Secure API Gateway using Cognito Authorizer #aws #gateway #authorizer #authorization Secure AWS API Gateway using Lambda Authorizer: • Secure API Gateway usi...
Hello, nice video bro.. I did all the steps in this video but im im getting the error:"Unauthorized" , i've did all steps, one by one, but im always getting: "Unauthorized" when i try to acces to API endpoint via access_token (Postman) .. the token seems to be ok, i've checked token string integrity (white spaces, or special chars).. any sugesstions? maybe a permission that im missing? please help me, thanks
Hi @Nestor, Theoretically it should work, if you follow the step. There is no specific permission for this scenario. Could you check the postman `key` you used? As example, the key should be match with the name you mentioned in the lambda authoriser. Please double check this point ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-9crTLAT_4uY.html Still if you have a issue, please drop a email, I will contact you. johnsonp908060@gmail.com
Hi, in my case I had to click Edit in Authorizer again and (the second time id(?) appeared next to user pool name) and it started working, also in the tutorial, initially there was no id next to the user pool in Authorizer, in the next shot it already appeared ;)
Thanks this is perfect for what I need to do which is setting up "database" + user login + a way to auto update my client using the gateway to link to a resource that I can change at anytime.
Video is nice and clearly explained. I appreciated the Cognito Authorizer tests I've never used before. Thanks. Nevertheless I would add that "Implicit Grant" is not mandatory. Everything works fine also with Authorization Code that I am using to satisfy a requirements.
this was great, thank you! however i have a question. i have this API connected to my lambda function as a trigger, and i have a slack app which in event subscription, takes in an endpoint (in this case it is my newly authorized endpoint configured in my lambda function). however, because the API is protected, slack won't be able to verify it or access it. how can i enable slack to access this? thank you again for the video!
Hi balawal, Thanks for the comment. When you call the API, you need to pass the api-keys as we did on postman request. Do you get any errors in slack? You can enable logs on API gateway to see if the slack request is hitting or not
Thank you for this demo. I have followed all of the steps in the video but am getting a 403 error when calling the REST API from Swift. I have tried everything I can think of as to why I am getting the error. Any suggestions or thoughts?
Hi Duhkham, Did you use `access_token` not the `id_token` ? Please first try with Postman to check that is working. When you test the authorizer in AWS, you nee to use 'id_token` and test with Postman, then you need to use `access_token`. Let me know hot it goes.
@@guitaravind Looks like the value you are passing in the Postman is not in a valid format. Just open "headers" tab and add new key and value. The key will be describe as below. The value will be the "access_token" Could you please check the "token source" name match with the "header key" in postman? As per this video, it should be "auth-token". If you change the name of "token source" , the same name should be used in Postman.
Hey, I've one quick question. Api requests from localhost:3000 work fine without the cognito authorizer. But once I add it, I get a CORS error: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. The requests still work fine when done with Postman, even with the authorizer in place. Do you know how I may be able to fix this? Thank you!
Hi @carlos, Do you mean that you call the api gateway without any authentication and it works? > >> Api requests from localhost:3000 work fine without the cognito authorizer.
@@lovetocode4486 I ultimately checked headers in the Lambda response. I then deleted the current Options method and generated it again by enabling cors. I also didn't add an authorizer to the Options method, as I understand it does not need to have one. It then started working. Not sure which of these steps did it. But I'm ready to move on for now. lol Thank you! Reply
If I want any production level apiS using apigatway need to be used by different client which further server their users using our API resources, in that case what approach should I take ? Do I need to secure gateway with API key ? which is not recommended because here is a expire token as well , we cant provide them new token every time or they need to implement coginito login from their backed side and opt to token from response . basically Idea is We have clients and in our DB we called it a company that company can have many users who uses our API or on a comapny can use our API and serve their users in that case I want allocate tken for comapny called secratekey using which they can access endpoints but to make it more secure we use coginot how can we achieve that or what should we do to achieve same . TIA
Hi @manishmarx, As I understood your question, The API Key alone is not good enough for authentication. Usually people use use combination of both API KEY alone with Lambda authoriser or Cognito Authoriser. With the authoriser you can authorise who can access the resources. API key can be used to throttle/limit requests per client. The Cognito authorise can be integrate with ADFS, OKTA like other Identity providers too. Simply if you want more fine tune authentication/authorisation, go ahead with a solution which have both API key + Authoriser
Hi Ashish, I am not suite sure your question. BTW as I understood, you can use Lambda Authoriser to add any custom logic. So you can use client credentials with Lambda Authoriser. This may helps ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-rRQbVJhlpC4.html Let me know how it goes.
HI. thanks for the video. In my lambda i want to read this token and get corresponding email id or username. Because i want to do some dynamic processing basis these. Can you tell how can this token be further used to scrap the email/username in Lambda?
Hi Mate, The Cognito token is a JWT token and it has three parts which are separated by dot (.). The whole token is encodes with base64. It is NOT ENCRYPTED. You just need to decode the second part which has the payload using Base64 decoder. You can find username, email etc information in the payload. I haven't tested this. But theoretically this should work. You can simply check this website to check the payload has what you are looking for. jwt.io/ Hope this helps. Let me know how this goes. Thanks
@@lovetocode4486 I understand jwt token has the username email etc but the issue is - in lambda 'event' param is coming empty. If i print(event) in lambda its empty dictionary. So i am not sure how this token can be fetched in lambda
Hi Manish, Ok, got your question. If the token is not passed to the lambda, then you have to manually pass the token using template mapping. You can update the "Integration request" -> "Mapping templates" -> "Add mapping Template". This way, you can pass any headers from client to integration point. I have created a video on how to use "Template". Sure, this helps you. Please have a look. ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-o98qYUFSQbc.html Thanks
@@lovetocode4486 Wow!! This was truly helpful. I was able to achieve what I want. Thanks a lot!! There are few observations : The tokens generated by CLI via admin-initiate-auth were not working. Not sure why. Access_token generated by UI browser as you have shown was working in postman. As per some documentation I read, you should use access_token for authorization and id_token to get values like email , username etc for further authentication in lambda. I passed access_token from my postman as authorization and id_token as separate header. Finally it worked!!
Great mate. Yes, the Id-token holds user information. Idtoken was introduced by OpenIdConnect. oAuth has access token. Glad that you made it work. Thanks. 👍👍👍
Hi @jrleriche , For this tutorial, there is nothing much in terms of code. It has sample lambda function which returns a string. I pasted the sample lambda code for your reference. Hopefully you will like the "Lambda Authoriser" which has more code. Lambda authoriser video: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-rRQbVJhlpC4.html Lambda authoriser code repo: github.com/CodeSam621/Demo/tree/main/AWS-Gateway-Lambda-Authorizer Sample lambda code you were asking here: ----------- export const handler = async(event) => { console.log(f'event: {event}'); const response = { statusCode: 200, body: JSON.stringify("Hellow from Lambda") } return response; } ----------
