Secure Your APIs with Cognito Authorizers for AWS API Gateway
AWS Cognito is a managed identity and access management service provided by Amazon Web Services (AWS). It simplifies user authentication and authorization and can be used as an authorizer to control access to APIs in API Gateway. Once a user is authenticated against the Cognito user pool, Cognito issues ID and access tokens to the user, which can then be sent in the request’s “Authorization” header to access the APIs.
In this blog post, we’ll guide you through setting up authentication and authorization for an API using Amazon Cognito and Postman. We’ll cover steps like configuring a Cognito user pool for API Gateway, setting up OAuth 2.0 authorization in Postman to obtain tokens, and accessing protected API endpoints. By following these steps, you can ensure secure access to your APIs, allowing only authenticated users to interact with them.
This guide assumes users already have a basic understanding of AWS services like Cognito and API Gateway.
Configure a Cognito User Pool
We will create a user pool and app client with minimal configuration. You can also follow this tutorial provided by AWS to set up a user pool and app client.
Navigate to Cognito and click on “Create user pool” to launch the user pool creation process.
Select “Email” as sign-in option and click Next.
Keep the default password policy, deactivate Multi-Factor Authentication (MFA), and disable self-service account recovery, following the steps outlined above. Then, proceed by clicking ‘Next’.
Enable self-registration since we will be utilizing the Cognito hosted UI for signing up new accounts. Disable text-based account confirmation to avoid the need for configuring additional steps for text messages. Skip the required attributes section and proceed by clicking ‘Next’.
Opt for ‘Send email with Cognito’ instead of using SES, as configuring SES would require additional steps. Proceed by clicking ‘Next’ to set up the app client.
Enter the name of the user pool and select “Use the Cognito Hosted UI”.
Enter a unique domain prefix, as shown above; the resulting Hosted UI link serves as the sign-in URL.
Provide the app client name and include the callback URL where Cognito will send the authorization code after user authentication. Proceed by clicking ‘Next’ to review all settings and create the user pool.
Add a User
After setting up the Cognito user pool, add a new user to the user pool either by creating the user under the ‘Users’ tab or using the Hosted UI. We will utilize this user to obtain the token and then use that token to access the API.
Next, open the user pool and go to the ‘App Integration’ tab. From there, open the app client as illustrated below.
Navigate to the “Hosted UI” section and click on “View Hosted UI” to open the Cognito hosted UI.
To sign up a new user, simply click on the “Signup” link, as depicted below.
Setup Cognito Authorizer
Follow this tutorial provided by AWS to create a REST API without authorization. After setting up the API, proceed to create an API authorizer following the steps outlined below.
Navigate to API Gateway, select the PetStore API and click on “Authorizers” as shown below.
Click the ‘Create Authorizer’ button on the screen to proceed with creating an Authorizer.
Specify the Authorizer name, choose ‘Cognito’ as the Authorizer type, and select the user pool created in the previous step. Set ‘Authorization’ as the token source, which will be utilized to send the token through Postman.
After setting up the authorizer, proceed to modify the API resource methods and select the Cognito user pool authorizer created in the previous step, as demonstrated below. Deploy the API to a stage for the changes to take effect.
Testing with Postman
Next, we’ll configure OAuth 2.0 authorization in Postman to authenticate with the previously created user and obtain the tokens. Once authenticated, we’ll receive ID, access, and refresh tokens. We’ll utilize the ID token to access the API.
OAuth 2.0 Authorization
Set Authorization type to OAuth 2.0. Configure the parameters for “Configure New Token” as demonstrated below. The Client ID is the app client ID shown in the “Add a User” section.
Auth URL — https://{domain prefix}.auth.us-east-1.amazoncognito.com/oauth2/authorize
Access Token URL — https://{domain prefix}.auth.us-east-1.amazoncognito.com/oauth2/token
Once all the parameters are configured, click on the “Get New Access Token” button. This will open the hosted UI sign-in window. Enter the credentials, and once the user is authenticated, we will receive the tokens as demonstrated below. Scroll down to view the ID token and copy it, as we will use this token to call the API.
Test API Access
Open a new tab in Postman and create a new GET request, then copy the URL from the “PetStore” API. Click on “Send,” and you will receive a 401 Unauthorized error, because the GET method is now protected and cannot be accessed without a valid token.
Now, let’s add the “Authorization” header and paste the ID token that we copied earlier, as demonstrated below. Click on “Send” and now the API will send the response with the list of pets.
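As an added illustration (not code from the original post), the following Python sketch shows what Postman does behind the “Get New Access Token” button for the Auth URL and Access Token URL above, and the claim checks a service should apply to the ID token that ends up in the “Authorization” header; the user pool ID, app client ID, domain prefix and callback URL are constructed placeholders, and the sample token carries a dummy signature because real verification needs the pool’s JWKS.

```python
import base64
import json
from urllib.parse import urlencode

REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"           # placeholder user pool ID (constructed)
CLIENT_ID = "example-app-client-id"          # placeholder app client ID (constructed)
DOMAIN_PREFIX = "example-domain-prefix"      # Hosted UI domain prefix (constructed)
CALLBACK_URL = "https://localhost/callback"  # placeholder app client callback URL
COGNITO_BASE = f"https://{DOMAIN_PREFIX}.auth.{REGION}.amazoncognito.com"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

def authorize_url(state: str) -> str:
    """The 'Auth URL' request Postman opens in the Hosted UI sign-in window."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "scope": "openid email",
              "redirect_uri": CALLBACK_URL, "state": state}
    return f"{COGNITO_BASE}/oauth2/authorize?" + urlencode(params)

def token_request(code: str) -> tuple[str, dict]:
    """The form POST Postman sends to the 'Access Token URL' to swap the code for tokens."""
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": code, "redirect_uri": CALLBACK_URL}
    return f"{COGNITO_BASE}/oauth2/token", body

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT; this does NOT verify the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_id_token(claims: dict, now: float):
    """Claim checks to apply to a Cognito ID token after its RS256 signature has been
    verified against the pool's JWKS. Returns None if acceptable, else the reason."""
    if claims.get("iss") != ISSUER:
        return "issuer is not this user pool"
    if claims.get("aud") != CLIENT_ID:
        return "audience is not this app client"
    if claims.get("token_use") != "id":
        return "not an ID token"
    if claims.get("exp", 0) <= now:
        return "token expired"
    return None

def sample_id_token(exp: float) -> str:
    """Constructed ID token with a dummy signature, only for exercising the checks."""
    header = b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "token_use": "id", "exp": exp}
    return f"{header}.{b64url(json.dumps(claims).encode())}.dummy-signature"
```

The authorizer accepts the ID token here because the method was configured without OAuth scopes; once scopes are set on a method, API Gateway expects the access token instead, whose type claim is token_use “access” and whose client claim is client_id rather than aud.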
Conclusion
In conclusion, this blog has guided you through the process of setting up authentication and authorization for an API using Cognito authorizer and Postman. We covered steps such as configuring a Cognito user pool, setting up OAuth 2.0 authorization in Postman, obtaining tokens, and accessing protected API endpoints. By following these steps, you can ensure secure access to your APIs while allowing only authenticated users to interact with them. If you have any further questions or need additional assistance, feel free to reach out. Thank you for reading!