How to Configure AWS API GATEWAY with cognito user pool authentication? - amazon-web-services

Trying to configure AWS API Gateway with AWS Cognito userpool authentication.
Tried some of the settings provided on aws documentation and trying to check this API from Postman client.
Not able check what setting need to be done at postman side and any specific configuration needs to be done at API and Cognito.
Thanks

Related

Why when I update my API from amplify CLI removes API gateway cognito Authorizer?

I'm developing a React JS App with AWS amplify, using cognito user pool to auth my users. Then I add a cognito authorizer to the endpoints I wan't to protect.
When I send requests to protected endpoints I send the idToken saved in LocalStorage and in the Auth Session, and everything works fine.
But when I update my API from Amplify CLI the Cognito Authorizer is deleted from API gateway console and all my auth stops working.
Anyone knows why this happen? I'm new on AWS and AWS Amplify. Thanks!

AWS API gateway for K8s using Cognito with JWT

I have AWS K8s cluster(EKS) and I want to use AWS API gateway to protect endpoints and separate authorization logic from microservices. I need to have 2 authentication schemas:
Send login/password and get JWT
OAuth2
There is an integration between API gateway and K8s cluster via ALB Ingress Controller. It looks fine. Then I need to authenticate somehow. AWS provides Cognito as a service to manage users and the possibility to have your own identity provider. I know that we can integrate API gateway authorizer with Cognito, but I can't understand the following things:
How to integrate Cognito with already existed LDAP for example? (SAML?)
Can I use my own already created OAuth2 authentication endpoint?
How Can I authenticate with login/password and retrieve JWT using API gateway+Cognito?
1 How to integrate Cognito with already existed LDAP for example? (SAML?)
Make use of Cognito Userpools with SAML IDP.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
2 Can I use my own already created OAuth2 authentication endpoint?
Yes, use Developer Authenticated Identities for Cognito Identity Pools.
Users that authenticate from the existing user database will be authorized by identity pools through assuming the authenticated IAM role of the identity pool, in that role set the access level to AWS resources.
https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html
3 How Can I authenticate with login/password and retrieve JWT using API gateway+Cognito?
Best way to achieve this seeing that API Gateway is being used is to implement a Lambda authorizer in API gateway that uses Cognito Userpools. You will then be able to get the JWT token in that Lambda authorizer, the claims in the authorizer will also be available in the integration request vtl and accessible using $context . i.e.
$context.authorizer.claims.sub
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

How can I authenticate a backend service against my AWS Api Gateway

I have a lambda function running behind the aws api gateway, that acts as the backend for my website. It uses a cognito authorizer to authenticate the users of my website. This works fine.
Now I need to authenticate a c# backend service against the api that is not running in the cloud has no user interaction. It should just synchronize data.
My initial plan was to configure cognito credentials and log into the cloud via the cognito sdk but this is not possible as the app would then need developer access to my cloud.
I also thought about using the api gateway api keys but I would still need the cognito authentication then.
So how can I authenticate my c# service against my aws api without user interaction being nessecary?
You could use Cognito User Pool Authentication.
This is an OpenID implementation where Cognito issues JSON Web Tokens (JWTs) where the signature of a JWT can be verified with a public endpoint.
In the context of API Gateway, you would use a Lambda as a custom authorizer, but the tokens could be verified in any environment/language with a relevant JWT Library.
More reading: Verifying a JWT issued by Cognito

How to implement API key pair Authentication/Authorization in AWS

We have our rest API deployed on AWS Lambda behind API Gateway. For users that use our web client, they are authenticated using API Gateway Authorizer through JWT token from Cognito.
Now we want to give users the ability to create their own API credentials (API key and secrets) so that they can use the REST APIs directly without using the web client. How can we achieve that?
yes you can do it you can use federated identity and make user to signup and they can get their own api key and secrets. you can also change the flow of the cognito as per your need and make new lambda and add it to cognito as trigger.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html

AWS API Gateway Authentication using AWS Directory Services (Active Directory)

I'm using AWS API gateway for an API I'm setting up, and I want to be able to use an existing AWS Directory Services Directory (Microsoft AD Enterprise) for authentication.
I'm not sure where to start.
Would I need to use a custom lambda function for authentication, and then write my own ldap authentication code?
I can't find any references to this scenario, of authenticating an API against AWS AD.
Any pointers would be greatly appreciated.
perhaps worth checking how configure AWS Directory Service as Federated Identity Provider in IAM, then how to retrieve access tokens from STS and ultimately configure API Gateway to use Authorization Method: AWS_IAM
for authentication - perhaps worth studying how configure federated identity in cognito
have a look at these slides https://www.slideshare.net/AmazonWebServices/aws-may-webinar-series-48671841