Hello, nice video bro.. I did all the steps in this video but I'm getting the error: "Unauthorized". I've done all the steps, one by one, but I'm always getting "Unauthorized" when I try to access the API endpoint via access_token (Postman).. the token seems to be ok, I've checked token string integrity (white spaces, or special chars).. any suggestions? Maybe a permission that I'm missing? Please help me, thanks
Hi @Nestor,
Theoretically it should work if you follow the steps. There is no specific permission for this scenario. Could you check the Postman `key` you used? As an example, the key should match the name you mentioned in the lambda authoriser. Please double check this point th-cam.com/video/9crTLAT_4uY/w-d-xo.html
If you still have an issue, please drop an email, I will contact you. johnsonp908060@gmail.com
Yo! I got confused with this too. Make sure you're putting the access-token in the Headers tab, not the parameters tab.
@@sebastienbolh210 Thanks mate for helping out
Hi, in my case I had to click Edit in Authorizer again and (the second time id(?) appeared next to user pool name) and it started working, also in the tutorial, initially there was no id next to the user pool in Authorizer, in the next shot it already appeared ;)
@@xXpiterXx95 thanks for sharing :)
Thanks this is perfect for what I need to do which is setting up "database" + user login + a way to auto update my client using the gateway to link to a resource that I can change at anytime.
Cool. Great to hear. Thanks for the comment 👍👍👍
Video is nice and clearly explained. I appreciated the Cognito Authorizer tests I've never used before. Thanks. Nevertheless I would add that "Implicit Grant" is not mandatory. Everything also works fine with Authorization Code, which I am using to satisfy a requirement.
Great @enri2due. It was great news and I'm really happy someone enjoys it and gets something out of it.
Thanks.
Thanks for the demo, it inspired me for my own lambda project that currently uses a lambda authoriser with basic auth.
Great to hear! Thanks @Ivo :)
very easily explained. thanks bro
You good at explaining bro, keep up the good work.
Thanks mate
Hello sir, It's a nice video. But I need to know how to do Role-Based Access Control (RBAC). Do you have any suggestions? thanks!
Great video, clear and to the point. Good explanations as well. Thanks!
Thanks Noah. Appreciated.
This was great, thank you! However I have a question. I have this API connected to my lambda function as a trigger, and I have a Slack app which, in event subscription, takes in an endpoint (in this case it is my newly authorized endpoint configured in my lambda function). However, because the API is protected, Slack won't be able to verify it or access it. How can I enable Slack to access this? Thank you again for the video!
Hi balawal,
Thanks for the comment. When you call the API, you need to pass the api-keys as we did on postman request. Do you get any errors in slack?
You can enable logs on API gateway to see if the slack request is hitting or not
Great demo video. Keep it up. Thanks
Thanks.👍👍👍
If I want any production level APIs using API Gateway need to be used by different client which further serve their users using our API resources, in that case what approach should I take?
Do I need to secure gateway with API key? Which is not recommended
because here is an expire token as well, we can't provide them new token every time or they need to implement Cognito login from their backend side and opt to token from response.
Basically the idea is we have clients and in our DB we called it a company. That company can have many users who use our API, or a company can use our API and serve their users. In that case I want to allocate a token for the company called secretkey using which they can access endpoints, but to make it more secure we use Cognito. How can we achieve that or
what should we do to achieve same. TIA
Hi @manishmarx,
As I understood your question, the API Key alone is not good enough for authentication. Usually people use a combination of both API key along with Lambda authoriser or Cognito Authoriser.
With the authoriser you can authorise who can access the resources. API key can be used to throttle/limit requests per client. The Cognito authoriser can be integrated with ADFS, OKTA and other identity providers too.
Simply, if you want more fine-tuned authentication/authorisation, go ahead with a solution which has both API key + Authoriser
Very nice and informative. Thank you so much.
Thanks Sunita.👍👍👍
Thank you for this demo. I have followed all of the steps in the video but am getting a 403 error when calling the REST API from Swift. I have tried everything I can think of as to why I am getting the error. Any suggestions or thoughts?
When I test the API within AWS, I get a 200 response
Hi Duhkham,
Did you use `access_token` not the `id_token`? Please first try with Postman to check that is working.
When you test the authorizer in AWS, you need to use `id_token` and to test with Postman, then you need to use `access_token`. Let me know how it goes.
@@lovetocode4486 Yes I am using the Access Token, not ID Token in my code. I have to check in Postman. Will do so ASAP
In Postman, I am getting an error which says "not a valid key=value pair (missing equal-sign) in Authorization header: 'Bearer"
@@guitaravind Looks like the value you are passing in Postman is not in a valid format. Just open the "headers" tab and add a new key and value. The key will be as described below. The value will be the "access_token"
Could you please check that the "token source" name matches the "header key" in Postman? As per this video, it should be "auth-token". If you change the name of "token source", the same name should be used in Postman.
Great demo. Thanks
Thanks for watching!
Can you create video for client credentials type machine to machine
Hi Ashish, I am not quite sure about your question. BTW as I understood, you can use Lambda Authoriser to add any custom logic. So you can use client credentials with Lambda Authoriser.
This may help th-cam.com/video/rRQbVJhlpC4/w-d-xo.html
Let me know how it goes.
Very simple and nice explanation. Thanks. Keep going!!👍
Thanks for the comment. Glad that helps you :)
Hi. Thanks for the video. In my lambda I want to read this token and get the corresponding email id or username, because I want to do some dynamic processing on the basis of these. Can you tell how this token can be further used to scrape the email/username in Lambda?
Hi Mate,
The Cognito token is a JWT token and it has three parts which are separated by dot (.). The whole token is encoded with base64. It is NOT ENCRYPTED.
You just need to decode the second part which has the payload using Base64 decoder. You can find username, email etc information in the payload. I haven't tested this. But theoretically this should work.
You can simply check this website to check the payload has what you are looking for. jwt.io/
Hope this helps. Let me know how this goes. Thanks
@@lovetocode4486 I understand the JWT token has the username, email etc. but the issue is - in lambda the 'event' param is coming empty. If I print(event) in lambda it's an empty dictionary. So I am not sure how this token can be fetched in lambda
Hi Manish,
Ok, got your question.
If the token is not passed to the lambda, then you have to manually pass the token using template mapping.
You can update the "Integration request" -> "Mapping templates" -> "Add mapping Template". This way, you can pass any headers from client to integration point.
I have created a video on how to use "Template". Sure, this helps you. Please have a look.
th-cam.com/video/o98qYUFSQbc/w-d-xo.html
Thanks
@@lovetocode4486 Wow!! This was truly helpful. I was able to achieve what I want. Thanks a lot!!
There are few observations : The tokens generated by CLI via admin-initiate-auth were not working. Not sure why. Access_token generated by UI browser as you have shown was working in postman.
As per some documentation I read, you should use access_token for authorization and id_token to get values like email , username etc for further authentication in lambda.
I passed access_token from my postman as authorization and id_token as separate header. Finally it worked!!
Great mate. Yes, the ID token holds user information. The ID token was introduced by OpenID Connect. OAuth has the access token.
Glad that you made it work. Thanks. 👍👍👍
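The token handling worked out in this thread, as an added example (not code from the video or its repo): reading a Cognito ID token from a separate request header and decoding its payload. The header name `id-token`, the proxy-style `event.headers` shape and the sample claims are assumptions, and the tokens are constructed. Decoding does not check the signature, and the API Gateway authorizer validates only the token in its configured token source, so an ID token sent in another header is unverified input.

```javascript
// Added example: constructed tokens only; "id-token" header name is an assumption.

// Decode (NOT verify) the payload segment of a JWT.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  // JWT segments are base64url: map the URL-safe alphabet back before decoding.
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Pull identity fields out of a Cognito ID token's claims.
function userFromIdToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  // An access token carries no email claim; refuse it rather than return undefined.
  if (claims.token_use !== "id") throw new Error("not an ID token");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    throw new Error("token expired");
  }
  return { username: claims["cognito:username"], email: claims.email };
}

// Synchronous core of the handler so it can be exercised outside Lambda.
function buildResponse(event, nowSeconds) {
  // Header names can arrive in any case; normalise before the lookup.
  const headers = {};
  for (const [k, v] of Object.entries((event && event.headers) || {})) {
    headers[k.toLowerCase()] = v;
  }
  try {
    const user = userFromIdToken(headers["id-token"], nowSeconds);
    return { statusCode: 200, body: JSON.stringify(user) };
  } catch (err) {
    // Missing, malformed, expired or wrong-type token: reject the request.
    return { statusCode: 400, body: JSON.stringify({ error: err.message }) };
  }
}

// In a Lambda module this would be exported as `handler`.
const handler = async (event) => buildResponse(event);

// Builds a constructed, unsigned sample token for local testing only.
function makeSampleToken(claims) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}
```

Before using these claims for any access decision, verify the ID token's signature against the user pool's published keys, or take the claims from the token the authorizer itself validated.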
Nice demo.thx
Glad you liked it!
Amazing Video!!!
Thanks for the comment. :)
nice video but now i want save user data that user login application and show user data who save/add data in dynamoDB
Hello. Thanks for the video. But I do not see the link to the github repo for the code
Hi @jrleriche ,
For this tutorial, there is nothing much in terms of code. It has sample lambda function which returns a string. I pasted the sample lambda code for your reference. Hopefully you will like the "Lambda Authoriser" which has more code.
Lambda authoriser video: th-cam.com/video/rRQbVJhlpC4/w-d-xo.html
Lambda authoriser code repo: github.com/CodeSam621/Demo/tree/main/AWS-Gateway-Lambda-Authorizer
Sample lambda code you were asking here:
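-----------
// Sample handler: logs the incoming event and returns a fixed string.
export const handler = async (event) => {
  // JavaScript template literal (the f'...' form is Python syntax)
  console.log(`event: ${JSON.stringify(event)}`);
  const response = {
    statusCode: 200,
    body: JSON.stringify("Hellow from Lambda")
  };
  return response;
};
----------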
Hey, I've one quick question. Api requests from localhost:3000 work fine without the cognito authorizer. But once I add it, I get a CORS error:
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.
The requests still work fine when done with Postman, even with the authorizer in place.
Do you know how I may be able to fix this? Thank you!
Hi @carlos,
Do you mean that you call the api gateway without any authentication and it works?
> Api requests from localhost:3000 work fine without the cognito authorizer.
Please check all the headers in the Postman request. Then compare with the HTTP request you are trying from localhost. Please let me know how it is going. Thanks
@@lovetocode4486
I ultimately checked headers in the Lambda response. I then deleted the current Options method and generated it again by enabling cors.
I also didn't add an authorizer to the Options method, as I understand it does not need to have one.
It then started working. Not sure which of these steps did it. But I'm ready to move on for now. lol
Thank you!
@@ArgKilljoy great to see you make it work. Thanks :)
Best ever ❤❤❤
Cool. Thanks for comment mate
Still getting a 404
Hey mate,
The 404 is not anything related to authentication or authorisation. Please check whether the URL is correct or not.
17:50 so this was the reason I could never get the id token after 3 hours 😂😂😂😂
Lucky figured it out. 👍👍👍
"And... NO MFA"
Ethical hacker here. This is irresponsible. Without any explanation to your audience, you skip MFA. We have to stop normalizing this.
Yes, MFA is a good security practice. BTW I didn't want to give much noise while doing this. That is the reason to skip that :)