AWS Console and Request context - amazon-web-services

Are requests made from the AWS Console automatically signed? For example, once an authenticated entity (a user) tries to create an S3 bucket from the Console, does the API request get signed automatically, similar to SDK/CLI requests, or does the concept of (automatically) signing an API request not apply to the Console at all?
Does the AWS enforcement code check whether the entity is authenticated for each request made via the AWS Console, or is the authentication check bypassed because the entity authenticated by logging into the Console first, before it made the request? Is this per-request authentication check only for CLI/SDK and HTTP API calls and not for Console requests?

Yes, AWS checks the authentication status of the entity for each request. For every request you make on the console you will be redirected to https://us-west-2.signin.aws.amazon.com/oauth?SignatureVersion=4&X-Amz-Algorithm=A...(all the required params here), where the entity's authentication will be validated, and it then gets redirected to the respective resource that the entity is trying to access.

Related

AWS API Gateway Authorizer does not authorize non-default Cognito User Pool App client tokens

I have created a new app client in Cognito; the tokens from the default app client are marked as valid by the API Gateway, but not the token from the new app client.
The API Gateway responds with HTTP 401 - Unauthorized.
This should work because both the app clients have full permissions to the underlying users stored in Cognito.
I couldn't find any relevant documents explaining this discrepancy.
So, I was linking my AWS User pool to Amazon Alexa Smart Home Skill using this blog https://aws.amazon.com/blogs/compute/amazon-cognito-for-alexa-skills-user-management/.
On successfully linking the skill, Alexa would only send the accessToken in the subsequent API calls.
The AWS API Gateway authorizers only check for the ID token and will deem the request invalid if it is given an access token.
Thus, the requests were failing. It has nothing to do with default or non-default app clients.
Using a Cognito custom authorizer seems the best option; I will disable API Gateway authorization.

AWS API Gateway authorizer google sign in

I have an API Gateway/lambda REST API that is being accessed from a react web app. I need to add authentication using google as an identity provider. The app should also keep the user signed in.
I understand when the user first grants access to the (react) client app, it should send the ID token to my backend, which should then verify the token.
Since my architecture is serverless, I assume the verifying should be done in the API Gateway authorizer function, which then grants access to the API on successful verification of the token.
My question is, how do I then create a persistent session? Should I be saving anything to my database about the user? Does the token need to be verified on every API call?
Should the authorizer be checking if the user is already registered or if it's a new user?
It would be easiest to use AWS Cognito for this. Configure a user pool as an authorizer for your API gateway and then configure Google as an identity provider for that user pool. This link might be helpful: https://docs.aws.amazon.com/cognito/latest/developerguide/google.html. Cognito even has a hosted UI if you want to use it for signing users in.
As for your question about persisting user sessions, they usually get persisted in local storage in the browser or in a cookie or some similar mechanism. You can also persist them on the server-side in a database like you were mentioning but that isn't really for authentication purposes.
The user session will contain an access token. The access token is short-lived, meaning you can usually only use it for an hour. After that you have to use a separate refresh token to generate a new access token. And to be extra safe, the refresh token itself will expire after a few days (and you have to sign back in).

Do I need to verify an AWS Cognito token in BOTH Lambda AND API Gateway?

When using an AWS Cognito attribute from a JWT token in a Lambda, do I need to verify the JWT? The Lambda is only triggered by an API Gateway which already verifies the token.
Adding details:
- I'm using Cognito Authorizer in the API Gateway to verify the token.
- The lambda is connected to the API Gateway as proxy.
No, you don't need to verify the JWT in the backend Lambda if it is protected by a custom Lambda authorizer in API Gateway. I would suggest you use a REQUEST-based Lambda authorizer and attach attributes in the response. Your backend Lambda will then be able to access the attributes in event.requestContext.authorizer['your_attribute'].
This will also enable you to test your Lambda in isolation without needing to get attribute from JWT. You can always mock the event object for unit testing.
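An added example (not from the answer above or from AWS) of the pattern the answer describes: a REQUEST-type Lambda authorizer that verifies the token once and attaches attributes in its `context`, and a backend Lambda that reads them from `event.requestContext.authorizer` instead of re-parsing the JWT. It also answers the earlier Google sign-in question about verifying on every call: the authorizer does that. The HS256 shared secret and `mint_token` issuer are constructed stand-ins for Cognito's RS256 signing and JWKS lookup; `verify_token`, `authorizer_handler` and `backend_handler` are hypothetical names.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret standing in for Cognito's RS256 keys fetched via JWKS (assumption).
DEMO_SECRET = b"demo-secret-not-for-production"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict) -> str:  # constructed issuer for testing; Cognito signs real tokens
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now=None):
    """Check algorithm, signature and expiry; return the claims, or None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
        exp = float(claims["exp"])  # a token without exp is rejected too
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
    return claims if exp > (now if now is not None else time.time()) else None

def authorizer_handler(event: dict, context=None) -> dict:
    """REQUEST-type authorizer: returns an IAM policy plus a 'context' map that API Gateway
    copies into event.requestContext.authorizer of the backend Lambda."""
    auth = (event.get("headers") or {}).get("authorization", "")
    claims = verify_token(auth[7:] if auth.startswith("Bearer ") else auth)
    if claims is None:
        raise Exception("Unauthorized")  # API Gateway turns exactly this message into a 401
    return {
        "principalId": claims["sub"],
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": event["methodArn"]}]},
        # Context values must be strings, numbers or booleans; nested objects are rejected.
        "context": {"user_id": claims["sub"], "email": claims["email"]},
    }

def backend_handler(event: dict, context=None) -> dict:
    # Backend Lambda behind the proxy integration: trusts the attributes the authorizer attached.
    attrs = event["requestContext"]["authorizer"]
    return {"statusCode": 200, "body": json.dumps({"user_id": attrs["user_id"], "email": attrs["email"]})}
```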
I ran into the same conundrum, and was trying to find documented confirmation that, within the Lambda, I wouldn't have to do any validation on my own, and that I can safely rely on the token / claims being genuine. Unfortunately, nothing in the AWS documentation or the forum posts that I've seen so far has explicitly confirmed this.
But I did find something similar for GCP, and how the API Gateway there validates the JWT. From the GCP documentation:
To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication. However, you do need to configure the API config for your gateway to support your chosen authentication methods.
API Gateway validates a JWT in a performant way by using the JWT issuer's JSON Web Key Set (JWKS). The location of the JWKS is specified in the x-google-jwks_uri field of the gateway's API config. API Gateway caches the JWKS for five minutes and refreshes it every five minutes.
So, it seems that within GCP at least, we don't have to do anything, and the API Gateway will handle everything. Even though this is not a confirmation that this is how it works in AWS as well, the fact that this is how it works in GCP gives me some more confidence in assuming that it must be so in AWS too.

How do I authorize CognitoIdentityCredentials for my API?

I have a Serverless backend that implements AWS_IAM authorizer using the serverless framework.
My client is a React application. I am using AWS Cognito to authenticate users and AWS Federated Identities to retrieve temporary credentials for the user.
The user is assuming an IAM Role that has APIGatewayInvokeFullAccess policy attached. I then sign my request using aws4 and make my request using Axios.
To my understanding, I am doing everything right. But I am still receiving a 403 error on my client request. I even logged the tokens that are being retrieved to the console and used those tokens in Postman. When I use Postman, the error message says "The security token included in the request is invalid". I have read every doc and tried every possible solution, but I am still unable to debug this error. Any help at all would be incredible.
I am following this guide for the application flow.

How to make request to AWS API Gateway from Postman using temporary credentials

I followed the steps mentioned in this repo and created an API for users and pets.
I am able to get the temporary credentials after login and signup.
But for "/pets" (both POST and GET), I am getting "Internal Server Error".
I tested the functionality of pets API from AWS API Gateway test interface and was able to create and list pets.
Want to know about the parameters and headers that need to be set in Postman for an authorized request.
Based on the error message ("Execution failed due to configuration error: Invalid permissions on Lambda function"), it seems the policy attached to your Lambda function is not correct. Make sure you have the proper policies configured on the Lambda.
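An added example, not from either post above or from AWS or the aws4 library, covering both the aws4/Axios question ("The security token included in the request is invalid") and the Postman question about which headers an IAM-authorized request needs. It builds the SigV4 headers for an execute-api request with no query string; the point it demonstrates is that temporary credentials (Cognito Identity / STS) must send the session token in X-Amz-Security-Token and include it in the signed headers. Host, path and credential values are constructed placeholders and `sigv4_headers` is a hypothetical name.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(method, host, path, body, access_key, secret_key, session_token,
                  region, amz_date=None):
    """Headers for a SigV4-signed API Gateway (execute-api) request with no query string.
    Temporary credentials from Cognito Identity carry a session token that must be sent as
    X-Amz-Security-Token and covered by the signature; omitting it produces
    'The security token included in the request is invalid'."""
    service = "execute-api"
    amz_date = amz_date or datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(body.encode()).hexdigest()
    # Canonical headers: lowercase names, sorted, trimmed values, one per line.
    headers = {"host": host, "x-amz-date": amz_date, "x-amz-security-token": session_token}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join([method.upper(), quote(path, safe="/~"), "",  # "" = empty query
                                   canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key derivation: secret -> date -> region -> service -> "aws4_request".
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"Host": host, "X-Amz-Date": amz_date,
            "X-Amz-Security-Token": session_token, "Authorization": authorization}
```

In Postman these four headers are what the "AWS Signature" auth type generates when you fill in the Session Token field as well as the access and secret keys.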