AWS API Gateway and Cognito integration

I am creating an api and I only want it accessible to authenticated users in my identity pool. The api calls a lambda function that returns "hello world". When I set no authentication in my api it works fine, but when I create a custom authorizer and set that as my authentication method for my api it returns null.

This is the link I used to help create my custom authenticator

Here is a list of stuff I did:

  1. I am using a Federated identity and made sure I copied the identity pool ID and region properly in the authorizer.js.

  2. I added the Authenticated role, set up in my federated identity, ARNs into the execution role when creating my custom authorizer (not sure if I was supposed to do this).

  3. In my Identity Access Management I attached the AmazonAPIGatewayInvokeFullAccess policy to the Cognito Authorization role.

  4. When I passed no headers and made the api call I get an unauthorized message.

  5. When I passed a fake token in the header and made the api call I get a null message.

  6. When I passed the token provided by AWS in the header and made the api call I get a null message.

  7. When I tried testing the api call in AWS I get a return status of 200 and the "Hello World" message.

Anyone know what the problem is and how to fix it?

-Update-
Here are the areas I modified from the authorizer.js file from the link.

console.log('Loading function');

// Dependencies used by the authorizer: JWT decoding/verification, HTTP
// download of the pool's JWKS, and conversion of each JWK into a PEM.
var jwt = require('jsonwebtoken');
var request = require('request');
var jwkToPem = require('jwk-to-pem');

// The Cognito User Pool whose tokens this authorizer accepts.
var userPoolId = '{REPLACE_WITH_YOUR_POOL_ID}';
var region = '{REPLACE_WITH_YOUR_REGION}'; // e.g. us-east-1
// Expected issuer (iss claim) of tokens from that pool, built from region and pool ID.
var iss = 'https://cognito-idp.' + region + '.amazonaws.com/' + userPoolId;
var pems; // filled from the pool's JWKS (kid -> PEM) the first time the function runs

The only thing I did was add my Cognito userPoolId and region.

I'm just starting out with this so I may be wrong.

I think it is important in this scenario to recognize the fact that there are two separate services provided by AWS:

  1. User Pools--An Identity Provider
  2. Identity Pools--Federated Identity Management Service

Importantly, User Pools can be used as an Identity Provider for Identity Pools.

Now regarding your problem, you'll notice the link you referenced is for setting up a custom authorizer for User Pools. Passing the token you receive from Facebook won't work with the code you have. It would need to be code for validating tokens from Facebook.

If you are interested in using API Gateway with Identity Pools, then you would need to use the Identity Pool sdk to generate a temporary access token which can then be used for interacting with your endpoints.

Instead of using a custom authorizer you would set the authorization settings for your endpoints to use AWS_IAM.

I think the issues you are running into are in large part a result of poor marketing and documentation on Amazon's part. Categorizing the two services (User Pools and Identity Pools) under "Cognito" makes things way more confusing than if they had treated them as the two separate services they really are. Often times documentation or marketing will say Cognito can do this or that, making it unclear which one is providing which functionality. Calling them both pools just makes things even worse.

UPDATE: Some resources that go into detail about how to work with API Gateway and Cognito:

API Gateway recently launched first-party support for Cognito User Pools. You shouldn't have to set up a custom authorizer using Lambda anymore. Just set up a User Pool Authorizer in API Gateway and use it to authenticate users from your pool. Details on setting that up can be found here.

Hope this helps, Ritisha.
