cognito OAuth2 flow - amazon-web-services

Where can I find information on how to use the raw HTTPS ,POST/GET, calls for AWS cognito to authenticate a user without using and SDK? I have found a page that says it can be done but there were no links to a REST API or any info on how to format the calls.

Cognito is really three services. Below are the links to the three REST API documents:
Amazon Cognito User Pools Auth API Reference.
Amazon Cognito Federated Identities.
Amazon Cognito Sync.

Related

Is AWS Federated Identities necessary if the only AWS resource a user interacts with is API Gateway?

I am currently investigating the use of Federated Identities and from the many examples I have read, it seems to be a way to grant users temporary credentials to various AWS services. For my case, the API Gateway is all that the user will interact with, since the API server is the one making calls to other services like S3 and DynamoDB. I like how permissions are controlled using IAM, but I'm failing to see any other appeals of Federated Identities. User Pools itself already supports password/fb/google/etc sign in, the only downside I see with user pools is that I'll need to do the authorization manually in the API layer. Is there something else I am missing with Federated Identities? Is it worth it given my use of only API Gateways (externally).
It all depends on the way that you will secure your API Gateway endpoint.
If you secure your API using AWS IAM, you'll need a way to convert your authentication tokens in AWS IAM Roles. For that scenario you can use AWS Cognito Idp (not the User Pool) or AWS Federated Identities. The difference is: using AWS IAM Federated Identities you will need to call AWS STS AssumeRoleWithWebIdentity in your frontend code. If you use AWS Cognito Idp this is done for you. . (AWS strongly suggest that you use the Cognito Idp in that scenario)
If you secure your API using AWS Cognito User Pools you don't need to use AWS Federated Identities. You can connect API Gateway directly to AWS Cognito and the service will enforce the controls for you. In that case you'll need to have a Cognito User Pool.
You also have a choice to use Custom Authorizers. In that scenario you will implement a lambda function that will evaluate your request and decide if it is authorized or not. In the same way, you won't need federated identities.
And finally you have the API Key authorization, that you already mentioned that is not applicable to your use case.

How can I authenticate a backend service against my AWS Api Gateway

I have a lambda function running behind the aws api gateway, that acts as the backend for my website. It uses a cognito authorizer to authenticate the users of my website. This works fine.
Now I need to authenticate a c# backend service against the api that is not running in the cloud has no user interaction. It should just synchronize data.
My initial plan was to configure cognito credentials and log into the cloud via the cognito sdk but this is not possible as the app would then need developer access to my cloud.
I also thought about using the api gateway api keys but I would still need the cognito authentication then.
So how can I authenticate my c# service against my aws api without user interaction being nessecary?
You could use Cognito User Pool Authentication.
This is an OpenID implementation where Cognito issues JSON Web Tokens (JWTs) where the signature of a JWT can be verified with a public endpoint.
In the context of API Gateway, you would use a Lambda as a custom authorizer, but the tokens could be verified in any environment/language with a relevant JWT Library.
More reading: Verifying a JWT issued by Cognito

execute-api with Cognito federated identities from Cognito user pools

I want to execute APIs hosted on AWS API gateway using identity I created from Cognito federated identities with Cognito user pool as provider. Basically option 2 in this blog here Secure API Access with Amazon Cognito Federated Identities, Amazon Cognito User Pools, and Amazon API Gateway
Now I have the federated identity credentials but stuck on how to actually execute the API. There does not seem to be such an API in the AWS JS SDK for API gateway. Does that mean the only way to do this is to create the SigV4 myself & call it like any other HTTP API?
Any suggestions/easier solution?
Thanks.
Finally, did this use AWS sign web library from https://github.com/danieljoos/aws-sign-web. It does the job.

