AWS: Cognito integration with a beta HTTP API in API Gateway?

Amazon Web Services introduced a beta release of HTTP API as a new product on API Gateway early last month. Its authentication is managed using JSON Web Tokens and configured with a form asking for

  1. "Name of the Authorizer"
  2. "Identity Source... a selection expression that defines the source of the token"
  3. "Issuer URL"

I'm not very familiar with authentication protocols at all or what these form fields are asking, and currently the documentation from AWS on how to configure this to work with Cognito is sparse. I'm not totally comfortable configuring this without guidance due to my lack of experience. Another Stack Overflow user seemed to have a similar issue but didn't get an answer.

Michael asked Jan 05 '20 03:01


3 Answers

AWS is using the JWT Bearer Grant for this purpose. Draft specification here.

It allows the HTTP API in API Gateway to accept a JWT in the incoming Authorization HTTP header: a self-contained JWT access token issued by a third-party authorization server (like Cognito, Azure AD, etc.).

API Gateway validates the incoming JWT by matching its 'iss' value with the issuer URL to see if it can trust this token.

Try with these values.

  • Name of the authorizer: the registered client name in your Cognito User Pool.
  • Identity Source: leave it as the default, $request.header.Authorization.
  • Issuer URL: check the metadata URL of your Cognito User Pool. Construct the URL in this format: https://cognito-idp.[region].amazonaws.com/[userPoolId]/.well-known/openid-configuration, then look for a claim named "issuer". Copy its value and paste it here.
  • Audience: the Client ID of your registered client in Cognito.

Good Luck!

cheers,
ram

Ram Grandhi answered Nov 03 '22 18:11


Used @ram's answer to get through, and was able to implement this:

1. Name of the authorizer:

AWS Cognito > User pools > App Integration > App client settings > App client

Example: xxxxxx_app_clientWeb

2. Identity Source: $request.header.Authorization

3. Issuer URL:

  • construct the URL to get the Cognito user pool metadata (https://cognito-idp.[region].amazonaws.com/[userPoolId]/.well-known/openid-configuration). Example:

https://cognito-idp.us-east-1.amazonaws.com/us-east-1_FcgSrx2141/.well-known/openid-configuration

  • open the URL and you will see a JSON document
  • take the "issuer" value

Example:

"issuer":"https://cognito-idp.us-east-1.amazonaws.com/us-east-1_FcgSrx2141"

Take: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_FcgSrx2141

4. Audience: AWS Cognito > User pools > App Integration > App client settings > App client ID. Example:

ID 9sptej55gii5dfp08ulplc343

Take: 9sptej55gii5dfp08ulplc343

Vladyslav Didenko answered Nov 03 '22 18:11


This video explains the whole process and configuration like no other.

https://www.coursera.org/lecture/building-modern-java-applications-on-aws/use-amazon-cognito-to-sign-in-and-call-api-gateway-s226R

I am thankful that the video is public.

Note: (As far as I know) The course is from AWS but offered to the public through different MOOC websites (not just this one).


Once you have read & played enough, you will start seeing the gems within the details.

Token, for example, is mentioned in many docs, but it can be an Access / Id / Refresh Token. If you don't realize this, you can waste your time.

For example, the "Implicit grant" doesn't provide a Refresh Token, so you cannot renew your Access Token, and trying to do so is useless.

Rub answered Nov 03 '22 17:11