AWS Cognito and API gateway using Lambda authorizer - amazon-web-services

I am trying to create APIs using API gateway and Lambda functions.
Based on the user group (not the Cognito user groups), I want to provide access to separate DynamoDB tables.
The approach I am following is, I am creating a separate Cognito user pool for every group of users.
When the user logs in, he is authenticated with the appropriate user pool.
For calling the subsequent APIs, I am planning to make use of Lambda authorizer.
The user will pass the ID token in the HTTP request header and I want to validate this ID token.
Is this the right approach? Or if there is any better approach for implementing this workflow.
Can we make use of Cognito user groups and will it be a secure approach?
I want to strictly separate the tables of one user group from another.
I came across the below link, to verify the ID token.
https://github.com/awslabs/aws-support-tools/blob/master/Cognito/decode-verify-jwt/decode-verify-jwt.js

There are some proven architectures and tools provided by AWS to simplify the above usecase.
There is no need of multiple user pools for the above usecase. This can be handled with a single user pool itself.
A simple architecture can be UI->API gateway->Lambda->DynamoDB
Users in Cognito user pool can be added into groups and set with IAM policies. Then API Gateway can be configured for IAM or cognito authorizer. Each Lambda written for accessing different DynamoDb tables can be authorised at API Layer.
There is no need for a custom authorizer in this case.
Use AWS Amplify for user authentication and all other communication. Amplify will handle the token passing part by itself without any extra code written. JWT tokens can be read/validated and logically used in the client UI layer as well as in server code (lambda) seamlessly in this approach. The same token is used in API gateway for authorization by default (without any code written).
Cognito user pool and identity pool are enterprise-grade AWS solutions and AWS Amplify complements the highly secure implementation of Sigv4, SRP, etc. protocols which are very tough and complicated to implement using custom code.

Related

3rd Party App Tokens within AppSync with User Pools

after some reading on Using multiple authorization types with AWS AppSync GraphQL APIs and The Complete Guide to User Authentication with the Amplify Framework , one thing I could not figure out is if I can have 3rd Party Application Tokens (e.g. like Twitter API) and use AppSync+Cognito to generate credentials for service-to-service mutations/query?
I already have a user flow via Cognito (type AMAZON_COGNITO_USER_POOLS). I want to centralize service-to-service calls using my AppSync. Limiting the service/token access would be great too (to only X Mutations, instead of the whole schema). Would that be possible?
I'm a bit lost around what are the current limitations.
do I need a Custom Authorizer in Cognito?
should I move everything to IAM credentials?
a Lambda Resolver with manual credentials check + AppSync call?
I can't do it and I need to store these tokens in a different place (DynamoDB, etc), with metadata/some id to have some kind of identity and always use Lambda Resolvers etc.
thoughts and insights are more than welcome,
thanks!
As of today, AppSync does support 4 types of user authentication
API key (no authentication)
IAM credentials
OpenID tokens
Cognito User Pool tokens
There is a request to add custom lambda authorisers as well, but nothing has been announced to date.
In your scenario, I would use Cognito User Pool authentication on the App Sync side and federate Cognito User pool with Twitter OIDC. I know a couple of years ago Twitter was only supporting a custom subset of Oauth2. I'll let you check if they do support OIDC now :-)
But you're not the only one asking this question
https://forums.aws.amazon.com/thread.jspa?messageID=881666
User pools for users who register via twitter?

AWS Lambda with Cognito right approach

I would like to make a simple API available to a client. The client uses the output of my API within his application. The API is a pretty simple one. I'm deploying with the serverless framework to AWS Lambda. The functions exposed via the API don't use any other AWS services (like S3 etc).
My question is what kind of authentication to use. I was thinking to try to use cognito for this.
1. Question:
Does this make sense? Or is for this simple use case even an easier option available?
2. Question:
So I get this right. I would first create a user pool. Then create an identity pool based on this user pool?
3. Question:
At the end, my client gets the access token from cognito and attaches it to the header in the request. This gives him then access through API Gateway to my REST API and the lambda function is triggered. But how can the client in the first place create an "account" for the user pool? Am I involved in this?
Cognito Authentication does sound like a good option for this use-case. You can have a flow as follows:
Cognito User Pool Authentication -> Token passed as header to the API in API Gateway -> API returns JSON data after successful authentication
[a].
I would like to emphasise that a Cognito User Pool is enough to satisfy this use-case. Cognito User Pools are used for Authentication, and Cognito Identity Pools are used for Authorization. Cognito Identity Pools essentially generate temporary AWS credentials, which are vended by AWS STS. Hence, I do not see where you would require Cognito Identity Pools here.
And to generate a JWT Token, you would need to have the user perform a successful authentication operation. To perform a successful authentication operation that returns tokens, you could have a look at the InitiateAuth API call[b].
References
[a]. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
[b]. https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html

Can I create a Cognito-compatible JWT that doesn't reference a specific user?

We have a set of APIs in AWS secured by Cognito JWTs. Authentication of users based on their Cognito IdTokens and authorisation based on Cognito custom properties works great.
Some of our API endpoints are also called by 'service' processes: scheduled processes or maintenance tasks which are run from Lambda functions and are not associated with any 'real' user. We need these processes to be able to generate some sort of authentication/authorisation token which can be validated by the API.
I've considered :
Creating a real 'admin#example.com' Cognito user, storing the password in Secrets Manager, and authenticating as that user in the service functions. Not ideal IMO because it requires managing the existence of a data object as part of the infrastructure, and might also be an availability pinch point.
Generating a different secret token for the service functions, and special-case its validation in the APIs. Not ideal because now we have to manually maintain compatibility to the Cognito JWT signature, plus it's reinventing a security wheel. Also, we either have to share a secret between the service functions and the APIs, or manage an RSA keypair.
What I'd really like to do is have some way for service functions to sign a JWT based on their own IAM credentials, which can be validated in the API by a call to STS. But I don't want to pass a 'real' set of STS credentials from the service function (which has permissions to do other things beyond just invoke the API).
In short: how can I best 'mix' validating Cognito users and Lambda functions in the same API?

Use custom authorization logic with AWS Cognito authentication

We have a Cognito User Pool which contains the users we would like to allow access to, to our API. Our API uses Lambda functions to service the endpoints. The Cognito pool is configured with a custom field roles which is essentially a comma-separated list of roles that user possesses.
Now, first, we want the Cognito authentication to take place (to determine whether the user does belong to our pool and the credentials are valid). Then, we somehow want to run our custom logic to run which will look at the roles field which it will receive through the claims, and then allow or deny the request based on internal business logic.
We tried using a custom authorizer to implement this logic and set it as the authorizer for our endpoints. Then, we enabled Cognito authorization for this authorizer function. The problem is that since Cognito protects API endpoints and not lambda functions per se, the Cognito authorization simply does not run when an API endpoint is hit and the custom authorizer is called.
How do we achieve our objective of using custom logic with Cognito authorization? Any help in this regard would be highly appreciated.
All of the claims in the users' token are available in the context that can be passed to your lambda function if you are using cognito authorizers under $context.authorizer.claims.property. Would mapping that claim into your lambda function and checking that the roles is present at the beginning of your lambda work for you?
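Added example (not code from the question or the answer above) of the pattern the answer suggests: a Lambda proxy-integration handler behind a Cognito user pool authorizer that does no token validation itself (API Gateway has already rejected invalid tokens) and only applies business rules to the claims forwarded in `event.requestContext.authorizer.claims`. It assumes the comma-separated custom attribute is exposed as `custom:roles` (Cognito prefixes custom attributes with `custom:`), and the route-to-role table and role names are constructed for illustration.

```javascript
// Added example: role check on Cognito claims forwarded by a Cognito user pool authorizer
// (REST API, Lambda proxy integration). Route and role names below are constructed.

// Which roles may call which route; deny anything not listed.
const ROUTE_REQUIRED_ROLES = {
  'GET /invoices': ['billing-admin', 'auditor'],
  'DELETE /invoices/{id}': ['billing-admin'],
};

// "custom:roles" is a comma-separated string in the token, e.g. "viewer,auditor".
function rolesFromClaims(claims) {
  const raw = (claims && claims['custom:roles']) || '';
  return raw.split(',').map((r) => r.trim()).filter(Boolean);
}

// True only when the authorizer supplied claims AND the caller holds a role the route accepts.
function isAuthorized(event) {
  const ctx = event.requestContext && event.requestContext.authorizer;
  const claims = ctx && ctx.claims;
  if (!claims) return false;                         // no verified identity: deny
  const required = ROUTE_REQUIRED_ROLES[`${event.httpMethod} ${event.resource}`];
  if (!required) return false;                       // unknown route: deny by default
  const held = new Set(rolesFromClaims(claims));
  return required.some((role) => held.has(role));
}

// Lambda entry point: authorize first, then do the real work.
async function handler(event) {
  if (!isAuthorized(event)) {
    return { statusCode: 403, body: JSON.stringify({ message: 'Forbidden' }) };
  }
  const { sub } = event.requestContext.authorizer.claims;
  return { statusCode: 200, body: JSON.stringify({ caller: sub, invoices: [] }) };
}

// Constructed sample event shaped like an API Gateway REST proxy event with Cognito claims.
function sampleEvent(method, resource, roles) {
  return {
    httpMethod: method,
    resource,
    requestContext: { authorizer: { claims: { sub: 'user-1', 'custom:roles': roles } } },
  };
}

if (typeof module !== 'undefined') module.exports = { handler, isAuthorized, rolesFromClaims, sampleEvent };
```

Keeping the role table in one place means the deny-by-default rule is enforced for every route, including ones added later without a matching entry; the same `isAuthorized` check could instead be moved into a Lambda authorizer that returns an IAM policy, if many functions share the rules.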

lightweight rbac for federated identities using aws api gateway with or without cognito

I can't see a good design for claims- or role-based authorization over an AWS PaaS (gateway/lambda) API. Right now, there seems to be a functionality blind spot regardless of how you combine the following:
gateway cognito user pool or custom authorizers
cognito identity pools used for web and user pool identity federation
IAM roles for gateway execution authorization
Specifically, the blind spot seems to be associating cognito identities with roles (more varied than keys and suffixes in dynamo and s3) based on user attributes in a way that:
doesn't require a custom endpoint in your API to vend IAM temp creds (and consequently using something other than the supplied and/or generated SDKs)
doesn't require authorization logic in every lambda function
doesn't require persisting the above mapping in dynamo, cognito sync, etc
doesn't layer or sequence a separate flow for authorization (e.g. separate token)
lets your users sign in using external idps
I assume the following is impossible or excessively hacky:
cognito user pools that overlap or moving users between pools to represent the configuration of their roles
directly getting cognito user pool attributes from cognito identity pool identity tokens (GetOpenIdToken)
having a readily-modifiable client pick its own privileges (e.g. choose an IAM role)
running every request as dry-run in a custom authorizer or otherwise shadow-implementing IAM
securing actually role-specific IAM roles with some kind of shared secret, etc.
Here are some examples and their shortcomings:
A user logs in with user pool credentials and attempts to execute a gateway api method.
A cognito authorizer over gateway api methods would let me say authenticated-therefore-authorized and map attributes/claims into the integration request, still leaving it to the lambda function to implement actual authorization logic.
A custom authorizer won't automatically validate and parse a user pool token, but I could still do so and conditionally construct a role.
A user logs in with google+ credentials, having a user pool identity as well, and attempts to execute a gateway api method.
A cognito authorizer is useless.
A custom authorizer won't automatically validate and parse the google+ token, but I could still do so and conditionally construct a role. Only now I'd need to map this to a user pool identity manually. Cognito adds no value at all here -- just an awkward document database as a service.
A user logs in with google+ credentials, having a user pool identity as well, then gets an identity pool token (GetOpenIdToken) and attempts to execute a gateway api method.
A cognito authorizer is useless.
A custom authorizer won't automatically validate and parse the cognito identity token, but I could still do so and conditionally construct a role. I still need to do manual mapping because I won't get the user pool attributes with this intermediate token.
A user logs in with google+ credentials, having a user pool identity as well, then gets temp creds (GetCredentialsForIdentity) and attempts to execute a gateway api method.
The default authorizer is useless. You just get authenticated-therefore-authorized.
A cognito authorizer is useless.
A custom authorizer is useless.
The easiest solutions to most of these problems are in User Pools (i.e. using Lambda hooks in the auth flow to check privileges, attributes can be retrieved from the token an authentication generates...etc.), however your requirement that users can sign in with external providers is not currently supported.
From that, you can potentially use Cognito federated identities with user pools and external providers, but that brings up some awkwardness. Building the privilege authentication into the user pools lambda hooks when multiple providers are available is awkward and forces the usage of user pools with other providers.
From that, I would say mapping privileges to identity id in some external storage is the way to go, using some external hook (Lambda?) with that id to assume a role and get credentials, but you mentioned you wouldn't want to do that.
I would agree that what you're aiming for is not absolutely possible as is. My recommendation might be to get in touch with an SA and see if they can help you design a complex solution that fulfills your requirements.