
Can we integrate AWS cognito to authenticate API calls to our back-end? I was planning to use cognito access token which would be given to a reverse proxy server to create a JWT by value for back-end micro services. But I could not find any method to check the AWS token for validity. Any suggestions?

Thanks :)

Yves M.
skwalker

2 Answers


Amazon Cognito was not designed to secure developer-built APIs and I would caution you from using only the Amazon Cognito token to secure your API.

That being said, the vended Amazon Cognito token is a normal JWT signed using asymmetric encryption. This thread on the AWS forums has some example code in C# that another customer was able to use to verify the token.

Update 2015-07-09: AWS has announced Amazon API Gateway. Using API Gateway you can build a REST interface to your existing API (or to AWS Lambda functions) secured with credentials retrieved via an Amazon Cognito authflow. See this blog post for additional announcement details.

Bob Kinney
  • Thanks Bob :) but I am still wondering if it's possible to check the identity pool if the Cognito token exists? Because I will have to implement the entire oAuth flow and all the other things which Cognito will save me from. – skwalker May 25 '15 at 16:19
  • @skwalker You can validate that the token is valid and generated from Amazon Cognito. What else do you need to verify? – Bob Kinney May 25 '15 at 16:30
  • Could you please provide a link to any samples for this, it will be quite helpful. Thanks :). I thought the only way to cross reference was to list all identities and then scan through on the server. My bad – skwalker May 25 '15 at 16:45
  • The token is signed and can be verified. If you read the forum thread I linked to, it includes example code for validating the token. – Bob Kinney May 25 '15 at 16:47
  • I am trying to use the Cognito Id as an auth verification for my APIs, like the app will send me the Cognito Id and I check if it exists with AWS and some other things. Yes, I know it's not a good thing, but I need to get my project done soon and implementing the entire auth flow is not feasible at the moment – skwalker May 25 '15 at 16:51
  • Amazon Cognito does have an API for discovering if an Identity exists, but please bear in mind that this API will be throttled aggressively as it is not intended to be used for validation. http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_DescribeIdentity.html – Bob Kinney May 25 '15 at 17:18
  • Hi @BobKinney, regarding your update 2015-07-09 mentioning API Gateway with Amazon Cognito, I could not find proper documentation for passing Cognito credentials to authorize Amazon API Gateway methods. It would be of great help if you could provide some reference code or point me to some resource. – rk2 Jul 16 '15 at 22:46
  • @rk2 API Gateway uses standard [Signature V4](http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). If you are using the generated SDKs provided by the API Gateway console, it should just be a matter of instantiating the client with the appropriate credentials provider. That being said, I've reached out to the API Gateway team to see if there are more specific docs we can point you to. – Bob Kinney Jul 17 '15 at 05:11
  • @BobKinney I have a similar query, I request your URGENT attention on this question (I am in a kind of fix): http://stackoverflow.com/questions/32456124/aws-api-gateway-with-cognito. Please read the answer and comments too, thanks. Please help – Subham Tripathi Sep 08 '15 at 17:20

You can retrieve the JWT tokens after authenticating users using Cognito. Pass the Access or ID token (depending on the use case) to your backend app and decode the token using any standard JWT decoder library. Here is an article with sample code for reference explaining the process.

stackOp
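Both answers come down to the same check: the Cognito token is an RS256 JWT, so a back-end (or the reverse proxy in the question) verifies its signature against the issuer's published public keys and then checks the claims, rather than calling AWS per request. The Go program below is an added example written for this page; it is not code from this thread, from the linked forum post, or from any AWS SDK. It assumes the issuer publishes a JWKS document keyed by `kid`, uses the claim layout of Cognito user pool tokens (`token_use` of `id` or `access`, with the client id in `aud` or `client_id` respectively), and stands in for the issuer by generating its own RSA key and minting a token locally so it runs offline. `PLACEHOLDER_ISSUER` and `PLACEHOLDER_CLIENT` are placeholders, not real values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding
// parseJWKS maps key ids ("kid") to RSA public keys; in production the document comes from
// the pool's /.well-known/jwks.json endpoint and is cached, never embedded.
func parseJWKS(doc []byte) (map[string]*rsa.PublicKey, error) {
	var set struct{ Keys []struct{ Kid, Kty, N, E string } }
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	keys := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil {
			return nil, fmt.Errorf("unusable key %q", k.Kid)
		}
		keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return keys, nil
}

// verifyToken checks the RS256 signature, expiry, issuer and audience and returns the claims. clientID
// is matched against "aud" on ID tokens and "client_id" on access tokens, as Cognito user pools lay them out.
func verifyToken(token string, keys map[string]*rsa.PublicKey, issuer, clientID string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	hb, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" || keys[hdr.Kid] == nil {
		return nil, fmt.Errorf("header rejected: need alg RS256 and a known kid") // never let the token pick alg or key
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(keys[hdr.Kid], crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify")
	}
	var claims map[string]any
	pb, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, fmt.Errorf("payload is not a JSON object")
	}
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64; a missing exp reads as 0 and fails below
	switch use := claims["token_use"]; {
	case float64(now.Unix()) >= exp:
		return nil, fmt.Errorf("token expired")
	case claims["iss"] != issuer:
		return nil, fmt.Errorf("unexpected issuer")
	case use == "id" && claims["aud"] == clientID, use == "access" && claims["client_id"] == clientID:
		return claims, nil
	}
	return nil, fmt.Errorf("unexpected token_use or audience")
}

// jwksFor publishes one RSA public key as a JWKS document, the way an issuer does.
func jwksFor(pub *rsa.PublicKey, kid string) []byte {
	doc, _ := json.Marshal(map[string][]map[string]string{"keys": {{"kid": kid, "kty": "RSA",
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return doc
}

func newKeyPair() *rsa.PrivateKey { // stands in for the issuer's signing key
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return priv
}

// mintToken stands in for the issuer so the example runs offline; a real back-end never holds the signing key.
func mintToken(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	priv := newKeyPair()
	keys, _ := parseJWKS(jwksFor(&priv.PublicKey, "key-1"))
	// Placeholder issuer and client id; a real issuer is https://cognito-idp.<region>.amazonaws.com/<pool id>.
	tok := mintToken(priv, "key-1", map[string]any{"iss": "PLACEHOLDER_ISSUER", "aud": "PLACEHOLDER_CLIENT", "token_use": "id", "sub": "user-123", "exp": time.Now().Add(time.Hour).Unix()})
	claims, err := verifyToken(tok, keys, "PLACEHOLDER_ISSUER", "PLACEHOLDER_CLIENT", time.Now())
	fmt.Println("accepted:", err == nil, "sub:", claims["sub"])
}
```

In a real deployment the JWKS comes from the user pool's `https://cognito-idp.<region>.amazonaws.com/<user pool id>/.well-known/jwks.json` endpoint and is cached with a refresh on an unknown `kid`; the issuer string is that same URL without the `/.well-known/jwks.json` suffix. The signature check alone only proves Cognito issued the token, which is why the example also pins the algorithm, rejects unknown keys, and checks `exp`, `iss`, `token_use` and the client id before trusting `sub`; once those pass, the reverse proxy from the question can mint its own short-lived JWT for the downstream services.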