Providing Authorization to API Gateway with Cognito Identity Pools.
- Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST and WebSocket APIs at any scale.
- API developers can create APIs that access AWS or other web services as well as data stored in the AWS Cloud.
- As an API Gateway API developer, you can create APIs for use in your own client applications (apps). Or you can make your APIs available to third-party app developers.
Authentication means confirming your own identity. It is about validating your credentials, such as a user name/user ID and password, to verify your identity. Using those credentials, the system determines whether you are who you say you are. In public and private networks, the system authenticates the user's identity via login passwords.
When you insert your ATM card into the ATM, the machine asks you to enter your PIN. After you enter the PIN correctly, the bank confirms your identity: that the card really belongs to you and that you are its rightful owner. By validating your ATM card PIN, the bank verifies your identity, which is called authentication. It merely identifies who you are, nothing else.
Authorization is the process of determining whether the authenticated user has access to particular resources. It verifies your rights in order to grant you access to resources such as information, databases, files, etc. Authorization usually comes after authentication and establishes which privileges you have to perform actions. In simple terms, it is like giving someone official permission to do something.
The process of verifying and confirming employees' IDs and passwords in an organization is called authentication, but determining which employee has access to which floor is called authorization.
In simple terms, authentication is the process of verifying who you are, while authorization is the process of verifying what you have access to.
- Amazon Cognito is an Amazon Web Services product that controls user authentication and access for mobile applications on internet-connected devices.
- Cognito is used to create an identity pool, which is simply a set of users that can be created, each with their own credentials.
- By using Cognito to authorize calls to our REST API in API Gateway, we can secure the API.
API Gateway custom authorizers are Lambda functions that are called before your main function to authenticate and/or authorize the caller before the request reaches your core function. When a custom authorizer runs, you may reject the request by indicating that it is unauthorized, or you may allow the request to continue to its requested resource.
You can provide a custom authorizer to API Gateway using two approaches. They are:
1. Lambda Function.
2. Cognito Identity Pools.
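To make the first approach concrete, here is an added example of a TOKEN-type Lambda authorizer in Python. It is not code from the original post: it reads the token from the Authorization header, verifies it, and returns the IAM policy document that API Gateway expects, rejecting the call with the same "Unauthorized" message the post observes for a bad token. One assumption to note: a real Cognito user pool signs its tokens with RS256 and you would verify them against the pool's JWKS endpoint; this example signs and verifies with HS256 and a constructed shared secret so that it runs offline, and the issuer, client ID and method ARN values are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions, not from the post). A real Cognito user
# pool signs tokens with RS256 and you verify them against the pool's JWKS;
# HS256 with a shared secret is used here only so the example runs offline.
DEMO_SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
EXPECTED_CLIENT_ID = "example-app-client-id"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_demo_token(sub: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Mint an HS256 JWT shaped like a Cognito ID token (demo stand-in for the user pool)."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "sub": sub, "iss": EXPECTED_ISSUER, "aud": EXPECTED_CLIENT_ID,
        "token_use": "id", "iat": now, "exp": now + ttl_seconds,
    }).encode())
    signature = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is authentic and still valid, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # any altered or missing letter lands here
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def build_policy(principal_id: str, effect: str, method_arn: str, context: dict) -> dict:
    """Authorizer response: an IAM policy scoped to the invoked method ARN."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        # string/number/bool values only; reaches the backend as $context.authorizer.*
        "context": context,
    }


def lambda_handler(event: dict, context=None, now: Optional[int] = None) -> dict:
    """TOKEN-type Lambda authorizer entry point: Allow a valid token, otherwise answer 401."""
    raw = event.get("authorizationToken", "")
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else raw
    try:
        claims = verify_token(token, now=now)
    except Exception:
        # This exact message makes API Gateway reply 401 {"message":"Unauthorized"};
        # returning a Deny policy instead would produce 403.
        raise Exception("Unauthorized")
    return build_policy(claims["sub"], "Allow", event["methodArn"], {"token_use": claims["token_use"]})
```

The `now` parameter exists only so the expiry check can be exercised deterministically; Lambda itself invokes `lambda_handler(event, context)` with two arguments. The design point worth keeping when you swap in real JWKS verification is the order of checks: signature first, then issuer, audience, token type and expiry, and a single "Unauthorized" outcome for every failure so the response leaks nothing about which check tripped.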
Steps to create a custom authorizer for API Gateway using Cognito:
Step 1: Create the API in API Gateway and assign the corresponding Lambda function to it.
Deploy your API to test it.
Step2: Click on your API Gateway and then on Authorizers.
Step 3: The authorizer is now created for our API. Next, add the created authorizer to the Method Request of our API, as shown:
Step 4: Then redeploy your API to save the changes. You will get the URL to invoke the API; copy that URL to test it.
Step 5: In Postman, paste that URL and select the same method type you used in API Gateway.
Step 6: Click on Headers, set Key to “Authorization” and Value to the generated token, then click the Send button to check whether the user is authorized.
Generated Token — the token created for the user.
- If the user exists in the Cognito user pool, you will be directed to the service access you have provided for valid users.
- If the token is not valid (e.g. any letter is missing from the token), the API returns the message “Unauthorized”, as shown.
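The Postman steps above can be reproduced from a script, which also answers the question the post leaves open: where the "Generated Token" comes from. The following is an added example, not code from the original post. It builds the Cognito InitiateAuth call (the USER_PASSWORD_AUTH flow, which must be enabled on the app client) that returns an IdToken for a user in the user pool, then sends that token in the Authorization header exactly as Step 6 does and reports the status and body, including the 401 "Unauthorized" reply for a damaged token. The region, app client ID and invoke URL are placeholders; the `opener` parameter is an assumption of this example that lets the call be exercised without network access.

```python
import json
import urllib.error
import urllib.request

# Constructed placeholder values (assumptions, not from the post).
REGION = "us-east-1"
APP_CLIENT_ID = "EXAMPLE_APP_CLIENT_ID"
INVOKE_URL = "https://EXAMPLE_API_ID.execute-api.us-east-1.amazonaws.com/prod/hello"


def build_initiate_auth_request(username: str, password: str, region: str = REGION,
                                client_id: str = APP_CLIENT_ID) -> urllib.request.Request:
    """Build the unsigned InitiateAuth call that returns the user's Cognito tokens.

    InitiateAuth is one of the Cognito operations that does not need SigV4 signing,
    so plain urllib is enough; USER_PASSWORD_AUTH must be enabled on the app client.
    """
    body = {
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": client_id,
        "AuthParameters": {"USERNAME": username, "PASSWORD": password},
    }
    return urllib.request.Request(
        f"https://cognito-idp.{region}.amazonaws.com/",
        data=json.dumps(body).encode(),
        headers={
            "Content-Type": "application/x-amz-json-1.1",
            "X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth",
        },
        method="POST",
    )


def extract_id_token(initiate_auth_response: dict) -> str:
    """Pick the IdToken out of a successful InitiateAuth reply (this is the 'Generated Token')."""
    return initiate_auth_response["AuthenticationResult"]["IdToken"]


def call_protected_api(token: str, url: str = INVOKE_URL, method: str = "GET",
                       opener=urllib.request.urlopen) -> tuple:
    """Mirror Step 6: send the token in the Authorization header; return (status, body)."""
    req = urllib.request.Request(url, headers={"Authorization": token}, method=method)
    try:
        with opener(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        # API Gateway answers 401 {"message":"Unauthorized"} when the Cognito
        # authorizer rejects the token, and 403 when the policy denies the method.
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Live usage (needs a real user pool, app client and deployed API):
    with urllib.request.urlopen(build_initiate_auth_request("alice", "CHANGE_ME")) as auth:
        id_token = extract_id_token(json.loads(auth.read()))
    print(call_protected_api(id_token))            # expect 200 and the Lambda's response
    print(call_protected_api(id_token[:-1]))       # one letter dropped: expect 401 Unauthorized
```

Note that the header name is `Authorization` with the raw token as the value, which is how the post configures the Cognito authorizer; if the authorizer's token source were configured differently, the header name here would need to change to match.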