jjuser19jj

Reputation: 1699

AWS Cognito HTTP authentication

I am trying to set up a test API with AWS API Gateway, Lambda and Cognito to secure the access. Since I am new to the AWS world, I am not sure how I can create a "logged in" POST request to the AWS service with, for example, the requests library. I guess on the client side I first have to log in via Cognito and the AWS API and then use the information I get to create a signed request like it is described here: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html ?

If I am on the wrong path, please tell me and point me in the right direction :)

Upvotes: 1

Views: 1723

Answers (3)

e-nouri

Reputation: 2626

Preface: I will explain the flow of Google+ integration with Cognito; it goes almost the same for the others. I will use Node.js (JavaScript). After that you can have your users authenticated by Google and authorized by IAM and Cognito to access API Gateway.

Cognito is a federated login service; it lets you sync the "configuration" of your mobile/web app. First you have to set up Cognito with an identity provider, say Google+ for example. For that:

  1. Create a Google app in your Developer console.
  2. Create a pool in Cognito and add Google as a provider; configure your pool with the policies and the roles (the services you want to give your users access to, in this case only API Gateway).
  3. In your web/mobile app, show the user the Google+ Sign-in button. After the user clicks on it, Google will call back your callback URL with a code parameter; use that token.
  4. Use this code to get a Cognito identity for your user. In this case we trust Google:

     // AWS SDK for JavaScript (v2); the region here is an assumption, use your pool's region
     var AWS = require('aws-sdk');
     var cognitoIdentity = new AWS.CognitoIdentity({ region: 'us-east-1' });

     var params = {
       IdentityPoolId: setting.POOL_ID,
       Logins: {
         'accounts.google.com': google_token  // Coming from Google OAuth2
       }
     };

     // Get Id from Cognito; resolverFunction(err, data) receives data.IdentityId
     cognitoIdentity.getId(params, resolverFunction);

  5. Get IAM temporary credentials for that IdentityId, your Google authenticated user:

     var params = {
       IdentityId: IdentityId,  // data.IdentityId from the getId call above
       Logins: {
         'accounts.google.com': google_token  // Coming from Google OAuth2
       }
     };

     // Returns data.Credentials: AccessKeyId, SecretKey, SessionToken, Expiration
     cognitoIdentity.getCredentialsForIdentity(params, resolverFunction);

  6. Your user is now authenticated with Google and has the authorization from the IAM service (through the roles/policies you attached to your Cognito pool).
  7. In your API Gateway, activate the IAM authorization, and use the credentials you got from point 5.
  8. Use the AccessKey, SecretKey and the token to sign every request you make for your API built on top of API Gateway; you can use this lib: aws-v4-sign-small

Quick notes and headsup:

  • All of these are asynchronous actions, so if you are in Node.js it is much better to use Promises (ES6 or Bluebird).
  • Pay super attention to the roles you attach (access to a DynamoDB document or an S3 file, etc.). Read more about IAM; it is super helpful and you can do fine-grained authorizations.

Hope it is clear or at least it gives you a direction to start with.

Upvotes: 5

Mason

Reputation: 8846

As Ryan mentioned, the best way to do this is via the API Gateway SDK. The downside to using this stack is that it becomes harder to integrate with off-the-shelf front-end tools. You can no longer make direct requests to your REST endpoints; you will want to go through the SDK.

You definitely lose some ease of development because you can't just slap something like ngResource on top of your endpoints and call it a day. You'll have to set up the calls to each of your AWS end points in a service layer yourself.

Upvotes: 0

RyanG

Reputation: 4152

One of the benefits of using API Gateway is that you can automatically generate SDKs for your API, which easily integrate with Cognito credentials. This saves you from the trouble of implementing SigV4 auth yourself.

Here are a couple of simple examples using Cognito credentials with a generated JavaScript SDK:

  1. https://github.com/rpgreen/aws-recipes/blob/master/app/index.html
  2. https://github.com/awslabs/api-gateway-secure-pet-store

Cheers, Ryan

Upvotes: 3