User authentication in microservice application hosted on Amazon WS

I am building web application based on microservice architecture. At this moment I am considering few ways of user authentication flow. I predict following, example user roles:
admin - is able to create content, upload files etc (admin account can be created only by another admin)
unauthorized user - can view content
authorized user - can comment content
Here is, how I was thinking about authentication flow so far:
authentication service - have access to DB with users credentials and permissions
api gateway - retrieve requests from user, check if user is logged in (ie verifies OAuth2 access token with auth service) and transfer flow to other services based on user request (attaching JWT token with some basic user info)
another service - accept only requests from api gateway, and trusts user data from JWT token (does not need to connect with auth service to get information about user).
After deploying some stuff on AWS infrastructure my way of thinking have changed a little bit. As far as I understand AWS products (Lambda - serverless applications and API gateway), I should implement authentication flow as follows:
authentication service - gets request from user, retrieve data from dynamoDB and provide user cookie with JWT signed by private key
any other service - retrieves request with JWT token, verifies signature using public key, and perform some action.
And now the question comes:
How deos AWS Cognito fits here? Is it something useful for me? As far as I understand, Cognito simplifies flow of authenticating users via 3rd parties (facebook, twitter etc. etc.). Does AWS Cognito serves login page, separated from my application, or it is only background/webservices impelementation?
So far I am thinking about Cognito as a replacement for my authentication service - any of my services, should impelemnt Cognito authentication flow provided by SDK from amazon, and my static website would implement JavaScript SDK for user login/register. Am I right?
First of all AWS Cognito consists of two services.
AWS Cognito UserPools (Which is the Identity Provider) - This is the service where you can create the users and manage their credentials with other policies. It can also provide the login screen where we can customize the logo and look and feel so that it can become a plug and play Login service. Then it is also possible to configure the authentication flow (For example to make the service as an OpenIDConnect authentication provider so that it will return a JWT token once user logs in). It is also possible to connect Social Identities (Facebook, Google & etc.) and SAML.
AWS Cognito Federated Identities (Identity Federation to grant users access AWS Services) - This service is capable of accepting AWS Cognito UserPool Token or direct access from other providers where we can federate the access to AWS resources. For example, AWS Cognito Federated Identities can grant temporal access to a User, Authenticated from another provider (e.g; AWS Cognito UserPools) to upload files to S3.
For more details refer the article The Difference Between AWS Cognito UserPools and Federated Identities?.
So coming back to your questions,
So far I am thinking about Cognito as a replacement for my
authentication service?
you can use AWS Cognito UserPools authentication service to issue JWT tokens and validate the token in AWS Lambda Custom Authorizer at your other service endpoints. This is also the place where you can do Authorization.
My static website would implement JavaScript SDK for user
login/register. Am I right?
Not necessarily. If you use AWS Cognito UserPools Hosted UI, you will get Login, Signup, Password Change, Confirmation pages, by default along with auto redirection for Federated Identities (Based on the configurations) such as Facebook, Google or Corporate Credentials like Office365. Although the customization is limited, you should be able to add your own logo and change the background color of these screens. If you plan to implement this by your self, then you can use AWS SDKs to implement these screens.
For more details on the serverless architecture refer Full Stack Serverless Web Apps with AWS.

How to authenticate API Gateway calls with Facebook?

Problem: I want to authorize my Amazon API Gateway hosted REST API users using Facebook Authentication.
My Understanding: I know Amazon Cognito can be used to authenticate users, calling as Federated Identities. Then, I saw Authenticate API Clients with Amazon Cognito Your User Pool, which authenticates for Cognito User Pool. I also found Use Amazon API Gateway Custom Authorizers, to use from custom authorization. But, I did not find to link API Gateway to authenticate using Cognito Federated Identities (i.e. Facebook here). Can we use same procedure as User Pool for Federated Identities as well or should I use as in Custom Authorizers ?
I'm a bit confused. Any help is greatly appreciated.
Thanks in Advance.
Cognito federated identities and Cognito user pools address different use cases.
With Cognito user pools, you explicitly manage the users which can access your service. This is useful when you want to limit access to your API to a fixed set of users.
With Cognito federated identities, you delegate user management to an identity provider such as Facebook, Google, or Amazon. In that case, anyone with a user identity for your chosen identity provider can access your service. This is useful when you want to make your API broadly available, but still need to associate individual identities with your API users in order to manage per-user state or resources.
To use a federated identity, you set the API Gateway method to use “AWS_IAM” authorization. You use Cognito to create a role and associate it with your Cognito identity pool. You then use the Identity and Access Management (IAM) service to grant this role permission to call your API Gateway method.