AWS Cognito as an Open Id Authorizer for AWS AppSync - amazon-cognito

I need to use an AWS Cognito User Pool with the client_credentials OAuth flow in one AWS account as the authorization provider for an AWS AppSync app in a different AWS account.
I added the Amazon Cognito Domain (test example below) to the Authorization Providers on AppSync
I was able to get a valid access token. However, when I used that token to make a request on AppSync I get the following error:
{
"errors": [
{
"errorType": "UnauthorizedException",
"message": "Valid authorization header not provided."
}
]
}
Is it possible to use the Amazon Cognito Domain as the OIDC Issuer URL on AppSync in a different account? Or am I using the wrong domain?
I know this pretty much works out of the box by using the "Amazon Cognito User Pool" authorization provider, but that only works if Cognito and AppSync are in the same account. I also got Auth0 OIDC with client_credentials to work per this doc, but would like to use Cognito in a different account if possible.

The issuer URL should look like this:
https://cognito-idp.<aws-region>.amazonaws.com/<userpool-id>
Source:
https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt

Related

How to get custom attributes back from AWS Cognito & OIDC when using AWS Amplify?

We're developing a website with AWS Amplify that uses Cognito to handle the authentication. I've configured the user pool in Cognito to use Keycloak as the OIDC IDP. The basics of logging in and out are all working as desired.
I now want to get more information back from Keycloak into the Amplify app. If I use https://openidconnect.net/ as a test point for authenticating to Keycloak as if it was Cognito, I can decode the JWT in https://jwt.io and see the additional information I'm after.
In Cognito, in General Settings > Attributes, I've added a custom attribute "groups":
In General settings > App clients, I've marked that attribute as readable:
Under Federation > Attribute mapping, I've mapped the OIDC attribute to the User pool attribute:
but, when I authenticate in the web application and dump the payloads for the ID and access tokens, I cannot see the "custom:groups" attribute.
What am I missing or misunderstanding here?
Thanks.

Aws Cognito : how to get the token for API command line testing?

I am attempting to authenticate to a REST API in AWS API Gateway, which is protected by AWS Cognito, from the command line to do some security testing of the API. So I'm supposed to send the authentication token to get an answer, except I just can't figure out how to get that token!
Our Cognito User Pool is configured for Authorisation Code Grant Flow and Implicit Grant, but not for Client Credentials. Everything I found out during my research was about Client Credentials, so if anyone had a command line that actually works with these parameters it would be really nice!
If you have a REST API in AWS API Gateway that has Cognito authentication enabled, you need to pass the JWT generated by Cognito in an HTTP request header. To retrieve the JWT, you could either log in through the Cognito Hosted UI or use the InitiateAuth or AdminInitiateAuth API calls that AWS provides.

To clarify further: with the Implicit Grant flow you get only an ID token and an access token back. With the Authorization Code Grant flow you get a code back, which you exchange for JWTs at Cognito's TOKEN endpoint.

An example of the AdminInitiateAuth API call (via the AWS CLI), as given in the AWS Cognito documentation:
aws cognito-idp admin-initiate-auth --user-pool-id us-west-2_aaaaaaaaa --client-id 3n4b5urk1ft4fl3mg5e62d9ado --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=jane@example.com,PASSWORD=password
These API calls, or the Hosted UI authentication mechanism, give you an OIDC-compliant ID token and an access token after you log in successfully. After you retrieve the token, pass it in the Token Source that you set up when creating the REST API authorizer in AWS API Gateway. To know more about passing a parameter in a cURL request header, have a look at this StackOverflow question.
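The callback-to-token step described in the answer above, as an added example (not code from the answer or from AWS): it classifies what the Hosted UI returns to the redirect URI under each grant (tokens in the URL fragment for the implicit grant, a one-time code in the query string for the authorization code grant), builds the POST to the TOKEN endpoint for that code, and renders it as a curl command line. The domain, redirect URI, code and client secret are made-up placeholders; the client ID is the one from the CLI example.

```python
"""From a Cognito Hosted UI login to a JWT you can put in a curl header (added example)."""
import base64
import shlex
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_PATH = "/oauth2/token"  # the TOKEN endpoint lives under the user pool domain


def parse_callback(redirect_url):
    """Classify what the Hosted UI sent back to the redirect URI.

    Implicit grant: id_token/access_token ride in the URL fragment and are final.
    Authorization code grant: a one-time ?code=... arrives in the query string and
    must still be exchanged at the TOKEN endpoint before you have any JWT.
    """
    parts = urlparse(redirect_url)
    fragment = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "access_token" in fragment or "id_token" in fragment:
        return {"flow": "implicit", "id_token": fragment.get("id_token"),
                "access_token": fragment.get("access_token")}
    if "code" in query:
        return {"flow": "code", "code": query["code"]}
    error = query.get("error") or fragment.get("error")
    if error:
        return {"flow": "error", "error": error,
                "description": query.get("error_description") or fragment.get("error_description")}
    raise ValueError("redirect URL carries neither tokens, a code, nor an error")


def build_token_exchange(domain, client_id, redirect_uri, code, client_secret=None):
    """Build the POST that turns an authorization code into ID/access/refresh tokens.

    redirect_uri must be byte-identical to the one sent on /oauth2/authorize.
    App clients with a secret authenticate with HTTP Basic (client_id:client_secret);
    clients without a secret send client_id in the form body instead.
    """
    url = f"https://{domain}{TOKEN_PATH}"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if client_secret:
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {basic}"
    else:
        form["client_id"] = client_id
    return url, headers, urlencode(form)


def as_curl(url, headers, body):
    """Render the request as a curl command, shell-quoting every argument."""
    parts = ["curl", "-s", "-X", "POST", url]
    for name, value in headers.items():
        parts += ["-H", f"{name}: {value}"]
    parts += ["--data", body]
    return " ".join(shlex.quote(p) for p in parts)


# Constructed sample callbacks (not real Cognito output)
IMPLICIT_CALLBACK = ("https://app.example.com/cb#id_token=eyJ.id.sig&access_token=eyJ.at.sig"
                     "&expires_in=3600&token_type=Bearer")
CODE_CALLBACK = "https://app.example.com/cb?code=a1b2c3d4-0000-1111-2222-333344445555"

if __name__ == "__main__":
    got = parse_callback(CODE_CALLBACK)
    url, headers, body = build_token_exchange(
        "test.auth.us-east-1.amazoncognito.com",  # placeholder pool domain
        "3n4b5urk1ft4fl3mg5e62d9ado", "https://app.example.com/cb",
        got["code"], client_secret="example-secret")
    print(as_curl(url, headers, body))
```

The code from the callback is single-use and short-lived, so run the exchange promptly; the access token in the response is what goes into the header that the API Gateway authorizer's Token Source names.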

Amazon Cognito Authenticated User with Auth0

I've been trying to use the authenticated code provided from Auth0 and AWS Cognito to authenticate a user but when I go to the AWS Cognito Console dashboard I see no identities have been created.
Logic flow should be this: I get my JWT from Auth0 when a user logs in and I use that to get my AWS Cognito Credentials - I use the following code:
CognitoAWSCredentials credentials = new CognitoAWSCredentials (
"us-east-1:11047a24-xxxx-xxxx-xxxx-111111111", // Identity Pool ID
Amazon.RegionEndpoint.USEast1); // Region
credentials.AddLogin("stef.auth0.com", id_token1); //id_token1 from Auth0
I did input the JWT (id_token1) into jwt.io to check the validity of it and it comes back VALID SIGNATURE when I add the Auth0 Client Secret. I am not able to see any errors when I run the code. I am using Xamarin C#. I did all the necessary setup with configuring the provider, setting up the default IAM roles for Cognito Auth/UnAuth. Put in the correct Auth0 client ID into AWS, etc... I can however add an Unauthenticated user but not an Authenticated user.
Am I using the wrong code here? Can someone point me in the right direction please?
Thank you for looking!

How can I allow limited access to API created in aws API gateway?

I have an API in AWS API Gateway.
I want to give limited access to a user; how can I do that?
Or, if possible, how can I create a signed URL for API access? Does anyone have any idea?
I can disable it from the API Gateway console, but can I give a user time-limited access?
You can use AWS Cognito to authenticate your user against Google/Twitter/Facebook. Then in Cognito you configure the Role the temporary IAM user should have that Cognito returns. This Role should at least have rights to call your API Gateway.
In the API Gateway you can configure your endpoints so that it is required to have a valid IAM authentication.
Lastly if you want to restrict the user, you can make a call to Cognito and remove/adjust his account to block him.

Integrating AWS Cognito with API for authentication

Can we integrate AWS cognito to authenticate API calls to our back-end? I was planning to use cognito access token which would be given to a reverse proxy server to create a JWT by value for back-end micro services. But I could not find any method to check the AWS token for validity. Any suggestions?
Thanks :)
Amazon Cognito was not designed to secure developer built APIs and I would caution you from using only the Amazon Cognito token to secure your API.
That being said, the vended Amazon Cognito token is a normal JWT signed using asymmetric encryption. This thread on the AWS forums has some example code in C# that another customer was able to use to verify the token.
Update 2015-07-09 AWS has announced Amazon API Gateway. Using API Gateway you can build a REST interface to your existing API (or to AWS Lambda functions) secured with credentials retrieved via an Amazon Cognito authflow. See this blog post for additional announcement details.
You can retrieve the JWT tokens after authenticating users using Cognito. Pass the Access or ID token (depending on usecase) to your backend app and decode the token using any standard JWT decoder libraries.
Here is an article with sample code for reference explaining the process.
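The token validation that this answer and the AppSync issuer answer near the top of the page both rely on, as an added example (not the page's, the linked article's or AWS's code): a stdlib-only verifier that performs the checks in the awslabs decode-verify-jwt sample. It looks the token's kid up in a JWKS of the shape served at <issuer>/.well-known/jwks.json, checks the RS256 signature, and only then checks exp, iss, token_use and client_id (or aud for an ID token). The pool ID, client ID and RSA key are constructed placeholders, and the 1024-bit hand-rolled RSA exists only so the sample runs offline; in production use a maintained JWT library and fetch the JWKS from the issuer. The iss check also shows why configuring the Hosted UI domain as the issuer fails: the pool writes its cognito-idp URL into the iss claim.

```python
"""Verify a Cognito-style RS256 JWT against the issuer's JWKS, entirely offline."""
import base64, hashlib, json, secrets, time

# Minimal RSA / PKCS#1 v1.5 (SHA-256): stdlib-only stand-in with no third-party
# dependencies. Use a maintained JWT library in production, not this.
def _probable_prime(n, rounds=20):  # Miller-Rabin, for the odd n > 3 generated below
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def _random_prime(bits):
    c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
    return c if _probable_prime(c) else _random_prime(bits)
def generate_rsa_key(bits=1024):  # 1024 keeps the demo fast; Cognito's keys are 2048-bit
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _pkcs1_v15_encode(msg, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_v15_encode(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")
def rs256_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    return secrets.compare_digest(em, _pkcs1_v15_encode(msg, k))

# JWT / JWKS plumbing
def _b64url(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64url(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _int_b64url(i): return _b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))
def jwks_for(key, kid):  # same shape as <issuer>/.well-known/jwks.json, one key
    return {"keys": [{"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig",
                      "n": _int_b64url(key["n"]), "e": _int_b64url(key["e"])}]}
def issue_token(key, kid, claims):  # mints a JWT as the pool would (test helper only)
    h = _b64url(json.dumps({"alg": "RS256", "kid": kid}).encode())
    p = _b64url(json.dumps(claims).encode())
    return f"{h}.{p}.{_b64url(rs256_sign(key, f'{h}.{p}'.encode()))}"

def verify_cognito_token(token, jwks, issuer, client_id, token_use, now=None):
    """Return the claims if valid, else raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    h, p, s = token.split(".")  # ValueError if not a three-part JWT
    header = json.loads(_unb64url(h))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("kid not found in JWKS")
    n, e = (int.from_bytes(_unb64url(key[f]), "big") for f in ("n", "e"))
    if not rs256_verify(n, e, f"{h}.{p}".encode(), _unb64url(s)):
        raise ValueError("signature verification failed")
    claims = json.loads(_unb64url(p))  # only trusted once the signature holds
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    if claims.get("token_use") != token_use:
        raise ValueError("wrong token_use")
    audience = claims.get("client_id") if token_use == "access" else claims.get("aud")
    if audience != client_id:
        raise ValueError("token not issued for this client")
    return claims

# Constructed placeholders. The issuer is the pool's cognito-idp URL, not the Hosted
# UI domain (e.g. https://test.auth.us-east-1.amazoncognito.com), which iss never equals.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "3n4b5urk1ft4fl3mg5e62d9ado"
KEY = generate_rsa_key()
JWKS = jwks_for(KEY, "key-1")
def access_token(**overrides):  # a well-formed access token, with optional bad claims
    claims = {"iss": ISSUER, "client_id": CLIENT_ID, "token_use": "access",
              "exp": int(time.time()) + 3600, "scope": "api/read"}
    return issue_token(KEY, "key-1", {**claims, **overrides})
def rejection_reason(token, issuer=ISSUER):  # why the verifier rejects, or 'accepted'
    try:
        verify_cognito_token(token, JWKS, issuer, CLIENT_ID, "access")
        return "accepted"
    except ValueError as err:
        return str(err)
def demo_tampered():  # attacker rewrites the scope claim but cannot re-sign
    h, p, s = access_token().split(".")
    forged = json.dumps({**json.loads(_unb64url(p)), "scope": "api/admin"}).encode()
    return rejection_reason(f"{h}.{_b64url(forged)}.{s}")
```

Calling rejection_reason(access_token(), issuer="https://test.auth.us-east-1.amazoncognito.com") returns "issuer mismatch", which is the cross-account AppSync situation at the top of the page: the token is perfectly valid, but the configured issuer does not match the cognito-idp URL in its iss claim. A real verifier also needs to cache the JWKS and refetch on an unknown kid, since pools rotate keys.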