I have an API that I need to call from my react-native fetch method after v4 signing. The API uses lambda proxy as functions.
My API is set to IAM authentication.
The client side app has username/passwd, fb login and exchanges tokens with identity pool to assume a role that has permission to execute-api, etc.
However, when I test API access using POSTMAN and credentials obtained by a logged-in user with valid tokens after exchanging with the federated identity provider, the result is "the token is invalid".
Please tell me what I am missing here.
PS: The JavaScript SDK generated for the API does not work in react-native's environment and needs changes.
Thanks.
I have an application where I get a JWT token after login from the Cognito pool. The JWT token has user claims. It has a custom claim called Role. Based on the role I want to secure my APIs. For example, if I have a user he needs to access only /user APIs and an admin needs to access all the APIs. I am using Spring Boot at the backend. So how do I secure this using Spring Security?
Since Cognito is already integrated, using API Gateway and Cognito user pool authentication, every API can be authenticated and authorised. https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
I have a lambda function running behind the aws api gateway, that acts as the backend for my website. It uses a cognito authorizer to authenticate the users of my website. This works fine.
Now I need to authenticate a C# backend service against the API that is not running in the cloud and has no user interaction. It should just synchronize data.
My initial plan was to configure cognito credentials and log into the cloud via the cognito sdk but this is not possible as the app would then need developer access to my cloud.
I also thought about using the api gateway api keys but I would still need the cognito authentication then.
So how can I authenticate my C# service against my AWS API without user interaction being necessary?
You could use Cognito User Pool Authentication.
This is an OpenID implementation where Cognito issues JSON Web Tokens (JWTs) where the signature of a JWT can be verified with a public endpoint.
In the context of API Gateway, you would use a Lambda as a custom authorizer, but the tokens could be verified in any environment/language with a relevant JWT Library.
More reading: Verifying a JWT issued by Cognito
I am using AWS Cognito User Pools to sign up and sign in my users (client: iOS). My users make calls to endpoints on the server running on NodeJS (EC2 instance). How can I authenticate my users on the server (NodeJS)?
One way that I see is to generate a JWT token on the client side and pass it to the server along with the POST request and have it verified.
Is this possible using Cognito User Pools? Or is there any better alternative?
First of all, AWS Cognito User Pools is able to generate the JWT token (id_token) once authenticated against the User Pool.
There are two ways to generate the JWT token.
Using the AWS Cognito User Pools Hosted UI you can get the id_token. If you enable the openid claim and use the implicit grant, it will be directly redirected to your defined URL from the Cognito Login Page. If you use the authorization code flow, you need to use backend code with the AWS SDK and the token endpoint.
You can also use the AWS SDK and implement your custom login page where it generates the id_token using the SDK.
The id_token can be verified at your API using a standard JWT verification library.
I am trying to authenticate requests from xamarin.forms app to aws API Gateway.
Users are authenticated from a user pool and I am able to receive id/access/refresh tokens at the authentication.
I do not understand how to sign requests against the api gateway with the xamarin sdk.
Is this functionality supported by the SDK?
Otherwise I could authenticate requests with AWS Signature v4. Even in this case I can't figure out how to use the tokens I receive from Cognito to obtain the session token.
From the docs (http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html):
Note: You can use temporary security credentials provided by the AWS Security Token Service (AWS STS) to sign a request. The process is the same as using long-term credentials, but when you add signing information to the query string you must add an additional query parameter for the security token. The parameter name is X-Amz-Security-Token, and the parameter's value is the URI-encoded session token (the string you received from AWS STS when you obtained temporary security credentials).
How can I build the v4 signature headers using Cognito tokens?
The documentation for using Cognito User Pool Authorizer with Gateway API says only that I should:
Call API methods configured with a user pool authorizer, supplying the unexpired token in the Authorization header or another header of your choosing.
This is echoed by some other texts on the web.
However, when I try using the token, I get an error message that informs about missing Credentials, Signature, Signed Headers params (and the Date header). The token I am using is most likely correct, as it passes the test in the authorizer's web GUI.
My question has two parts:
Does that mean that using the Cognito User Pool Authorizer requires me to sign each request? Is there some way to configure it to just accept a valid token?
If I want to keep my HTTP calls to Amazon Gateway simple and authorize them with just the token (so that they can easily be performed by hand, from Python backend etc.), am I forced to write a custom authorizer using Lambda? Or is there some better option?
Cognito User Pool authorizer does not require a signature on the request. You simply have to pass the JWT version of the OpenID Connect identity token produced by Cognito in the authorization header of each request.
result.getIdToken().getJwtToken()
This should answer both your questions.
I think you are getting confused with the Cognito Identity service, which exchanges a valid identity from a public identity provider (Facebook, Amazon, User Pools, etc) for temporary AWS Credentials. You can use the AWS credentials from the Cognito Identity service to sign requests.
If you are only using User Pools, the results of a successful authentication are an OIDC identity token and a JWT access token. API Gateway, when configured with a User Pool authorizer, uses the identity token to authenticate a request.