How to Verify AWS Cognito user on Server (running on nodeJS) - amazon-web-services

I am using AWS Cognito User Pools to sign up & sign in my users (client, iOS). My users make calls to endpoints on the server running on NodeJS (EC2 instance). How can I authenticate my users on the server (NodeJS)?
One way that I see is, to generate a JWT token on the client side and pass it to the server along with the POST request and have it verified.
Is this possible using Cognito Userpools? Or is there any better alternative?

First of all, AWS Cognito Userpools is able to generate the JWT token (id_token) once authenticated against the Userpool.
There are two ways to generate the JWT token.
Using the AWS Cognito Userpools Hosted UI you can get the id_token. If you enable the openid claim and use the implicit grant, you will be redirected directly from the Cognito login page to your defined URL. If you use the authorization code flow, you need to use backend code with the AWS SDK and the token endpoint.
You can also use the AWS SDK and implement your custom login page, where it generates the id_token using the SDK.
The id_token can be verified at your API using a standard JWT verification library.

Related

Amazon Cognito - Can you add a custom claim to the access_token when using Client Credentials Flow

I'm using Amazon Cognito as an authorization server. I managed to set up everything and get an access_token using Client Credentials, but now I need to add a custom claim to the token. Is it possible?
After contacting AWS Support, they confirmed that Amazon Cognito doesn't support adding custom claims to the access token using Client Credentials Flow.

I have an AWS Cognito JWT token which has a custom claim role. How to secure my APIs using Spring Boot based on the roles at the backend

I have an application where I get a JWT token after login from the Cognito pool. The JWT token has user claims. It has a custom claim called Role. Based on the role I want to secure my APIs. For example, if I have a user he needs to access only the /user APIs and an admin needs to access all the APIs. I am using Spring Boot at the backend. So how to secure this using Spring Security?
Since Cognito is already integrated, using API Gateway and Cognito user pool authentication, every API can be authenticated and authorised. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

How can I authenticate a backend service against my AWS Api Gateway

I have a Lambda function running behind the AWS API Gateway that acts as the backend for my website. It uses a Cognito authorizer to authenticate the users of my website. This works fine.
Now I need to authenticate a C# backend service against the API that is not running in the cloud and has no user interaction. It should just synchronize data.
My initial plan was to configure Cognito credentials and log into the cloud via the Cognito SDK, but this is not possible as the app would then need developer access to my cloud.
I also thought about using the API Gateway API keys, but I would still need the Cognito authentication then.
So how can I authenticate my C# service against my AWS API without user interaction being necessary?
You could use Cognito User Pool Authentication.
This is an OpenID implementation where Cognito issues JSON Web Tokens (JWTs), and the signature of a JWT can be verified with a public endpoint.
In the context of API Gateway, you would use a Lambda as a custom authorizer, but the tokens could be verified in any environment/language with a relevant JWT library.
More reading: Verifying a JWT issued by Cognito

Use the token response from SAML authentication with User Pools to retrieve AWS Temporary Access keys

How do I use the token response from SAML authentication with User Pools to retrieve AWS Temporary Access keys and Make API Gateway Calls?
I have configured a Cognito User Pool with an associated App client. I have configured Okta as a 3rd-party SAML identity provider. Using the Amazon hosted login https://[cognito domain name]/login?response_type=token&client_id=[your App client id]&redirect_uri=[your App client redirect URL] I am able to be redirected to my ReactJS application with the #access_token in the header.
I am now trying to use the #access_token to call API Gateway. I have been following this guide as well as aws-amplify. To my understanding I need to use the #access_token to get AWS access keys to make the call to API Gateway.
I am trying to do this with the following code:
    // Read the token from the URL fragment (#access_token=...) that the hosted UI redirects back with
    var params = new URLSearchParams(window.location.hash.substring(1));
    var accessToken = params.get('access_token');
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-east-1:xxxxxxx-xxxx-xxxx-xxxx-xxxxxx',
        Logins: {
            'cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxx': accessToken
        }
    });
but I am not sure how this integrates with aws-amplify, and I have not successfully retrieved AWS temporary access keys to make API Gateway calls.
I previously had this working using users in the Cognito User Pool but now I need to include Okta as an identity provider.
I found I needed the #id_token rather than the #access_token to accomplish what I was trying to do. I enabled the #id_token by selecting the following options in my Cognito Pool App Client Settings:
I was then able to follow the Cognito hosted UI.

Does Cognito User Pool Authorizer in Gateway API require all requests to be signed?

The documentation for using the Cognito User Pool Authorizer with API Gateway says only that I should:
Call API methods configured with a user pool authorizer, supplying the unexpired token in the Authorization header or another header of your choosing.
This is echoed by some other texts on the web.
However, when I try using the token, I get an error message that informs me about missing Credentials, Signature, Signed Headers params (and the Date header). The token I am using is most likely correct, as it passes the test in the authorizer's web GUI.
My question has two parts:
1. Does that mean that using the Cognito User Pool Authorizer requires me to sign each request? Is there some way to configure it to just accept a valid token?
2. If I want to keep my HTTP calls to Amazon Gateway simple and authorize them with just the token (so that they can easily be performed by hand, from a Python backend etc.), am I forced to write a custom authorizer using Lambda? Or is there some better option?
The Cognito User Pool authorizer does not require a signature on the request. You simply have to pass the JWT version of the OpenID Connect identity token produced by Cognito in the Authorization header of each request:
result.getIdToken().getJwtToken()
This should answer both your questions.
I think you are getting confused with the Cognito Identity service, which exchanges a valid identity from a public identity provider (Facebook, Amazon, User Pools, etc.) for temporary AWS credentials. You can use the AWS credentials from the Cognito Identity service to sign requests.
If you are only using User Pools, the result of a successful authentication is an OIDC identity token and a JWT access token. API Gateway, when configured with a User Pool authorizer, uses the identity token to authenticate a request.