
How to use AWS Cognito to authenticate API Gateway

I've developed a GraphQL API in API Gateway. I want my users to be able to call this API and use it in their own applications. However, the data is sensitive and I want to use Cognito to authenticate the users. I have a few questions...

1) Since there is no 'app' for them to log into, how would users be able to receive a token so they can be authenticated and can query the API?

2) I believe that the token will expire every hour. I imagine this may frustrate some of the clients' developers; what suggestions could I offer them to deal with getting the token updated every hour?

3) After reading through the documentation (this specifically), it seems like I need to use the "Amazon Cognito CLI/SDK or API to sign a user in to the chosen user pool, and obtain an identity token or access token...." Clicking on the "SDK" leads to a GitHub repo. That GitHub repo says that the SDK will no longer be developed and that it is now AWS Amplify.

Are there any logic holes that I am missing here?

Amplify is an integral app creation solution from AWS. So clients of yours that are developing Amplify apps will use the AWS Amplify Cognito SDK. Web apps and others will use different libraries or just post to your Cognito auth endpoint.

Regardless of how they reach your Cognito user pool, the first thing you need to do is create your user pool, then create an Authorizer in your API Gateway API and select the Cognito user pool you want it to use. Then select it in your resource to authorize that particular resource.

After you create a user pool, from inside your user pool, on the left-side menu, there should be an "App Integration > Domain name" section. Here you can get your user pool auth public domain, or assign a custom domain (you have to set it up in your DNS and hook it up to an SSL cert separately). This is the endpoint that client apps will call to get an auth token.

This procedure varies with the authentication flow you use. But for illustration purposes, with the client credentials auth flow for example, your client apps would:

  1. Post a request to the auth domain, with a URL query string param grant_type=client_credentials, and in the headers: authorization: Basic < Base64EncodedString of ClientID:ClientSecret >. This will return a Cognito-signed JWT (JSON Web Token).

  2. Then the client app will use this token to call your API resource. Whenever you call an API Gateway resource that uses this user pool as an authorizer, you just need to put a valid token in the Authorization header.

There's really no way around this; it is how the security model works. Maybe federated identity would be easier, due to the fact that many service libraries/middleware handle this for you (Passport.js for example)... like having the option to log in through Facebook. That still requires multiple steps and calls, though.

As for token expiration, there is no way to change the expiration time (1hr). What we did was, when we get a token-expired response, automatically request another token and retry the API call.

It's a little tedious, but not really that frustrating. If your end users (client app developers) are developing more out-of-the-box app/web-app solutions and are not that experienced with this type of thing, that's what StackOverflow is for :)
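The two-step client credentials flow and the retry-on-expiry pattern described in this answer, as an added Python example that is not part of the post; the user pool domain, API URL and client credentials are placeholders, and note that Cognito only issues client_credentials tokens for a custom scope defined on a resource server and enabled on the app client.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumed, not from the post): your pool's auth domain and API stage URL.
COGNITO_DOMAIN = "https://your-domain.auth.us-east-1.amazoncognito.com"
API_URL = "https://your-api-id.execute-api.us-east-1.amazonaws.com/prod/graphql"


def build_token_request(domain, client_id, client_secret):
    # Step 1 of the answer: POST <domain>/oauth2/token with grant_type=client_credentials
    # and Authorization: Basic base64(client_id:client_secret)
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return domain.rstrip("/") + "/oauth2/token", headers, body

def fetch_token(client_id, client_secret, domain=COGNITO_DOMAIN):
    # Exchanges the app client credentials for a Cognito-signed access token (JWT).
    url, headers, body = build_token_request(domain, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def send_graphql(token, query, api_url=API_URL):
    # Step 2: call the protected resource with the JWT in the Authorization header.
    # Returns (status, body); API Gateway answers 401 for a rejected or expired token.
    data = json.dumps({"query": query}).encode()
    req = urllib.request.Request(api_url, data=data, method="POST", headers={
        "Authorization": token, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def call_with_refresh(send, get_token, token=None):
    # The retry pattern from the answer: reuse a cached token, and on a 401 fetch a
    # fresh one once and retry. Returns (status, body, token) so the caller can cache it.
    token = token or get_token()
    status, body = send(token)
    if status == 401:
        token = get_token()
        status, body = send(token)
    return status, body, token
```

A client would wire it up as `call_with_refresh(lambda t: send_graphql(t, "{ __typename }"), lambda: fetch_token(client_id, client_secret))` and keep the returned token for the next call.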
