Can placeholder variables be used in AWS Cognito Allowed Callback URLs? - amazon-cognito

I would like to be able to use a placeholder varialble in a URL listed as a Allowed Callback URL in an AWS Cognito User Pool app client
e.g. Using a URL like this to have the slug field be variable
https://some-domain/${slug}/loginOauth
Is there any way to do this?
I have tried using the variable notation used in API Gateway to map Stage Variables but that did not work.

Related

Cognito login and track referral source

I'm using Amazon Cognito with the Built-In login page. I'd like to provide a link where I can customize my site after the user logs in based on where the user is coming from.
If I change the redirect_uri to a page that is different than configured in the App client settings I'll get a redirect_mismatch error.
If I add a query param it does not preserve it.
https://auth-local.auth.us-west-2.amazoncognito.com/login?response_type=code&client_id=<myid>&redirect_uri=http://localhost:4201/after-login&TEST_QUERY_PARM=1
Goes to:
http://localhost:4201/after-login?code=[code]
There is no TEST_QUERY_PARM that I set in the redirect_uri.
Is there any way I can track where it came from?
-
EDIT: I'm using AWS Chalice/Lambda for backend server
Did you try to configure two application clients each with its own callback URL.
So to track calls from different sources you will do something like:
?response_type=code&client_id=<myid_1>&redirect_uri=<myurl_1>
?response_type=code&client_id=<myid_2>&redirect_uri=<myurl_2>
or you can actually configure several callback URLs for one App Client by separating them by a comma.

How to configure for multiple siginin signiut url

I have provided multiple signin url in cognito as comma separated but my local react ui has 1 of the them as signin url (ex- http://localhost:3000/,https//abc.com in cognito and in my local UI I have only http://localhost:3000/ ) when I try to login it says url mismatch so it’s not forwarding to my application not sure how to provide in aws-amplify configuration file . Any input ?
New Cognito UI allows to add multiple URls more easily. Though if you will use Facebook, Google or other identity provider, they usually check for allowed redirect URL match too, something to be checked too.

Allow API users to run AWS Lambda using execution role from Cognito identity pool

I'm using AWS amplify to create an app, where users can upload images using either private or public file access levels, as described in the documentation. Besides this, I've implemented a lambda function which upon request through API gateway modifies an image and returns a link to the modified image.
What I want is that a given user should be able to call the API and modify only his own images, but not that of other users; i.e. allow the AWS lambda function to use the execution role from the cognito user. If I allow the lambda function to access all data in the S3 bucket then it works fine - but I don't want users to be able to access other users images.
I've been at it for a while now, trying different things to no avail.
Now I've integrated the API with the user pool as described here:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
And then I've tried to follow this guide:
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-group/
Which does not work since the "cognito:roles" is not present in the event variable of the lambda_handler (presumably because there are not user pool groups?).
What would the right way be to go about this in an AWS Amplify app?
Primarily, I've followed this guide:
https://aws.amazon.com/premiumsupport/knowledge-center/cognito-user-pool-group/
Use API Gateway request mapping and check permissions in Lambda itself:
Use API Gateway request mapping to pass context.identity.cognitoIdentityId to Lambda. Just it should be a Lambda integration with mapping (not a Proxy integration). Another limitation is that API request should be POST, for GET it's also possible if you map cognitoIdentityId to query string.
Lambda has access to all files in S3
Implement access control check in Lambda itself. Lambda can read all permissions of the file in S3. And then see if owner is Cognito user.

Uploading an image through Amazon API gateway and lambda

I have a REST API with API gateway and Lambda.
I wan't to create an endpoint for uploading a profile picture, that passes the file to a Lambda function, where it is been resized, registers it to the database and returning the url path of the new image.
Is there any way to do so with those services?
Couldn't find anything online (the only suggestion I found is uploading directly to S3, which requires IAM permissions, and having an event triggering a Lambda function that resizing the picture).
Thanks
UPDATE
AWS updated APIGATEWAY and know you can send binaries through an endpoint
Thanks to #blue and #Manzo for commenting it
Uploading a file directly to S3 doesn't necessarily require IAM permissions. You would create an API endpoint that returns a pre-signed S3 URL, which could then be used to upload the file directly to S3. The Lambda function behind the API endpoint would be the only thing that needed the correct IAM permissions for the S3 bucket.
Since API Gateway and Lambda don't support natively currently, you can pass the file to a picture in based64 encoded to API Gateway then pass to Lambda function. Your Lambda function can based64 decoded, then resized, registers it to the database and returning the url path of the new image.

Difference between HTTP Authorization header and Query string parameters

While I was reading about interaction with Amazon S3, I came to know that request authentication with Amazon AWS is done in 2 ways
HTTP Authorization:
Using the HTTP Authorization header is the most common method of providing authentication information
Query string parameters:
Using query parameters to authenticate requests is useful when you want to express a request entirely in a URL. This method is also referred as presigning a URL.
The question is in which situation should I prefer one method over the other. Do these two authentication methods have their own advantages and disadvantages? As a developer, by using query string parameters method I can presign the URL which enables the end users to temporarily access the Amazon S3 resources by entering the presigned URL in the web browser. Can I use HTTP Authorization method to achieve the same thing? If so which method is better to use and what are their respective limitations?
Can I use HTTP Authorization method to achieve the same thing?
Sometimes. The key difference is that, as a developer, you don't always have enough control over the user agent to inject a header. The most obvious example of this is a simple GET request launched by a web browser in response to the user clicking a link. In that situation, you don't have the a ability to inject an Authorization: header for the browser to send ... so pre-signing the URL is all you can do.
Importantly, there's no information in a signed URL that is considered sensitive, so there's no particularly strong motivation to use the header instead of a signed URL. Your AWS Access Key ID is not secret, and your AWS Secret can't be derived from the other elements and the signature in a computationally-feasible time frame, particularly if you use Signature Version 4, which you should. Signature Version 2 is not officially deprecated in older regions, but newer S3 never supported it and likely never will.
When you do control the user agent, such as in back-end server code, adding the header may be preferable, because you don't need to do any manipulation of the URL string you already have in-hand.
The overview in the first AWS page says what the difference is:
Except for POST requests and requests that are signed by using query parameters, all Amazon S3 bucket operations and object operations use the Authorization request header to provide authentication information.
Basically a POST is used for HTML forms (discussed at length in the Mozilla page). You would use forms whenever the request involves passing data to the remote server, versus just checking status. As noted in HTML method Attribute (W3Schools),
Never use GET to send sensitive data! (will be visible in the URL)
as distinguished from POST:
Appends form-data inside the body of the HTTP request (data is not shown is in URL)