How to pass Cognito token to Amazon API Gateway? - amazon-web-services

I'm developing a web app based on Amazon API Gateway. Now I created Facebook login and successfully logged into the website, but when I call another API, everything is gone. I think I should pass the Cognito token when calling the API every time. Am I right?
If yes, how do I pass the Cognito token to the API? Like a header? Or another way?
Thanks,

You are using the "Basic Authflow" from cognito identity, which means you will need to get credentials for your users by calling STS's "AssumeRoleWithWebIdentity". Here is some documentation to help: http://docs.aws.amazon.com/cognito/devguide/identity/concepts/authentication-flow/
Once you have credentials, you can instantiate the API Gateway Client:
var client = apigClientFactory.newClient({
    accessKey: ACCESS_KEY,
    secretKey: SECRET_KEY,
    sessionToken: SESSION_TOKEN
});
The keys and tokens come from the result of the "AssumeRoleWithWebIdentity" call.
If you have configured your IAM roles and authorizations correctly, you should be able to access your API.
Here is the documentation describing how to configure the roles & authorization: http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-method-settings.html#how-to-method-settings-callers-console
Also, here is how to enable CORS - http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html

Related

Use the token response from SAML authentication with User Pools to retrieve AWS Temporary Access keys

How do I use the token response from SAML authentication with User Pools to retrieve AWS Temporary Access keys and Make API Gateway Calls?
I have configured a Cognito User Pool with an associated App client. I have configured Okta as a 3rd Party SAML Identity provider. Using the Amazon hosted login https://[cognito domain name]/login?response_type=token&client_id=[your App client id]&redirect_uri=[your App client redirect URL] I am able to be redirected to my ReactJS application with the #access_token in the header.
I am trying to now use the #access_token to call API Gateway. I have been following this guide as well as aws-amplify. To my understanding I need to use the #access_token to get AWS access keys to make the call to API Gateway.
I am trying to do this with the following code:
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:xxxxxxx-xxxx-xxxx-xxxx-xxxxxx',
    Logins: {
        // accessToken holds the #access_token value taken from the redirect URL fragment
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxx': accessToken
    }
});
but not sure how this integrates with aws-amplify, and I have not successfully retrieved AWS temporary access keys to make API Gateway calls.
I previously had this working using users in the Cognito User Pool but now I need to include Okta as an identity provider.
I found I needed the #id_token rather than the #access_token to accomplish what I was trying to do. I enabled the #id_token by selecting the following options in my Cognito Pool App Client Settings:
I was then able to follow Cognito hosted UI.

Use of access tokens with AWS Cognito and API Gateway [duplicate]


How setup header in Postman for Api Gateway authenticated with Cognito?

I use an AWS Identity Pool with the Facebook provider to authenticate the client. I need to invoke an AWS Lambda using API Gateway. From Cognito, using the Facebook token, I received credentials: AccessKeyId, SecretKey and SessionToken.
Using these credentials, how should I set up the request headers to invoke my Lambda?
Api Gateway setup (test calls my lambda)
When I try to call my API, it returns "The security token included in the request is invalid."
Thank you!
JoshuaC and Vijayanath Viswanathan thank you both. Following your suggestion I resolved the issue.
I did the following steps:
Setup AWS Signature and click on "Update Request"
Add in header "X-Amz-Security-Token" with SessionToken
You have to manually set 'x-amz-security-token' in Postman and pass the token in that header.
Please try this for Postman:
http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-use-postman-to-call-api.html
You choose the AWS Signature option in the Authorization drop-down, fill out the fields using the key and secret, and click update. Postman will sign the request for you.
And also make sure the role being assigned to your cognito users has access to invoke apig.

Sending AWS Cognito Credentials with a GET request without using a SDK

For a React-Native application I would like to send Cognito credentials with a GET request to my API. I'm following the following approach [1]:
Cognito UserPool + Cognito Identity Pool + API Gateway + AWS_IAM Authorization + Cognito Credentials
At this current stage I can receive Cognito credentials for the associated role as explained here [2].
Now, I would like to use these credentials to access my API. I have set the Authorization Type to AWS_IAM in my API Gateway.
But I have no idea HOW I could send my Cognito credentials with my GET request. I have plowed through the documents, but it seems that they only explain the different SDKs.
let response = await fetch('https://12345.execute-api.us-east-1.amazonaws.com/dev/single', {
    headers: {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        // What to do here??
    },
});
Any pointers and or documentation I could look at?
[1] https://forums.aws.amazon.com/thread.jspa?threadID=230452
[2] http://mobile.awsblog.com/post/TxGNH1AUKDRZDH/Announcing-Your-User-Pool-in-Amazon-Cognito
I do not fully understand what you mean by sending your Cognito credential to API Gateway, but if you want to use the credential you get from Cognito, you need to use that credential to sign the request to API Gateway.
I suggest you use the signer in the AWS React Native SDK to sign the request, or some 3rd-party library like react-native-aws-signature.

Aws Lambda/Api-Gateway/Cognito working together

I'm playing around with Lambda trying to use it to authenticate a web app. I'm using LambdAuth as a starter to get things going. https://github.com/danilop/LambdAuth
I want to have an API Gateway service that first authorizes a member, returning the token from Cognito. All the subsequent services in API Gateway then somehow need to accept what was returned from Cognito to allow access to the service, and fail without it. I'm kinda confused with how to use Cognito. I'm assuming you restrict your API Gateway services by adding the AWS_IAM tag to the Authorization of your service, but I don't know how to then call that service...?
In the current implementation of LambdAuth, it does all of this client side (in the browser), calling the Lambdas directly. It gets the AWS.config.credentials, adds the IdentityId and Logins that came back from Cognito to it and then calls the Lambda function that requires you to be logged in. How will this work when calling API Gateway instead of Lambda? How do I take what came back from Cognito, and add it to my service call in order to pass that AWS_IAM authorization?
Any help will be appreciated, or if I'm missing the boat completely that's also possible...
For the lambda functions handling auth behind API Gateway, you would need them to be unauthorized, as your users have not logged in yet.
For the lambda functions behind API Gateway that ARE authorized, you will need to pass in the credentials you acquired from Cognito when instantiating your client.
It looks like you are doing developer authentication, so when you get a Cognito Token from your backend/lambda functions, in your app you will need to get credentials still:
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'IDENTITY_POOL_ID',
    IdentityId: 'IDENTITY_ID_RETURNED_FROM_YOUR_PROVIDER',
    Logins: {
        'cognito-identity.amazonaws.com': 'TOKEN_RETURNED_FROM_YOUR_API'
    }
});
Then, from your credentials you will need the access key, secret key, and session key to instantiate your API Gateway Client:
Instantiating your API Gateway Client:
var client = apigClientFactory.newClient({
    accessKey: ACCESS_KEY,
    secretKey: SECRET_KEY,
    sessionToken: SESSION_TOKEN
});