I use the Serverless Framework for an AWS Serverless Application for creating RESTful APIs.
Requirement
Any user (e.g. registered, Facebook, Google) on any device (e.g. mobile or web) uses an API that authenticates via a JWT token. If the token is valid, the user can access the AWS Lambda function via AWS API Gateway.
What I do
I use AWS Cognito User Pools for registered and Facebook users; for social users I use identity providers for getting the JWT token that accesses the API.
It works perfectly fine.
What I need
For mobile users with social login, Facebook gives an access token. Using that token, can I register or log in to AWS Cognito User Pools (not AWS Cognito Federated Identities)? After login, AWS Cognito User Pools gives a JWT token for accessing the AWS Lambda function via AWS API Gateway.
Why I need
Because the Serverless framework handles the authorizer with JWT. Link
Is this the right flow?
Related
I've been dealing with this for a while. I want to call an AWS_IAM authenticated Lambda Function URL sending an access token (generated by a Cognito User Pool) as the Authorization header.
I know I can send access token as a request header for API Gateway HTTP or REST API, but I'm not sure if it works for Lambda Functions too.
I couldn't find any documentation about my problem, just this other one about the Signature V4 authentication method to invoke Lambda function URLs: https://docs.aws.amazon.com/lambda/latest/dg/urls-invocation.html
The Security and auth model for Lambda function URLs has two AuthType options:
AWS_IAM – Lambda uses AWS IAM to authenticate and authorize requests based on the IAM principal's identity policy and the function's resource-based policy.
NONE – Lambda doesn't perform any authentication before invoking your function.
The Cognito JWT-based access token is not an AWS IAM session token, so it cannot sign the request using SigV4. You have a different option for each of the Lambda function URL AuthType options.
To use AWS_IAM, you can use Amazon Cognito identity pools to deliver temporary, limited-privilege credentials which can SigV4 sign the request.
To use NONE, you will need to verify the JSON web token yourself, preferably with a software framework (such as AWS JWT Verify).
I have an API written in Go that, at the moment, serves an authorization token based on a username and password (without MSAL).
I am trying to implement MSAL logins with Microsoft accounts. I have set up my Angular frontend to log a user in to an Azure AD app registration. Would it be possible to authenticate that they have successfully logged in to the Azure AD, and serve them one of my tokens (unrelated to MSAL) from my Go API?
The username that they use to log in with MSAL also exists in my backend; the flow would be something like this:
User logs in with MSAL -> my frontend makes a request to golang backend with username -> golang verifies that this username has logged in with MSAL -> backend serves a token for this user
It appears Go integration with MSAL is limited, so I'm not sure how possible this is.
Thanks.
What you can do is acquire an access token for your API in the front-end from Azure AD. For this you will either register the API in Azure AD or use the same app registration. Either way, you should add a scope in the Expose an API page in the registration. Your front-end can then use that scope's id to get the needed token.
Your API can then have an endpoint that validates the access token, and issues the local token. The access token will contain the user's username for example, if you want to map to that. A more robust way would be to map to the user's object id (also in the token) since it is immutable, unlike the user email.
For token validation, you should be able to use a generic JWT validation library. Also remember to check for that scope in the token that you defined to properly authorize the request.
I have a front end (https://github.com/Azure-Samples/ms-identity-b2c-javascript-spa) with Azure AD B2C. After user login, Azure AD returns a token for the SPA. I call a Spring Boot API with this access token.
How can my Spring Boot app validate the access token and get user information from Azure AD B2C with this token?
Thanks!
This sample can meet your requirements.
It uses Azure Active Directory B2C to authenticate users into a single page application (SPA), then returns the access token and id token, and then uses the access token to call the Spring Boot application. The backend will verify the access token and return user information.
I'm trying to test the Lambda functions that I have created and which sit behind a Cognito login.
My Lambda functions require that cognitoIdentityId is set in order to identify the user.
I've been following the Use Postman to Call a REST API tutorial in the Amazon docs. However, this tutorial only shows how to authenticate with IAM credentials and not Cognito User Credentials which means that cognitoIdentityId is set to null.
How does one go about integrating a Cognito User login with Postman?
You should be able to see it with:
console.log(event.requestContext.identity.cognitoIdentityId);
I have a website that uses AWS Cognito (via Amplify) for user login. The API is on a separate stack that deploys with Serverless.
I am trying to have an API endpoint that can access the current logged-in user's Cognito User Pool data (username, email) if it is available. The only way I've been able to achieve this is by using a cognito user pool authorizer via API Gateway.
Example:
functions:
  getMe:
    handler: /endpoints/myService.get
    events:
      - http:
          path: /myService
          method: GET
          cors: true
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: ${self:custom.apiGatewayAuthorizerId.${self:custom.stage}}
Where authorizerId is set to the 6-character Authorizer ID found on the AWS Console's API Gateway Authorizers page. However, this blocks all traffic that is not authenticated with Cognito. That isn't what I want, since I have a number of services that should be accessible by both anonymous and logged-in users. I just want to personalize the data for users that are logged-in.
Is there any way to allow traffic and pass the cognito user parameters through the API Gateway to Lambda if they are available?
All resources I've been able to find regarding Cognito + API Gateway + Lambda are specifically about restricting access to endpoints and not layering on data to the requests...
Based on the comments above, you want anonymous and logged-in users to pass through the same gateway endpoint?
You can still use the same setup but remove the authentication from API Gateway and handle the logic in your application.
If users try to access your services while logged in, AWS Amplify will send the Authorization header with the Id token to API Gateway, and API Gateway will pass this header as-is to the application. You will have to check inside your application for this Authorization header and crack open the Id token passed to find the user claims/attributes and do your logic. Any other user that doesn't have this token can be considered anonymous.
You still need to validate the token if you find one in the request to make sure it's a valid token, and extract the claims/attributes thereafter.