This blog post gives you a quick start on using AWS Cognito as a security layer for AWS API Gateway. It is divided into two parts:
- Creation of a user pool in AWS Cognito.
- Creation and configuration of authorizer in API Gateway.
- Create a user pool by clicking on “Create a user pool” in the AWS Cognito console.
- Give the user pool a name and then click on “Review Defaults” to save the pool name.
- In the left sidebar, click on “Attributes”.
- Select “Email address or phone number” and, under it, check “Allow email addresses”.
- Click on the “Next Step” button at the bottom of the page to save the settings.
- Now click on the “Review” link in the sidebar and then click on “Create Pool”.
- After the pool is created, click on “App Client” under “General Settings” in the sidebar.
- Now we are going to create an app client. To do this, click on “Add an app client”.
- Give the app client a name and select the “Enable username-password (non-SRP) flow for app-based authentication (USER_PASSWORD_AUTH)” option. After this, click on “Create app client” to create the client and then click on “Return to pool details”. Note the “app client id”; we will use it later when the application authenticates against Cognito.
- Also note the “Pool Id” on the “General Settings” page, as we need it for Cognito's verification process as well.
Now we are done with creating a user pool in AWS Cognito.
- I’m assuming that an API has already been created, so I will create an authorizer for its methods. We can do this by clicking on “Authorizers” under the API in the sidebar, as shown in the screenshot.
- Now click on “Create New Authorizer” to create a new authorizer.
- Now give the authorizer a name, select “Cognito” as the type, select the region in which the user pool was created, select the user pool, type “Authorization” in Token Source, and then click on “Create”.
- Now select a method to which the authorizer is to be applied and then click on “Method Request”.
- Now set “Authorization” to the created authorizer.
And you are all done. Also enable CORS on this API so that it can be called by other applications.
NOTE: Using the “App client id” and “Pool Id”, your application sends the user's authentication details to AWS Cognito. AWS Cognito authenticates the user and, if the credentials are valid, issues the API access token. Using this token, the client can invoke the APIs, but only those APIs which the client has permission to invoke.
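The client side of the flow described in the note above, as an added example that is not part of the original post: authenticate against the user pool with the USER_PASSWORD_AUTH flow enabled on the app client, pull the tokens out of the response (handling the case where Cognito answers with a challenge instead of tokens), and send the ID token in the Authorization header that the authorizer reads. The pool id, app client id and API URL are placeholders; boto3 is assumed for the networked step only.

```python
import base64
import json
import urllib.request

# Placeholders: replace with the "Pool Id" and "app client id" noted in the console.
USER_POOL_ID = "<pool id>"
APP_CLIENT_ID = "<app client id>"
API_URL = "https://<api id>.execute-api.<region>.amazonaws.com/prod/hello"


def initiate_auth_params(client_id, username, password):
    """InitiateAuth request for the non-SRP USER_PASSWORD_AUTH flow enabled on the app client."""
    return {
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": client_id,
        "AuthParameters": {"USERNAME": username, "PASSWORD": password},
    }

def extract_tokens(response):
    """(id_token, access_token, refresh_token) from an InitiateAuth response. Raises when
    Cognito answers with a challenge (e.g. NEW_PASSWORD_REQUIRED) instead of tokens."""
    if "ChallengeName" in response:
        raise RuntimeError("auth challenge pending: " + response["ChallengeName"])
    result = response["AuthenticationResult"]
    return result["IdToken"], result["AccessToken"], result.get("RefreshToken")

def token_claims(jwt):
    """Decode JWT claims for client-side bookkeeping (exp, token_use, aud).
    No signature check here: verifying the token is the API Gateway authorizer's job."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def api_request(url, id_token):
    """Request carrying the raw ID token in 'Authorization', the authorizer's Token Source."""
    return urllib.request.Request(url, headers={"Authorization": id_token})

def sign_in_and_call(username, password):
    """Full flow against AWS (needs boto3 and network access)."""
    import boto3  # imported here so the helpers above work offline
    cognito = boto3.client("cognito-idp")
    response = cognito.initiate_auth(**initiate_auth_params(APP_CLIENT_ID, username, password))
    id_token = extract_tokens(response)[0]
    claims = token_claims(id_token)
    assert claims["token_use"] == "id" and claims["aud"] == APP_CLIENT_ID
    assert claims["iss"].endswith("/" + USER_POOL_ID)  # issued by our user pool
    with urllib.request.urlopen(api_request(API_URL, id_token)) as resp:
        return resp.read().decode()
```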