Use of access tokens with AWS Cognito and API Gateway [duplicate] - amazon-web-services

I'm developing web app based on Amazon API Gateway. Now I created Facebook login and successfully logged into website. but when I call another API, everything gone. I think I should pass Cognito token when call API everytime. am I right?
if yes, how to pass Cognito token to API? like header? or another way?
Thanks,

You are using the "Basic Authflow" from cognito identity, which means you will need to get credentials for your users by calling STS's "AssumeRoleWithWebIdentity". Here is some documentation to help: http://docs.aws.amazon.com/cognito/devguide/identity/concepts/authentication-flow/
Once you have credentials, you can instantiate the API Gateway Client:
var client = apigClientFactory.newClient({
accessKey: ACCESS_KEY,
secretKey: SECRET_KEY,
sessionToken: SESSION_TOKEN });
The keys and tokens come from the result of the "AssumeRoleWithWebIdentity" call.
If you have configured your IAM roles, and Authorizations correctly you should be able to access your API.
Here is the documentation describing how to configure the roles & authorization: http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-method-settings.html#how-to-method-settings-callers-console
Also, here is how to enable CORS - http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html

Related

AWS API Gateway Authorizer using Cognito Identity Pool

The test enviornment for the API Gateway..... Cognito Authorizer.
What value is it expecting ?
I tried to use accessKeyId returned from CognitoIdentityCredentials and it did not work.
Identity Flow
'Testing the accessKeyId gives Error
I also tried _identityId and that did not work as well.
The error for both is "Unauthorized request"
I think your API endpoints are protected by AWS_IAM authorization method. you can confirm it from the Method Execution section of your API endpoint.
If you are using AWS_IAM method, the api end points excepts a signature to be generated using your aws credentials and pass it in the request under the Authorization header.
You can use postman app to test the endpoint, follow these steps
create a new request with the correct http method and the url
under Authroization tab, select AWS Signature
Enter the values for AccessKey, Secret Key
under the Advanced section, enter your region and Session Token
Postman application is very handy to test rest api endpoints. it's even handy to test the api gateway endpoints protected by AWS_IAM authorization method. The postman app generates the signatures required using your AWS credentials and include the generated signature part of http headers of the request.
Note: Also make sure your identity pool's Authenticated role has permission to invoke the api endpoint.
Reference:
https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-use-postman-to-call-api.html
you can download postman application if you dont have - https://www.getpostman.com/downloads/

Use the token response from SAML authentication with User Pools to retrieve AWS Temporary Access keys

How do I use the token response from SAML authentication with User Pools to retrieve AWS Temporary Access keys and Make API Gateway Calls?
I have configured a Cognito User Pool with an associated App client. I have configured Okta as a 3rd Party SAML Identity provider. Using the Amazon hosted login https://[cognito domain name]/login?response_type=token&client_id=[your App client id]&redirect_uri=[your App client redirect URL] I am able to be redirected to my ReactJS application with the #access_token in the header.
I am trying to now user the #access_token to call API gateway. I have been following this guide as well as aws-amplify. To my understanding I need to use the #access_token to get AWS access keys to make the call to API gateway.
I am trying to do this with the following code:
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'us-east-1:xxxxxxx-xxxx-xxxx-xxxx-xxxxxx',
Logins: {
'cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxx': #access_token
}
});
but not sure how this integrates with aws-amplify, and I have not successfully retrieved AWS temporary access keys to make API Gateway calls.
I previously had this working using users in the Cognito User Pool but now I need to include Okta as an identity provider.
I found I needed the #id_token rather than the #access_token to accomplish what I was trying to do. I enabled the #id_token by selecting the following options in my Cognito Pool App Client Settings:
I was then able to follow Cognito hosted UI.

How setup header in Postman for Api Gateway authenticated with Cognito?

