Using Cognito for REST API authentication

I'm looking to use API Gateway + Lambda + Cognito User Pools to build a simple REST API.

The API will be used in two ways. The first is to support a basic web app (hosted on CloudFront + S3). Authentication for the web application uses the hosted Cognito sign in / sign up flow and is working fine (with API Gateway setup to use the user pool authenticator).

The second method will be for customers to use the REST API to communicate with the system.

As an example, the client might use the web app to configure a workflow and then use an API to invoke that workflow.

What is the recommended method of authenticating the API for use with backend services?

Traditionally, I'd expect to use an API key + secret token for this purpose. I have no issue creating API keys in the API Gateway interface; however, I can't see any way to link that to a specific user, nor can I see any method of specifying a secret token alongside the API key.

And assuming the above is possible, how would I set it up in such a way that I could use the JWT-based approach for the web application and the API key + secret token for customers to use?

EDIT: Additionally, I notice that app clients have an ID and a secret. Are they intended to be used for third-party API-based authentication (similar to how other systems make you create an app for API access)? I'm a bit skeptical because there's a limit of 25 per user pool, although it is a soft limit...

NRaf asked Mar 19 '18 03:03


3 Answers

I have been searching for an answer to this myself and my searching led me to your question. I will give you my best answer from my research, assuming you want to utilize the well-known key/secret approach. Maybe others can provide a better approach.

Basically, the approach is:

  1. Your REST API accounts are just Cognito users in a (possibly separate) user pool
    • The management of API accounts is done from the back end
    • The username and password will be the API key and secret, are administratively created (see the Admin* operations), and can be whatever format you want (within Cognito limits)
  2. The REST API is authorized via Cognito JWT tokens
  3. API account key and secret are only used to retrieve or refresh tokens
    • This requires the REST API to have a set of endpoints to support token retrieval and refresh using account keys and secrets
    • Based upon how long you set up the Cognito refresh interval, you can require API accounts to submit their key/secret credentials from very often to almost never

Structuring the authorization of your REST API to use Cognito tokens will allow you to integrate the REST API directly with API Gateway's support for Cognito.

I think the biggest headache of this whole thing is that you will have to create the supporting pieces for, e.g., registered users to request API accounts and for the administration of those accounts, as well as some extra helper REST endpoints for token exchange. Additionally, clients will have to keep track of keys/secrets AND token(s) as well as add client-side logic to know when to supply tokens or credentials.

Zach answered Nov 18 '22 19:11
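The token-exchange endpoints described in step 3 of the answer above, as an added example that is not from the original post: an API account's key/secret is just a Cognito username/password, so the endpoint calls `AdminInitiateAuth` once with the credentials and later with only the refresh token. The `SECRET_HASH` parameter is required whenever the app client has a secret; its construction (HMAC-SHA256 of username + client ID keyed with the client secret, Base64-encoded) is the part people usually get wrong. Pool, client and account identifiers are placeholders, and `idp` is a boto3 `cognito-idp` client (or any object with the same `admin_initiate_auth` method, which is how the code is exercised offline).

```python
import base64
import hashlib
import hmac
from typing import Any, Dict


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH Cognito expects on auth calls when the app client has a secret:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def _tokens(resp: Dict[str, Any]) -> Dict[str, Any]:
    # Return only token material. An admin-created user whose temporary password
    # was never replaced answers with a challenge instead of tokens; surface that.
    if "ChallengeName" in resp:
        raise PermissionError(f"auth challenge pending: {resp['ChallengeName']}")
    auth = resp["AuthenticationResult"]
    return {
        "access_token": auth["AccessToken"],
        "id_token": auth.get("IdToken"),
        "refresh_token": auth.get("RefreshToken"),  # not returned on a refresh call
        "expires_in": auth["ExpiresIn"],
    }


def exchange_credentials(idp, pool_id, client_id, client_secret, api_key, api_secret):
    """POST /token: trade an API key/secret (a Cognito username/password) for tokens.
    `idp` is a boto3 cognito-idp client; pool_id/client_id/secret are placeholders."""
    resp = idp.admin_initiate_auth(
        UserPoolId=pool_id, ClientId=client_id, AuthFlow="ADMIN_USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": api_key, "PASSWORD": api_secret,
                        "SECRET_HASH": secret_hash(api_key, client_id, client_secret)})
    return _tokens(resp)


def refresh_tokens(idp, pool_id, client_id, client_secret, api_key, refresh_token):
    """POST /token/refresh: mint a new access token without resending the secret.
    SECRET_HASH is still computed over the username, not the refresh token."""
    resp = idp.admin_initiate_auth(
        UserPoolId=pool_id, ClientId=client_id, AuthFlow="REFRESH_TOKEN_AUTH",
        AuthParameters={"REFRESH_TOKEN": refresh_token,
                        "SECRET_HASH": secret_hash(api_key, client_id, client_secret)})
    return _tokens(resp)
```

The Lambda behind `/token` calls `exchange_credentials` with `boto3.client("cognito-idp")` and must be allowed `cognito-idp:AdminInitiateAuth` on the pool; the access token it returns is then validated by API Gateway's Cognito authorizer like any web-app token.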


If I understand you correctly, you want to create a "long-lived API key + secret" for programmatic access to your API?

I have exactly this need, and am sadly finding that it appears to not be possible. The longest a key can be valid for is 1 hour. You can have a refresh token that's valid for 10 years. https://docs.aws.amazon.com/cognito/latest/developerguide/limits.html

I'm currently looking for an elegant solution to this. I'd be interested to hear if you ever found a solution, or if you rolled your own.

jameslol answered Nov 18 '22 19:11


When I was starting out using API Gateway and Cognito, I referenced https://github.com/awslabs/aws-serverless-auth-reference-app a lot and found it very helpful in demonstrating the integration between the different AWS components.

Neutral Penguin answered Nov 18 '22 20:11