How do I call API gateway with postman with cognito?
Tried to use AWS Signature in postman and this did not work.
https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-use-postman-to-call-api.html
I am using hosted UI in cognito if that makes a difference. I see that there is an Oauth 2.0 option in postman but dont know how to fill out the fields.
So my api works when I pass Authorization in the header with the id_token. Without the id_token is there any other way?
thanks
If you are using a Cognito user pool and have your API Gateway authorizer set to user pool, then you need to pass either the id or access token in the Authorization header.
If you are using a Cognito identity pool and have your API Gateway authorizer set to AWS_IAM you need to use AWS signatures
Related
In API gateway you can setup a Cognito Authorizer that references a Cognito User Pool for authentication. For verification, API Gateway expects the Cognito User Pool JWT token to be set in the Authorization header.
Using 'aws-sdk' and 'amazon-cognito-identity-js' NPM packages, how can I create guest/unauthenticated users and retrieve the JWT token to pass to API Gateway? By Guest/unauthenticated, I mean not even having a username or email. Or, is this not possible with the current APIs?
Amplify (built on top of Cognito) appears to have something similar: https://docs.amplify.aws/sdk/auth/guest-access/q/platform/android
Thoughts?
Cognito User Pool is an authentication provider. This is separate from unauthenticated access that is provided by Identity pool. You cannot use the default cognito authorizer in API Gateway for validating the token. However, you can use a custom lambda authorizer that will take token and confirm it is valid for your identity pool.
I've managed to setup a third party google login by integrating it with Cognito user pools. On successful sign-on, I am able to access an id_token as a query parameter in the redirect url.
I'm trying to sign REST calls to API gateway using this id_token. I have an authorizer configured on that particular API using Cognito user pools. When I try to test this on the Authorizer UI by setting the Authorization(header) field to this id_token which I received as a query parameter, I keep getting an Unauthorized request error.
Also, I have configured an IAM policy for my user according to this doc: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-user-pool-authorizer-permissions.html
Can someone help me with what I'm doing wrong?
Thanks
Turns out you have to pass the access_token that Cognito returns as part of the authorization header. You can try if your access token works by testing it in the UI offered by the Authorizor interface of API Gateway.
We have our rest API deployed on AWS Lambda behind API Gateway. For users that use our web client, they are authenticated using API Gateway Authorizer through JWT token from Cognito.
Now we want to give users the ability to create their own API credentials (API key and secrets) so that they can use the REST APIs directly without using the web client. How can we achieve that?
yes you can do it you can use federated identity and make user to signup and they can get their own api key and secrets. you can also change the flow of the cognito as per your need and make new lambda and add it to cognito as trigger.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
I'm trying to setup security on an API using Cognito user pools. I'm getting back 401 Unauthorized.
The API and User Pools are existing, and I've been using the user pool to log into an application. I'm now trying to secure the API calls.
I created an authorizer on the API,
Then I added the authorizer to one GET method in the API
Then finally I tried to test the API in Postman. I'm using the AWS Signature authorization.
Calling the method returns 401. The method functioned before with no security, and turning off the authorizer makes it work again (without security).
Any ideas what step I'm missing?
The AWS Signature authorization is different than a Custom Authorizer.
The AWS Signature authorization (Postman) requests an AWS AccessKey and SecretKey to authenticate requests. This corresponds to IAM Authentication in API Gateway. The AccessKey and SecretKey are received through IAM.
A Custom Authorizer takes a JWT called #id_token that is issued by your specified Cognito User Pool. To test the validity of the token, go to your custom authorizer and click test, and then copy and paste the token into the text area.
The way to perform the Custom Authorizer authentication is this:
obtain an #id_token from the your user pool by following AWS Configuration
Configure API gateway with a Cognito custom Authorizer with your user pool as the source (Seems that you have done correctly)
Use OAuth 2.0 as Authorization in postman, with your #id_token as the Access Token, Or add the header: Authorization with the value Bearer and the #id_token
Drop a comment if you want me to add the AWS Signature Auth Flow.
For authorization using Postman when using Cognito user pools, chose No Auth. Then add a header Authorization (the value in token source field of your authorizer) and copy the id_token into that header value. I did not have to add anything else besides that to make it work (i.e. no bearer).
I'm trying to use AWS custom authorizer in API Gateway. If I understood correctly, then I should authenticate user in custom authorizer. I don't know who sends the request. I should detect the user by token using my own services. Right?
There are multiple authorizer options available
IAM authorizer
Cognito authorizer
Custom authorizer
If you use STS issued token to grant access to your AWS resources then you can use IAM.
Similarly Cognito authorizer is to authenticate the Cognito Userpools id token.
If you have your own authentication scheme or need customize authentication mechanism, you can use Custom authorizer.
Just wanted to add my 2 cents here, here is the flow :
Once the bearer token (you can use JWT as well), is issued to the
client (i.e. mobile app/web app), the client invokes REST API created, configured and deployed through API Gateway.
The custom authorizer, which is a lambda function written in Java
(you can implement it using NodeJS, C#, Python), would need to verify if the bearer token is valid. In my case, Bearer token is hashed using the SHA-512 algorithm. So we basically match if the token
stored in DB and the token presented by the client matche.
If the token matches then, custom authorizer returns IAM policy Allow but
it token is not correct then it returns IAM policy Deny,
The API gateway reacts based on the response from custom authorizer, if the policy is allow it passthrough the call to backend else it would return HTTP code 403.
Hope it would help.