I use AWS Identity Pool with Facebook provider to authenticate client. I need to invoke AWS Lambda using Api Gateway. From Cognito, using Facebook token, i received credentials: AccessKeyId, SecretKey and SessionToken.
Using this credentials, how should I setup header request to invoke my Lambda?
Api Gateway setup (test calls my lambda)
I try to call my api, it returns "The security token included in the request is invalid."
Thank you!
JoshuaC and Vijayanath Viswanathan thank you both. Following your suggestion I resolved the issue.
I did the follow steps:
Setup AWS Signature and click on "Update Request"
Add in header "X-Amz-Security-Token" with SessionToken
You have to manually set 'x-amz-security-token' in Postman and pass the token in that header.
Please try this for postman:
http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-use-postman-to-call-api.html
you choose the AWS Signature option in the Authorization drop-down, and fill out the fields using the key and secret, click update. Postman will sign the request for you.
And also make sure the role being assigned to your cognito users has access to invoke apig.

Aws Lambda/Api-Gateway/Cognito working together

Im playing around with Lambda trying to use it to authenticate a web app. Im using lambdAuth as a starter to get things going. https://github.com/danilop/LambdAuth
I want to have an api-gateway service that first authorizes a member, returning the token from cognito. All the subsequent services in api-gateway then somehow needs to accept what was returned from cognito to allow access to the service, and fail without it. Im kinda confused with how to use cognito. Im assuming you restrict your api-gateway services by adding the AWS_IAM tag to the Authorization of your service, but I dont know how to then call that service...?
In the current implementation of LambdAuth, it does all of this client side (in the browser), calling the lambdas directly. It gets the AWS.config.credentials, adds the IdentityId and Logins that came back from cognito to it and then calls the lambda function that requires you to be logged in. How will this work when calling api-gateway instead of lambda. How do i take what came back from cognito, and add it to my service call in order to pass that AWS_IAM authorization?
Any help will be appreciated, or if im missing the boat completely thats also possible...
For the lambda functions handling auth behind API Gateway, you would need them to be unauthorized, as your users have not logged in yet.
For the lambda functions behind API Gateway that ARE authorized, you will need to pass in the credentials you acquired from Cognito when instantiating your client.
It looks like you are doing developer authentication, so when you get a Cognito Token from your backend/lambda functions, in your app you will need to get credentials still:
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'IDENTITY_POOL_ID',
IdentityId: 'IDENTITY_ID_RETURNED_FROM_YOUR_PROVIDER',
Logins: {
'cognito-identity.amazonaws.com': 'TOKEN_RETURNED_FROM_YOUR_API'
}
});
Then, from your credentials you will need the access key, secret key, and session key to instantiate your API Gateway Client:
Instantiating your API Gateway Client:
var client = apigClientFactory.newClient({
accessKey: ACCESS_KEY,
secretKey: SECRET_KEY,
sessionToken: SESSION_TOKEN });

How to pass Cognito token to Amazon API Gateway?

I'm developing web app based on Amazon API Gateway. Now I created Facebook login and successfully logged into website. but when I call another API, everything gone. I think I should pass Cognito token when call API everytime. am I right?
if yes, how to pass Cognito token to API? like header? or another way?
Thanks,
You are using the "Basic Authflow" from cognito identity, which means you will need to get credentials for your users by calling STS's "AssumeRoleWithWebIdentity". Here is some documentation to help: http://docs.aws.amazon.com/cognito/devguide/identity/concepts/authentication-flow/
Once you have credentials, you can instantiate the API Gateway Client:
var client = apigClientFactory.newClient({
accessKey: ACCESS_KEY,
secretKey: SECRET_KEY,
sessionToken: SESSION_TOKEN });
The keys and tokens come from the result of the "AssumeRoleWithWebIdentity" call.
If you have configured your IAM roles, and Authorizations correctly you should be able to access your API.
Here is the documentation describing how to configure the roles & authorization: http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-method-settings.html#how-to-method-settings-callers-console
Also, here is how to enable CORS - http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html