这是否可以使用 cognito 的授权代码授权类型作为 api-gateway 中的授权人？

Question

I would like to know is there any way or possibility to implement authorization code grant type as Authroizer in securing API gateway? As is searched, 'Authorization code' grant type is most recommended for securing API. i found below article which explain's using cognito 'client credentials' as grant type to secure the api gateway,

https://medium.com/@awskarthik82/part-1-securing-aws-api-gateway-using-aws-cognito-oauth2-scopes-410e7fb4a4c0

I tried the similar way to create an API gateway, where i have done following integration:

1. Created user pool 'UI Hosted' in cognito with the grant type - 'Authorization code'

2. Add the resource server

3. Choosed default scopes as i don't want to add any new scope

4. Associated call back uri

Now iam able to access the login page to sign up and sign in and it return the 'Authorization code' in the call back uri

In API gateway

1. I created an API and integrated some mock response

2. Attached above user pool as Authorizer in the api gateway and deployed

Now when i invoke the api without passing token, it returns 'Unauthorized'

So i used below approach to extract the access token from cognito

How programtically exchange the authorization code to get the access token from cognito using python

And passed the token in the api header using post man, but still i am getting 'Unauthorized' response

So would like to know what needs to be done in api gateway in order to verify the token or what went wrong in this approach..?

Appreciate if anybody can help on this?

Thanks

Answer 1

Your API's role is to just deal with incoming access tokens from API clients. The API doesn't care what flow was used to get the token. Here is by far the most common behaviour:

• UI logs the user in using Authorization Code flow - usually the PKCE variant
• This involves the UI calling the Authorization Server - eg AWS Cognito
• Once login completes the UI calls the API Gateway URL with an access token / JWT
• The API then needs to validate the access token by verifying its signature

Here is some sample code in case it helps:

• Lambda Authorizer Code to Verify Cognito Tokens
• Web UI Code to implement Authorization Code Flow

AWS API Gateway has built in support for Cognito authorizers as in the screenshot on the left below.

For more control over behaviour you can instead create a custom lambda authorizer in code, which returns an AWS policy document, as in the screenshot on the right. My blog post and the above source code link has some further details, though it is quite detailed / advanced.

Answer 2

finally i got the answer here..

https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/

so i created a simple flask logic here to exchange the auth code to get the 'id_token' from cognito, which further can pass in the api header to get the response.

def getToken(auth_code):
    response=''
    try:
        print("Code is", auth_code)
        response = requests.post(url + '/oauth2/token',{'Content-Type':'application/x-www-form-urlencoded', 'grant_type': grant_type, 'client_id': App_client_id,  'code': auth_code, 'redirect_uri': 'http://localhost:5000/login'})
        if response.status_code != 200:
            return "Not a valid response"
        print("Response is", response.json())
        token_value = response.json()
        print("Token value", token_value['id_token'])
        return token_value['id_token']

    except TypeError as e:
        print("Error is",e)