I have two services, sitting in two separate regions on their own, that use the same authentication solution, AWS Cognito, and each of those instances has federated the same identity provider in its user pool.
In front of the application, there is an API Gateway, that should grant access to the desired service.
The user could have the following scenario: he goes to authenticate in region1, gets his token, and then the API Gateway from region1 will permit his access based on it. Can this token be used to access a service in region2?
Assuming Cognito is configured in region1, if you set the Cognito pool from region1 as authorizer for the API Gateway in region2, that should allow this API Gateway to authenticate users in Cognito. It also works cross-account.
Hopefully the docs help: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
Related
I have an AWS K8s cluster (EKS) and I want to use AWS API Gateway to protect endpoints and separate authorization logic from microservices. I need to have 2 authentication schemas:
Send login/password and get JWT
OAuth2
There is an integration between API Gateway and the K8s cluster via the ALB Ingress Controller. It looks fine. Then I need to authenticate somehow. AWS provides Cognito as a service to manage users, and the possibility to have your own identity provider. I know that we can integrate the API Gateway authorizer with Cognito, but I can't understand the following things:
How to integrate Cognito with an already existing LDAP, for example? (SAML?)
Can I use my own already created OAuth2 authentication endpoint?
How can I authenticate with login/password and retrieve a JWT using API Gateway + Cognito?
1. How to integrate Cognito with an already existing LDAP, for example? (SAML?)
Make use of Cognito Userpools with SAML IDP.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
2. Can I use my own already created OAuth2 authentication endpoint?
Yes, use Developer Authenticated Identities for Cognito Identity Pools.
Users that authenticate from the existing user database will be authorized by identity pools through assuming the authenticated IAM role of the identity pool; in that role, set the access level to AWS resources.
https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html
3. How can I authenticate with login/password and retrieve a JWT using API Gateway + Cognito?
The best way to achieve this, seeing that API Gateway is being used, is to implement a Lambda authorizer in API Gateway that uses Cognito User Pools. You will then be able to get the JWT token in that Lambda authorizer; the claims in the authorizer will also be available in the integration request VTL and accessible using $context, i.e.
$context.authorizer.claims.sub
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
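As an added illustration of the Lambda authorizer approach in the answer above (example code written for this page, not from the answer's author or from AWS): a REST API TOKEN authorizer that checks a user-pool JWT's algorithm, signature, expiry, issuer and app client, then returns the IAM policy plus a context map the integration can read. `ISSUER`, `CLIENT_ID` and `sample_token` are constructed placeholders, and `verify_signature` is a hypothetical injected callable that in a real deployment must verify the RS256 signature against the pool's JWKS (for instance with PyJWT); the example fails closed when it is absent.

```python
import base64, json, time

# Constructed placeholders; use your pool's issuer URL and app client id in practice.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"

def b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def verify_cognito_token(token, verify_signature, now=None):
    # Returns the claims of a Cognito user-pool JWT or raises ValueError.
    # verify_signature(signing_input, signature, kid) is a hypothetical callable that
    # must check the RS256 signature against the pool's JWKS (e.g. with PyJWT).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256":  # Cognito signs with RS256; reject 'none' and HS*
        raise ValueError("unexpected alg")
    if verify_signature is None or not verify_signature(".".join(parts[:2]).encode(), b64url_decode(parts[2]), header.get("kid")):
        raise ValueError("signature check failed")  # fail closed
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    use = claims.get("token_use")  # ID tokens name the client in 'aud', access tokens in 'client_id'
    if not ((use == "id" and claims.get("aud") == CLIENT_ID)
            or (use == "access" and claims.get("client_id") == CLIENT_ID)):
        raise ValueError("token not issued for this app client")
    return claims

def lambda_handler(event, context=None, verify_signature=None, now=None):
    # TOKEN authorizer: API Gateway passes the header value in event["authorizationToken"].
    token = event.get("authorizationToken", "")
    try:
        claims = verify_cognito_token(token[7:] if token.startswith("Bearer ") else token, verify_signature, now)
    except ValueError:
        raise Exception("Unauthorized")  # this exact message makes API Gateway answer 401
    return {"principalId": claims["sub"],
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": event["methodArn"]}]},
            # flat string map, read by the integration as $context.authorizer.<key>
            "context": {"sub": claims["sub"], "email": claims.get("email", "")}}

def sample_token(claims):
    # Constructed test token: RS256 header, the given claims, and placeholder signature bytes.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'test-kid'})}.{enc(claims)}.{enc('placeholder')}"
```

With a Lambda authorizer the claims you copy into `context` are reached as `$context.authorizer.sub` rather than the nested `claims.` path used by the built-in Cognito user pool authorizer.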
I am currently investigating the use of Federated Identities and from the many examples I have read, it seems to be a way to grant users temporary credentials to various AWS services. For my case, the API Gateway is all that the user will interact with, since the API server is the one making calls to other services like S3 and DynamoDB. I like how permissions are controlled using IAM, but I'm failing to see any other appeals of Federated Identities. User Pools itself already supports password/fb/google/etc sign in; the only downside I see with user pools is that I'll need to do the authorization manually in the API layer. Is there something else I am missing with Federated Identities? Is it worth it given my use of only API Gateways (externally)?
It all depends on the way that you will secure your API Gateway endpoint.
If you secure your API using AWS IAM, you'll need a way to convert your authentication tokens into AWS IAM roles. For that scenario you can use AWS Cognito Idp (not the User Pool) or AWS Federated Identities. The difference is: using AWS IAM Federated Identities you will need to call AWS STS AssumeRoleWithWebIdentity in your frontend code. If you use AWS Cognito Idp this is done for you. (AWS strongly suggests that you use the Cognito Idp in that scenario.)
If you secure your API using AWS Cognito User Pools you don't need to use AWS Federated Identities. You can connect API Gateway directly to AWS Cognito and the service will enforce the controls for you. In that case you'll need to have a Cognito User Pool.
You also have a choice to use Custom Authorizers. In that scenario you will implement a lambda function that will evaluate your request and decide if it is authorized or not. In the same way, you won't need federated identities.
And finally you have the API Key authorization, that you already mentioned that is not applicable to your use case.
I'm not clear on how to send credentials and IAM access to an API gateway. This seems clear:
There is the tutorial on AWS but this is not the way I wanted to access my API.
API Gateway example
As most would know, you put your AWS key and secret key in a configuration file that lives in .AWS in the user's userspace, but if you are using a website, for example, you won't have that. Is the idea that any time a user accesses the API you put that user in an anonymous group that has access to the .credentials file?
You are describing IAM authentication for API Gateways. For your web app to generate IAM credentials I would recommend using a Cognito Identity Pool Authenticated Role. The Cognito Identity Pool Authenticated Role exchanges a JWT for the AWS IAM credentials that are used in API calls. Your users will first authenticate against the identity pool. The identity pool even allows for unauthenticated users that are using your registered app to generate credentials with permissions which you specify. This guide will show you how to generate these credentials in your code.
Alternatively you can use API Gateway Identity Pool Authorizer or API Gateway Lambda Authorizer to secure your API.
I'm using AWS Gateway as my web API with AWS Lambda as my serverless backend. Lambda functions are only invoked by my Gateway APIs. Through Lambda I call and execute operations on other AWS Services (RDS, SNS, etc.).
I want only my clients to get access to my web APIs. To do so I set up all of my Gateway APIs with AWS_IAM authorization. An unauthenticated client has only policies that let him invoke e.g. the function for login/sign-up of a user. In comparison, an authenticated client has policies that enable him to access more resources.
The question now is: Because I only want my clients to get access to my Gateway APIs and to do it as secure as possible, is it necessary to create a custom authorizer which checks the validity of tokens?
I neither set up a Cognito user pool, nor set up an external public provider (Google, Facebook, OpenID, Amazon, etc.). I'm working with custom developer authenticated identities. All users are saved in AWS RDS. When a user tries to log in and gets correctly authenticated through his email and password, an OpenID token and a JWT token are returned to the client. This is done by invoking 'getOpenIdTokenForDeveloperIdentity'.
I found some resources on the web where people created a custom authorizer, but they always verified the validity of the token via an external provider (Google, Facebook, Auth0, etc.). This member wrote that you only need to have an external provider when you have "[...]some totally different auth logic[...]" https://stackoverflow.com/a/39407156/5181862. And I don't think this is the case here.
The clients that run the application are iOS and later Android devices, if this information is necessary.
If all the APIs have AWS_IAM authorization, that is already pretty secure. AWS_IAM requires that the client have valid AWS credentials from the same account as the API (your account).
It sounds like you are using Cognito (talking about unauthenticated client policy), in which case your authorization model is secure if implemented correctly.
Problem: I want to authorize my Amazon API Gateway hosted REST API users using Facebook Authentication.
My Understanding: I know Amazon Cognito can be used to authenticate users, calling as Federated Identities. Then, I saw Authenticate API Clients with Amazon Cognito Your User Pool, which authenticates for a Cognito User Pool. I also found Use Amazon API Gateway Custom Authorizers, to use custom authorization. But I did not find how to link API Gateway to authenticate using Cognito Federated Identities (i.e. Facebook here). Can we use the same procedure as User Pool for Federated Identities as well, or should I use Custom Authorizers?
I'm a bit confused. Any help is greatly appreciated.
Thanks in Advance.
Cognito federated identities and Cognito user pools address different use cases.
With Cognito user pools, you explicitly manage the users which can access your service. This is useful when you want to limit access to your API to a fixed set of users.
With Cognito federated identities, you delegate user management to an identity provider such as Facebook, Google, or Amazon. In that case, anyone with a user identity for your chosen identity provider can access your service. This is useful when you want to make your API broadly available, but still need to associate individual identities with your API users in order to manage per-user state or resources.
To use a federated identity, you set the API Gateway method to use “AWS_IAM” authorization. You use Cognito to create a role and associate it with your Cognito identity pool. You then use the Identity and Access Management (IAM) service to grant this role permission to call your API Gateway method.