Unique user identifier when using Cognito (UserPool and Identity Pool) - aws-lambda

I can use a User Pool authorizer or an IAM authorizer for Lambdas when exposing a REST endpoint to authenticated Cognito users. If I ultimately want to set up federated identities, what would I use as a unique user ID: the User Pool sub or the Identity Pool Identity ID?
I see that I can federate both through the Userpool or the Identity Pool.

Related

Make request to Lambda Function URL with access token as Authorization header

I've been dealing with this for a while. I want to call an AWS_IAM-authenticated Lambda function URL, sending an access token (generated by a Cognito user pool) as the Authorization header.
I know I can send an access token as a request header for API Gateway HTTP or REST APIs, but I'm not sure whether it works for Lambda function URLs too.
I couldn't find any documentation about my problem, just this page about the Signature V4 authentication method for invoking Lambda function URLs: https://docs.aws.amazon.com/lambda/latest/dg/urls-invocation.html
The security and auth model for Lambda function URLs has two AuthType options:
AWS_IAM – Lambda uses AWS IAM to authenticate and authorize requests based on the IAM principal's identity policy and the function's resource-based policy.
NONE – Lambda doesn't perform any authentication before invoking your function.
The Cognito JWT-based access token is not an AWS IAM session token, so it cannot sign the request using SigV4. You have a different option for each of the Lambda function URL AuthType options.
To use AWS_IAM, you can use Amazon Cognito identity pools to deliver temporary, limited-privilege credentials which can SigV4-sign the request.
To use NONE, you will need to verify the JSON Web Token yourself, preferably with a software framework (such as AWS JWT Verify).
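The AWS_IAM branch of that answer, as an added example (not code from the answer or from AWS): the temporary credentials an Amazon Cognito identity pool returns (GetId / GetCredentialsForIdentity, with the user-pool ID token in the logins map; that exchange is not shown) are used to build a Signature Version 4 Authorization header for a function URL, signed against the "lambda" service. Only the standard library is used so every signing step can be inspected offline. The credentials, function URL host and timestamp are constructed placeholders; the point to notice is that temporary credentials must send X-Amz-Security-Token and include it in the signed headers.

```python
"""SigV4-sign a Lambda function URL request with identity-pool credentials (added example)."""
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
SERVICE = "lambda"  # function URLs are signed against the Lambda service

# Constructed stand-ins for a GetCredentialsForIdentity response (not real credentials).
EXAMPLE_CREDS = {
    "access_key_id": "ASIAEXAMPLE",
    "secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "session_token": "IQoJb3JpZ2luX2VjEXAMPLESESSIONTOKEN",
}
EXAMPLE_NOW = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)  # fixed clock for reproducibility


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str = SERVICE) -> bytes:
    """SigV4 key derivation chain: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, url: str, headers: dict, payload_hash: str):
    """Return (canonical request text, signed-headers list) as the SigV4 spec defines them."""
    parts = urlsplit(url)
    canonical_uri = quote(parts.path or "/", safe="/~")
    # Query parameters are URI-encoded and sorted by name, then value.
    canonical_query = "&".join(
        quote(k, safe="-_.~") + "=" + quote(v, safe="-_.~")
        for k, v in sorted(parse_qsl(parts.query, keep_blank_values=True))
    )
    # Header names lower-cased, values trimmed with internal runs of spaces collapsed, sorted by name.
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(canon))
    canonical_headers = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    text = "\n".join([method.upper(), canonical_uri, canonical_query,
                      canonical_headers, signed_headers, payload_hash])
    return text, signed_headers


def sign_function_url_request(method: str, url: str, body: bytes, creds: dict, region: str,
                              now: datetime = None, extra_headers: dict = None) -> dict:
    """Return the request headers, including Authorization, for a SigV4-signed call."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")

    headers = {k.lower(): v for k, v in (extra_headers or {}).items()}
    headers["host"] = urlsplit(url).netloc
    headers["x-amz-date"] = amz_date
    if creds.get("session_token"):
        # Temporary (identity-pool) credentials are only valid together with their session token,
        # and the token has to be part of the signature, not just an extra header.
        headers["x-amz-security-token"] = creds["session_token"]

    payload_hash = sha256_hex(body)
    canonical, signed_headers = canonical_request(method, url, headers, payload_hash)
    scope = f"{date_stamp}/{region}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(canonical.encode("utf-8"))])
    signing_key = derive_signing_key(creds["secret_key"], date_stamp, region)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"{ALGORITHM} Credential={creds['access_key_id']}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


if __name__ == "__main__":
    # Constructed function URL; real ones look like https://<url-id>.lambda-url.<region>.on.aws/
    url = "https://abcdefghij1234567890.lambda-url.us-east-1.on.aws/orders?limit=10"
    signed = sign_function_url_request("POST", url, b'{"sku": "A1"}', EXAMPLE_CREDS, "us-east-1",
                                       now=EXAMPLE_NOW, extra_headers={"content-type": "application/json"})
    for name, value in signed.items():
        print(f"{name}: {value}")
```

Send the returned headers with the request body that was hashed; any change to the body, path, query or a signed header after signing makes Lambda reject the call, which is exactly why a Cognito JWT in the Authorization header cannot stand in for this.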

Removing a user from a group in a Cognito user pool doesn't take effect until they logout and back in

We have a Cognito User Pool which is connected to an AppSync API. In the GraphQL schema we limit which users can access which endpoints like this:
type Mutation {
  createProject(projectInput: CreateProjectInput!): Project!
    @aws_auth(cognito_groups: ["StandardUsers"])
}
The AppSync endpoints fire Lambdas, which get the details of the Cognito user used to authenticate like this:
import { AppSyncIdentityCognito } from 'aws-lambda'

// event.identity is populated by AppSync from the verified user pool token
const cognitoIdentity: AppSyncIdentityCognito = event.identity as AppSyncIdentityCognito
const user: User = {
  id: cognitoIdentity.sub,
  username: cognitoIdentity.username,
  groups: cognitoIdentity.groups
}
We're authenticating using the Amplify JS library.
The user can happily hit the endpoint when part of the Cognito group, but if I remove them (via the AWS console) they can continue to hit the endpoint!!
If they logout and back in they are then denied access to the endpoint.
How can I have an immediate "kill switch" to ensure users no longer have these privileges?
Cognito is a stateless authentication method by design. Once a user logs in, they are given tokens for that particular session, so until those tokens expire they get all the privileges defined in them. You cannot manually expire these tokens once issued, but you can blacklist them using your own implementation.
Your requirement is for stateful authentication. You will need to implement this yourself using a database and custom authorizers that check for "blacklisted" tokens.
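One way to build the stateful check that answer describes, as an added example (not code from the question, the answer, or AWS): a per-user revocation timestamp ("every token issued at or before T is dead") plus an authoritative group store consulted on every request, instead of the cognito:groups claim baked into the token. The two stores are in-memory dicts standing in for a DynamoDB table (or for a live AdminListGroupsForUser call); the claims are assumed to come from a token whose signature AppSync or your JWT library has already verified. The claim values and user IDs are constructed.

```python
"""Stateful 'kill switch' on top of stateless Cognito tokens (added example)."""
import time


class RevocationStore:
    """sub -> unix time of the last administrative 'kill' for that user (a DynamoDB table in practice)."""

    def __init__(self):
        self._revoked_at = {}

    def revoke_all_sessions(self, sub: str, now: int) -> None:
        self._revoked_at[sub] = now

    def is_revoked(self, claims: dict) -> bool:
        cutoff = self._revoked_at.get(claims["sub"])
        # A token issued before, or in the same second as, the kill is dead.
        # Tokens from a later sign-in pass, so the user can be re-admitted later.
        return cutoff is not None and claims["iat"] <= cutoff


class GroupStore:
    """Authoritative group membership, updated by the same admin action that edits the Cognito group."""

    def __init__(self, membership: dict):
        self._membership = {sub: set(groups) for sub, groups in membership.items()}

    def groups_for(self, sub: str) -> set:
        return set(self._membership.get(sub, set()))

    def remove(self, sub: str, group: str) -> None:
        self._membership.get(sub, set()).discard(group)

    def add(self, sub: str, group: str) -> None:
        self._membership.setdefault(sub, set()).add(group)


def authorize(claims: dict, required_group: str, revocations: RevocationStore,
              groups: GroupStore, now: int = None):
    """Return (allowed, reason). Deliberately never reads claims['cognito:groups']."""
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if revocations.is_revoked(claims):
        return False, "sessions revoked by administrator"
    if required_group not in groups.groups_for(claims["sub"]):
        return False, f"not a current member of {required_group}"
    return True, "ok"


def appsync_resolver(event: dict, required_group: str, revocations: RevocationStore,
                     groups: GroupStore, now: int = None) -> dict:
    """Shape of the check inside an AppSync Lambda resolver: event['identity'] carries the
    verified Cognito identity (sub, username, groups, claims) of the caller."""
    identity = event["identity"]
    allowed, reason = authorize(identity["claims"], required_group, revocations, groups, now)
    if not allowed:
        raise PermissionError(reason)
    return {"id": identity["sub"], "username": identity["username"]}


if __name__ == "__main__":
    # Constructed claims: what a verified user pool token for user u1 carries.
    token_claims = {"sub": "u1", "iat": 1000, "exp": 4600, "cognito:groups": ["StandardUsers"]}
    revocations = RevocationStore()
    groups = GroupStore({"u1": ["StandardUsers"]})
    print(authorize(token_claims, "StandardUsers", revocations, groups, now=2000))  # allowed
    groups.remove("u1", "StandardUsers")  # the admin action: takes effect on the next request
    print(authorize(token_claims, "StandardUsers", revocations, groups, now=2000))  # denied
```

The group lookup is what gives the immediate effect; the revocation timestamp is the broader kill switch for "log this user out everywhere now", and both cost one table read per request, which is the price of turning a stateless token into a stateful session.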

AWS Cognito for facebook users with serverless framework

I use the Serverless Framework for an AWS serverless application, for creating RESTful APIs.
Requirement
Any user (e.g. registered, Facebook, Google) on any device (e.g. mobile or web) uses an API that authenticates via a JWT token. If the token is valid, the user can access an AWS Lambda function via AWS API Gateway.
What I do
I use AWS Cognito User Pools for registered and Facebook users; for social users I use identity providers to get a JWT token that accesses the API.
It works perfectly fine.
What I need
For mobile users with social login, Facebook gives an access token. Using that token, can I register or log in to AWS Cognito User Pools (not AWS Cognito Federated Identities)? After login, AWS Cognito User Pools gives a JWT token for accessing the AWS Lambda function via AWS API Gateway.
Why I need it
Because the Serverless Framework handles the authorizer with JWT. Link
Is this the right flow?

AWS Cognito: Developer Authenticated Identities

These are the calls I'm making to get the access token from AWS Cognito. I am implementing the Developer Authenticated Identities workflow, where I authenticate the user on my backend. My code:
require 'aws-sdk-cognitoidentity'

# Long-lived backend credentials: the backend, never the end-user device, holds these.
cognito_identity_client = Aws::CognitoIdentity::Client.new(
  region: 'us-east-1',
  credentials: permanent_aws_creds,
)
developer_provider_name = '1.Got From Developer Provider Name under Custom in Cognito Console'
identity_pool_id = 'us-east-1:Xxxxx'

# Step 1: exchange the backend's own user identifier for a Cognito OpenID token.
resp = cognito_identity_client.get_open_id_token_for_developer_identity(
  identity_pool_id: identity_pool_id,
  logins: {
    developer_provider_name => unique_identity_token_provider_from_my_backend
  }
)

# Step 2: exchange that token for temporary AWS credentials bound to the identity.
resp2 = cognito_identity_client.get_credentials_for_identity(
  identity_id: resp.identity_id,
  logins: {
    'cognito-identity.amazonaws.com' => resp.token
  }
)
My Question:
1. How can I create a user in the user pool (enable MFA and all that) after the above calls? I can see that identities are created in my console, but I'm lost after that.
Can you check that in the identity pool configuration, in the Custom tab of the Authentication providers section, you have the developer provider name set and that it matches the value in your code above? This might be one possible reason for the error.
To answer your other question: you do not need to implement developer authenticated identities to use the 'User Pools' feature of Cognito. These are two independent features. Cognito developer authenticated identities allows you to federate your own authentication system with Cognito identity. If you want Cognito to manage your users and allow username- and password-based sign-up, sign-in and MFA for you, the 'User Pools' feature will be the correct choice. The users managed by User Pools can also federate with Cognito identity.

How to make AWS Cognito User Data available to Lambda via API Gateway, without an Authorizer?

I have a website that uses AWS Cognito (via Amplify) for user login. The API is on a separate stack that deploys with Serverless.
I am trying to have an API endpoint that can access the current logged-in user's Cognito User Pool data (username, email) if it is available. The only way I've been able to achieve this is by using a cognito user pool authorizer via API Gateway.
Example:
functions:
  getMe:
    handler: /endpoints/myService.get
    events:
      - http:
          path: /myService
          method: GET
          cors: true
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: ${self:custom.apiGatewayAuthorizerId.${self:custom.stage}}
Where authorizerId is set to the 6-character Authorizer ID found on the AWS Console's API Gateway Authorizers page. However, this blocks all traffic that is not authenticated with Cognito. That isn't what I want, since I have a number of services that should be accessible by both anonymous and logged-in users. I just want to personalize the data for users that are logged-in.
Is there any way to allow traffic and pass the cognito user parameters through the API Gateway to Lambda if they are available?
All resources I've been able to find regarding Cognito + API Gateway + Lambda are specifically about restricting access to endpoints and not layering on data to the requests...
Based on the comments above, you want anonymous and logged-in users to pass through the same gateway endpoint?
You can still use the same setup, but remove the authentication from API Gateway and move the logic into your application.
If users try to access your services while logged in, AWS Amplify will send through the Authorization header with the ID token to API Gateway, and API Gateway will pass this header as it is to the application. You will have to check inside your application for this Authorization header, crack open the ID token passed to find the user claims/attributes, and do your logic. Any other user that doesn't have this token can be considered anonymous.
You still need to validate the token if you find one in the request, to make sure it's a valid token, and extract the claims/attributes thereafter.
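The branch that answer describes inside the Lambda, as an added example (not code from the answer, Amplify or AWS): no Authorization header means an anonymous request, a header means the ID token must be validated before any claim in it is trusted, and a token that is present but fails validation is rejected rather than quietly downgraded to anonymous. The JWT parsing and the claim checks Cognito documents for ID tokens (issuer, audience, token_use, expiry, a kid from the pool's JWKS) are implemented here; RS256 signature verification is delegated to a callable so a real deployment plugs in a JWKS-backed library (aws-jwt-verify, PyJWT or python-jose) and this file stays runnable offline. The pool, app client, kid and the HMAC-based demo signer are constructed stand-ins.

```python
"""Optional Cognito authentication inside the Lambda, no API Gateway authorizer (added example)."""
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


class TokenRejected(Exception):
    pass


class CognitoIdTokenValidator:
    def __init__(self, region, user_pool_id, app_client_id, known_kids, verify_signature):
        self.issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
        self.app_client_id = app_client_id
        self.known_kids = set(known_kids)          # kid values from the pool's jwks.json
        self.verify_signature = verify_signature   # (kid, signing_input: bytes, signature: bytes) -> bool

    def validate(self, token: str, now: int = None) -> dict:
        now = int(time.time()) if now is None else now
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            header = json.loads(b64url_decode(header_b64))
            claims = json.loads(b64url_decode(payload_b64))
        except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
            raise TokenRejected("malformed JWT")
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise TokenRejected("malformed JWT")
        # Pin the algorithm and the key: never let the token choose them.
        if header.get("alg") != "RS256" or header.get("kid") not in self.known_kids:
            raise TokenRejected("unexpected alg or unknown kid")
        if not self.verify_signature(header["kid"], f"{header_b64}.{payload_b64}".encode(), b64url_decode(sig_b64)):
            raise TokenRejected("bad signature")
        if claims.get("iss") != self.issuer:
            raise TokenRejected("wrong issuer")
        if claims.get("token_use") != "id":
            raise TokenRejected("not an ID token (token_use)")
        if claims.get("aud") != self.app_client_id:
            raise TokenRejected("wrong audience")
        if claims.get("exp", 0) <= now:
            raise TokenRejected("token expired")
        return claims


def resolve_user(event: dict, validator: CognitoIdTokenValidator, now: int = None) -> dict:
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    auth = headers.get("authorization")
    if not auth:
        return {"anonymous": True, "user": None}          # no token at all: anonymous is fine
    token = auth[7:] if auth[:7].lower() == "bearer " else auth   # Amplify sends the raw ID token
    try:
        claims = validator.validate(token, now)
    except TokenRejected as exc:
        # Present-but-invalid is an error, not an anonymous user; downgrading would hide
        # expired sessions and forged tokens from both the caller and your logs.
        return {"anonymous": False, "user": None, "error": str(exc)}
    return {"anonymous": False,
            "user": {"username": claims.get("cognito:username"), "email": claims.get("email")}}


# Constructed demo signer standing in for RS256/JWKS verification; the validator still insists on
# alg=RS256 because that is what Cognito issues. Do not use HMAC for real Cognito tokens.
DEMO_KEYS = {"demo-kid-1": b"constructed-demo-secret"}


def demo_verify(kid: str, signing_input: bytes, signature: bytes) -> bool:
    expected = hmac.new(DEMO_KEYS[kid], signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def make_demo_token(claims: dict, kid: str = "demo-kid-1") -> str:
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEYS[kid], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


DEFAULT_VALIDATOR = CognitoIdTokenValidator("us-east-1", "us-east-1_EXAMPLE", "1example23456789",
                                            ["demo-kid-1"], demo_verify)


def lambda_handler(event, context=None, validator=None, now=None):
    result = resolve_user(event, validator or DEFAULT_VALIDATOR, now)
    status = 401 if result.get("error") else 200
    return {"statusCode": status, "headers": {"Content-Type": "application/json"}, "body": json.dumps(result)}


if __name__ == "__main__":
    claims = {"iss": DEFAULT_VALIDATOR.issuer, "aud": "1example23456789", "token_use": "id",
              "exp": 2000, "cognito:username": "alice", "email": "alice@example.com"}
    print(lambda_handler({"headers": {}}, now=1000))                                  # anonymous
    print(lambda_handler({"headers": {"Authorization": make_demo_token(claims)}}, now=1000))  # alice
    print(lambda_handler({"headers": {"Authorization": make_demo_token(claims)}}, now=3000))  # 401, expired
```

If you wire this up, keep the API Gateway method open (no authorizer) so anonymous traffic reaches the function, and cache the JWKS in the Lambda's global scope rather than fetching it per request.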
