Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

API Gateway authentication with Cognito Federated Identities

I want to use Cognito Federated Entity (allowing signin through Google etc), to allow access to API Gateway for a web javascript application. I managed to get the Cognito's sessionToken through signing-in with Google but I'm stuck on the API Gateway configuration for enabling the session token.

Is there a good tutorial for this entire Federated Entity authentication workflow?

Thanks!

like image 885
Mazzaroth Avatar asked Aug 18 '16 13:08

Mazzaroth


People also ask

What is federated identity Cognito?

PDF. Amazon Cognito Federated Identities is a web service that delivers scoped temporary credentials to mobile devices and other untrusted environments. It uniquely identifies a device and supplies the user with a consistent identity over the lifetime of an application.

How do I authenticate API gateway?

API Gateway supports multiple authentication methods that are suited to different applications and use cases. API Gateway uses the authentication method that you specify in your service configuration to validate incoming requests before passing them to your API backend.


1 Answers

Since you want to invoke APIs via authenticated Cognito identity, first

  1. Amend the auth role of the identitypool to have api execute policy, you could just attach the managed policy "AmazonAPIGatewayInvokeFullAccess" to the respective role
  2. In API gateway under respective method request, add Authorization as "AWS_IAM"
  3. You need to sign the request while using "IAM" auth, explained here https://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html

  4. Instead of #3, you could generate and download the SDK from the stage panel of your API gateway, and make a call to the api via sdk.

Once you obtain the cognito session, you could make a call using the sdk like below

var apigClient = apigClientFactory.newClient({
    accessKey: AWSCognito.config.credentials.accessKeyId,
    secretKey: AWSCognito.config.credentials.secretAccessKey,
    sessionToken: AWSCognito.config.credentials.sessionToken
});

var params = {
    // This is where any modeled request parameters should be added.
    // The key is the parameter name, as it is defined in the API in API Gateway.
};

var body = {};

var additionalParams = {
    // If there are any unmodeled query parameters or headers that must be
    //   sent with the request, add them here.
    headers: {
        'Content-Type': 'application/json'
    },
    queryParams: {}
};

apigClient.<resource><Method>(params, body, additionalParams)
.then(function(result) {
    // 
}).catch(function(err) {
    //
});
like image 189
Partha Avatar answered Oct 07 '22 19:10

Partha