I have a Serverless backend that implements AWS_IAM authorizer using the serverless framework.
My client is a React application. I am using AWS Cognito to authenticate users and AWS Federated Identities to retrieve temporary credentials for the user.
The user is assuming an IAM Role that has APIGatewayInvokeFullAccess policy attached. I then sign my request using aws4 and make my request using Axios.
To my understanding, I am doing everything right. But, I am still receiving a 403 error on my client request. I even logged the tokens that are being retrieved to the console and used those tokens in postman. When I use postman, the error message says "The security token included in the request is invalid". I have read every doc and tried every possible solution, but I am still unable to debug this error. Any help at all would be incredible.
I am following this guide for the application flow.
Related
I have created a new app client in Cognito, the tokens from the default app client are marked as valid by the API Gateway but not the token from the new App Client.
The API Gateway responds with HTTP 401 - UnAuthorized.
This should work because both the app clients have full permissions to the underlying users stored in Cognito.
I couldn't find any relevant documents explaining this discrepancy.
So, I was linking my AWS User pool to Amazon Alexa Smart Home Skill using this blog https://aws.amazon.com/blogs/compute/amazon-cognito-for-alexa-skills-user-management/.
On successfully linking the skill, Alexa would only send the accessToken in the subsequent API's.
The AWS API Gateway authorizers only check for the ID token and will deem the request invalid if it is given an AccessToken.
Thus, the requests were failing. It has nothing to do with default or non-default app clients.
Using a Cognito custom authorizer seems the best option, will disable API Gateway authorization.
I have managed to get user OAuth 2.0 access and refresh token on the PHP backend but when I send those tokens to the lambda function they work until the access token is expired. Once the access token is expired, the Google API javascript library tries to fetch new access token from the refresh token and fails because it is not authorized in the javascript origins in Google Developer console. I have no idea what should I put in the authorized javascript origins to allow AWS Lambda Function. Please help me out.
Assuming you are using AWS Cognito to set up a user pool: go to your user pool in the AWS console. Go to APP Integration and create a cognito domain. It will generate a URL for the Cognito domain. Put this in the authorized javascript origins on the Google console.
See the documentation from AWS: https://aws.amazon.com/premiumsupport/knowledge-center/cognito-google-social-identity-provider/
I've managed to setup a third party google login by integrating it with Cognito user pools. On successful sign-on, I am able to access an id_token as a query parameter in the redirect url.
I'm trying to sign REST calls to API gateway using this id_token. I have an authorizer configured on that particular API using Cognito user pools. When I try to test this on the Authorizer UI by setting the Authorization(header) field to this id_token which I received as a query parameter, I keep getting an Unauthorized request error.
Also, I have configured an IAM policy for my user according to this doc: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-user-pool-authorizer-permissions.html
Can someone help me with what I'm doing wrong?
Thanks
Turns out you have to pass the access_token that Cognito returns as part of the authorization header. You can try if your access token works by testing it in the UI offered by the Authorizor interface of API Gateway.
I'm building an API using the serverless framework. I'm trying to authenticate requests coming in through API Gateway by leveraging Cognito (UserPools), and giving each of my users their own authorization token for each API call they make.
Trying to test it with postman I'm not able to make a call and pass authorization. I've tried setting Authorization in the header with the App Client Secret, but I'm just getting "Unauthorized" back. Is there something I'm missing?
You should be using the token rather than the App Client Secret. How are you retrieving the token?
For user sign in authorization, you must be sure you uncheck the option to generate client secret when you are creating a new Client Application inside UserPool.
In your API Gateway you create an authorizer making a reference to you before created UserPool. Inform "authorization" for the header.
Using a AWS third party SDK service (or just their API), signin with a valid user. You will get 2 types of tokens after the login, make sure you keep the right one. I advise you to check the token through the API Gateway authorizer testing option. Note: This step is the most important, as you are isolating the token you get and the authorization service. This way you can track the source of your problem.
I am using AWS Cognito User Pools to signup & signin my users(client, iOS). My user's make calls to endpoints on the server running on NodeJS (EC2 Instance). How can I authenticate my users on the server (NodeJS) ?
One way that I see is, to generate a JWT token on the client side and pass it to the server along with the POST request and have it verified.
Is this possible using Cognito Userpools ? or Is there any better alternative ?
First of all AWS Cognito Userpools is able to generate the JWT token(id_token) once authenticated against the Userpool.
There are two ways to generate the JWT token.
Using AWS Cognito Userpools Hosted UI you can can get the id_token. If you enable openid claim and use the implicit grant it will directly redirected to your defined URL from Cognito Login Page. If you use authorization code flow, you need to use backend code with AWS SDK and token endpoint.
You can also use the AWS SDK and implement your custom login page where it generates the id_token using the SDK.
The id_token can be verified at your API using a standard JWT verification library.