is to implement a Lambda authorizer in API gateway that uses Cognito Userpools. You will then be able to get the JWT token in that Lambda authorizer, the claims in the authorizer will also be available in the integration request vtl and accessible using $context . i.e.
$context.authorizer.claims.sub
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

Trying to setup user pool authentication for API Gateway

I'm trying to setup security on an API using Cognito user pools. I'm getting back 401 Unauthorized.
The API and User Pools are existing, and I've been using the user pool to log into an application. I'm now trying to secure the API calls.
I created an authorizer on the API,
Then I added the authorizer to one GET method in the API
Then finally I tried to test the API in Postman. I'm using the AWS Signature authorization.
Calling the method returns 401. The method functioned before with no security, and turning off the authorizer makes it work again (without security).
Any ideas what step I'm missing?
The AWS Signature authorization is different than a Custom Authorizer.
The AWS Signature authorization (Postman) requests an AWS AccessKey and SecretKey to authenticate requests. This corresponds to IAM Authentication in API Gateway. The AccessKey and SecretKey are received through IAM.
A Custom Authorizer takes a JWT called #id_token that is issued by your specified Cognito User Pool. To test the validity of the token, go to your custom authorizer and click test, and then copy and paste the token into the text area.
The way to perform the Custom Authorizer authentication is this:
obtain an #id_token from the your user pool by following AWS Configuration
Configure API gateway with a Cognito custom Authorizer with your user pool as the source (Seems that you have done correctly)
Use OAuth 2.0 as Authorization in postman, with your #id_token as the Access Token, Or add the header: Authorization with the value Bearer and the #id_token
Drop a comment if you want me to add the AWS Signature Auth Flow.
For authorization using Postman when using Cognito user pools, chose No Auth. Then add a header Authorization (the value in token source field of your authorizer) and copy the id_token into that header value. I did not have to add anything else besides that to make it work (i.e. no bearer).

aws cognito, api gateway and cognito with postman

How do I call API gateway with postman with cognito?
Tried to use AWS Signature in postman and this did not work.
https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-use-postman-to-call-api.html
I am using hosted UI in cognito if that makes a difference. I see that there is an Oauth 2.0 option in postman but dont know how to fill out the fields.
So my api works when I pass Authorization in the header with the id_token. Without the id_token is there any other way?
thanks
If you are using a Cognito user pool and have your API Gateway authorizer set to user pool, then you need to pass either the id or access token in the Authorization header.
If you are using a Cognito identity pool and have your API Gateway authorizer set to AWS_IAM you need to use AWS signatures

How to authenticate user in AWS Custom authorizer?

I'm trying to use AWS custom authorizer in API Gateway. If I understood correctly, then I should authenticate user in custom authorizer. I don't know who sends the request. I should detect the user by token using my own services. Right?
There are multiple authorizer options available
IAM authorizer
Cognito authorizer
Custom authorizer
If you use STS issued token to grant access to your AWS resources then you can use IAM.
Similarly Cognito authorizer is to authenticate the Cognito Userpools id token.
If you have your own authentication scheme or need customize authentication mechanism, you can use Custom authorizer.
Just wanted to add my 2 cents here, here is the flow :
Once the bearer token (you can use JWT as well), is issued to the
client (i.e. mobile app/web app), the client invokes REST API created, configured and deployed through API Gateway.
The custom authorizer, which is a lambda function written in Java
(you can implement it using NodeJS, C#, Python), would need to verify if the bearer token is valid. In my case, Bearer token is hashed using the SHA-512 algorithm. So we basically match if the token
stored in DB and the token presented by the client matche.
If the token matches then, custom authorizer returns IAM policy Allow but
it token is not correct then it returns IAM policy Deny,
The API gateway reacts based on the response from custom authorizer, if the policy is allow it passthrough the call to backend else it would return HTTP code 403.
Hope it would help.

Does Cognito User Pool Authorizer in Gateway API require all requests to be signed?

The documentation for using Cognito User Pool Authorizer with Gateway API says only that I should:
Call API methods configured with a user pool authorizer, supplying the unexpired token in the Authorization header or another header of
your choosing.
This is echoed by some other texts on the web.
However, when I try using the token, I get an error message that informs about missing Credentials, Signature, Signed Headers params (and the Date header). The token I am using is most likely correct as passes the test in the authorizer's web gui.
My question has two parts:
Does that mean that using the Cognito User Pool Authorizer requires
me to sign each request? Is there some way to configure it to just
accept a valid token?
If I want to keep my HTTP calls to Amazon Gateway simple and
authorize them with just the token (so that they can easily be
performed by hand, from Python backend etc.), am I forced to write a
custom authorizer using Lambda? Or is there some better option?
Cognito User Pool authorizer does not require a signature on the request. You simply have to pass the JWT version of the OpenID Connect identity token produced by Cognito in the authorization header of each request.
result.getIdToken().getJwtToken()
This should answer both your questions.
I think you are getting confused with the Cognito Identity service, which exchanges a valid identity from a public identity provider (Facebook, Amazon, User Pools, etc) for temporary AWS Credentials. You can use the AWS credentials from the Cognito Identity service to sign requests.
If you are only using User Pools, the result of a successful authentication are an OIDC identity token and a JWT access token. API Gateway, when configured with a User Pool authorizer, uses the identity token to authenticate a request.