Multiple Authentication for API Gateway Resource - amazon-web-services

I want to authorize the request to API Gateway using COGNITO_USER_POOLS or an API Key. That is, the incoming request can have either an authentication token (using COGNITO_USER_POOLS) or an API Key.
Is there any way to configure both types of authorization and use either one of them to authenticate on a single API Gateway resource?

Related

Passing backend API Token to AWS API Gateway internally

Can anyone please help me with this use case?
Use case: I've created a secure proxy for a private resource in the AWS API Gateway. For the private integration I've used a VPC link and configured the Cognito pool authorizer. But the backend private API already has an OAuth2 token configured, and I have a separate API to generate the OAuth2 token. I don't want the end client to send both tokens via the API Gateway request, but want to internally pass the token which is already configured on the backend private REST API, via API Gateway.
For now I've created the proxy and I'm passing both tokens via the request.
Note: I don't want to use a Lambda function.
For example: you hit the API Gateway endpoints via Postman with all the required parameters; now the request should first go to the authenticator endpoint to generate the OAuth2 token. Once the token is generated, it should be passed internally to the actual backend private resource to return the response.
Also, I want to know if it's the best approach to pass the backend API token internally, or whether we can pass both tokens, i.e. the backend API token and the API Gateway authorizer token, via the request.

using api gateway with aws cognito for protected routes

So I'm going to put a public facing API up using AWS API Gateway, where I'll have back end lambda resources that handle the logic for each route (decoupled microservice).
What should I be storing in the JWT? Currently, I've disabled all read attributes, so the token only contains cognito:username, where in my database I will store this as the user id for each user. My understanding is that once a JWT is properly generated, I can use Cognito as an authorizer with API Gateway, and then once the token JWT details are received at the lambda layer, all I need to do is use the cognito:username key to lookup the user profile in my database.
Should I be implementing any other checks in the backend, or is it safe to rely on API gateway to pass the authenticated request?
Thanks!
The Cognito API Gateway authorizer will only check if the token has not expired and if it belongs to the correct user pool. But since you will be extracting the username from the token itself, you should be safe. Just make sure to configure API Gateway to pass the Authorization header to the Lambda; it does not do this by default.

How can I authenticate my api gateway with cognito?

I deployed a REST API Gateway on AWS and configured it as an HTTP pass-through to my website. When I open the API Gateway endpoint in a browser, it shows my website, which is expected.
Now I am going to authenticate the API Gateway endpoint with Cognito, and I have configured it following these instructions: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
So in API Gateway, I added an authorizer and attached a Cognito user pool to it.
What I am expecting is that when I open the API Gateway endpoint in a browser, it opens a Cognito popup dialog to ask for username and password. But I can open the endpoint and view the website without any authentication. It seems configuring the authorizer doesn't have any impact on my API. What did I do wrong?
API Gateway can't open a Cognito popup, as you are accessing an API and there is no application. You need to get the authorization token separately and pass this token in the Authorization header while calling the API. The process is described in the doc link that you mentioned:
To call any API methods with a user pool enabled, your API clients perform the following tasks:
- Use the Amazon Cognito CLI/SDK or API to sign a user in to the chosen user pool, and obtain an identity token or access token.
- Use a client-specific framework to call the deployed API Gateway API and supply the appropriate token in the Authorization header.

AWS API Gateway Websocket routes missing Cognito information

I have Websocket API with $connect route authorization set to AWS_IAM. Once I connect with Cognito Identity Pool credentials, $connect route lambda integration's context has all Cognito data:
CognitoAuthenticationType=authenticated;
CognitoAuthenticationProvider=cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxxxxx,cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxxx:CognitoSignIn:user_id;
etc
But if I call any other Websocket route on the same connection, that route doesn't have any Cognito data.
What is the right way to get the Cognito identity id in routes other than $connect? I am using the Golang SDK for the Lambda implementation.
I am using the AWS Gateway V2 API, with the WEBSOCKET protocol type, and Cognito (but with different credential handling than you have).
The Gateway V2 API allows the authentication lambda on the $connect route to return a context object along with the authentication response, and those context object values get passed along in the event object that gets sent to the route lambda.
The same context handling may have been added to the Gateway V1 API.
My implementation is in python, but once it settles down then I will likely convert it to Go to match the rest of the project.

Authorize AWS API Gateway with either API Key or Authorizer

In AWS API Gateway,
- We can set up a resource to require an API Key for access.
- We can also set up another resource to require Authorization (e.g. a JWT token, handled via a Lambda function or AWS Cognito).
The question: can we configure a resource to be accessible in either of the above two situations? Currently, if we enable "API Key Required" and "Authorization" simultaneously, the request needs both the API Key and the Authorization. We were hoping for it to pass with only one of the two.
Hack/workaround: Create two copies of the same resource, and authorize each separately, one with API Key and the other one with an authorizer.
Let the authorizer generate/map the API key for you.
You have a Lambda authorizer return the API key as part of the authorization response. For more information on the authorization response, see "Output from an Amazon API Gateway Lambda authorizer".
Pros:
- Single endpoint.
- The API key is more for usage plans than for authorization. Keep it that way.
Cons:
- The authorizer will run on each request, which costs money.
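As an added illustration (not code from any of the posters), here is what the authorizer described in this answer looks like as a REQUEST-type Lambda authorizer: it accepts either an `x-api-key` header or a Cognito bearer token, returns the policy document with a `usageIdentifierKey` so API Gateway can still apply the usage plan, and passes claims back in `context` (the same mechanism the WebSocket answer above relies on to get Cognito data into later routes). It assumes the method has "API Key Required" enabled with the API key source set to AUTHORIZER; `KNOWN_API_KEYS`, `verify_jwt` and the key names are constructed placeholders.

```python
import hmm  # noqa: F401  (placeholder line removed below)
```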
Authentication, Identification, Authorization are intertwined concepts. As I got more educated on Auth, here is my answer:
API Keys are used for project/application identification and authorization
JWT are used for user authentication and authorization.
API Key is on project/application scope and JWT is on user scope. In other words, API Key only identifies the application, not the user of the application.
Accordingly, it makes sense not to authorize the same endpoint with both JWT and API Key as it would reduce the governance granularity for users and applications. But, if you have a usecase that requires that type of authorization, the suggested workaround could work.