
I am creating an API and I only want it accessible to authenticated users in my identity pool. The API calls a Lambda function that returns "hello world". When I set no authentication on my API it works fine, but when I create a custom authorizer and set that as the authentication method for my API it returns null.

This is the link I used to help create my custom authenticator

Here is a list of stuff I did:

  1. I am using a Federated Identity and made sure I copied the identity pool ID and region properly in the authorizer.js.

  2. I added the Authenticated role's ARN (the role set up in my federated identity) to the execution role when creating my custom authorizer (not sure if I was supposed to do this).

  3. In Identity and Access Management I attached the AmazonAPIGatewayInvokeFullAccess policy to the Cognito Authorization role.

  4. When I passed no headers and made the API call I get an unauthorized message.

  5. When I passed a fake token in the header and made the API call I get a null message.

  6. When I passed the token provided by AWS in the header and made the API call I get a null message.

  7. When I tried testing the API call in AWS I get a return status of 200 and the "Hello World" message.

Anyone know what the problem is and how to fix it?

-Update-
Here are the areas I modified from the authorizer.js file from the link.

console.log('Loading function');

var jwt = require('jsonwebtoken');    // decodes and verifies the JWT
var request = require('request');     // downloads the pool's JWKS (jwks.json)
var jwkToPem = require('jwk-to-pem'); // converts each JWK to PEM for jsonwebtoken

var userPoolId = '{REPLACE_WITH_YOUR_POOL_ID}'; // Cognito User Pool ID (the token issuer)
var region = '{REPLACE_WITH_YOUR_REGION}'; //e.g. us-east-1
var iss = 'https://cognito-idp.' + region + '.amazonaws.com/' + userPoolId; // expected "iss" claim
var pems; // map of kid -> PEM public key, filled from the JWKS

The only thing I did was add my Cognito userPoolId and region.

plot
  • How do you expect people to help you without seeing your actual code? – jfriend00 Aug 12 '16 at 05:30
  • If you click the link I posted, go to the section "Develop a custom Authorizer for Amazon Cognito User Pools" and look at step 1, it tells you to download a blueprint which contains the exact code I used for the Authorizer. I put in my userPoolId and region. I made the REST calls through the terminal using the "curl" command. – plot Aug 12 '16 at 15:53
  • Questions here on Stack Overflow must include the relevant code pasted into the question in order to be considered on-topic here. External links have a habit of disappearing or getting changed, rendering the question useless as a long term reference. Besides, we need to see YOUR code in its proper context, not some sample code in its context. – jfriend00 Aug 12 '16 at 15:55
  • How am I supposed to copy 400+ lines of code and format it properly so it can be in the code tags? I tried copy pasting and it does not work properly. And I used 99.9999999999999999999999999% of the sample code on the link. The only modification I did was add the userPoolId from Cognito and the region, which was instructed in one of the steps, and I do not plan on sharing that information with the public. – plot Aug 12 '16 at 16:08
  • Well, you do need to learn how to format code properly on this site in order to use this site effectively. Then, directly from the help pages: **Questions seeking debugging help ("why isn't this code working?") must include the desired behavior, a specific problem or error and the shortest code necessary to reproduce it in the question itself. Questions without a clear problem statement are not useful to other readers. See: How to create a Minimal, Complete, and Verifiable example.** It is your responsibility to figure out how to include that information. – jfriend00 Aug 12 '16 at 16:19
  • Without seeing YOUR actual code in its context, you seem to be implying that the problem lies entirely with the site you borrowed the code from. That seems unlikely. It is more likely that something is wrong with how you are using that code in the context of your app or how you've modified it. And, we can't help with that until we can see it. – jfriend00 Aug 12 '16 at 16:20
  • jfriend00, do you even understand the context of my question or the environment I am dealing with? If you understood the modifications I did you would realize that it will not help in the slightest, because these modifications are pretty much configurations unique to my AWS Cognito and AWS account, INFORMATION I AM NOT SHARING! It is like putting an IP address in a server application. What difference does it make if I provided a server application template or MY server application where I deleted the template's IP address and added mine. – plot Aug 12 '16 at 16:53
  • You asked a question 14 hours ago. You've received NO answers. There's a reason for that. There is simply not enough information in your question for us to help you. I'm suggesting that if you actually want an answer, you have to remedy that. Plus, you aren't following a number of the Stack Overflow rules for posting questions about code, which means your question should probably be closed. Questions about code MUST include the relevant code. Are you somehow saying that none of this is your fault and the code on the site you got it from is broken and does not work when used properly? – jfriend00 Aug 12 '16 at 16:56
  • You seem to be mad at me, yet I'm the ONLY one who's attempted to try to understand more about your question. I will be leaving now since I only seem to be causing you aggravation. Bye. – jfriend00 Aug 12 '16 at 16:59
  • I have updated my post and added all the areas I modified in authorizer.js. All it was is configuration set up. – plot Aug 12 '16 at 17:10

2 Answers


I'm just starting out with this so I may be wrong.

I think it is important in this scenario to recognize the fact that there are two separate services provided by AWS:

  1. User Pools: an identity provider
  2. Identity Pools: a federated identity management service

Importantly User Pools can be used as an Identity Provider for Identity Pools.

Now regarding your problem, you'll notice the link you referenced is for setting up a custom authorizer for User Pools. Passing the token you receive from Facebook won't work with the code you have. It would need to be code for validating tokens from Facebook.

If you are interested in using API Gateway with Identity Pools, then you would need to use the Identity Pool SDK to generate a temporary access token which can then be used for interacting with your endpoints.

Instead of using a custom authorizer you would set the authorization settings for your endpoints to use AWS_IAM.

I think the issues you are running into are in large part a result of poor marketing and documentation on Amazon's part. Categorizing the two services (User Pools and Identity Pools) under "Cognito" makes things way more confusing than if they had treated them as the two separate services they really are. Oftentimes documentation or marketing will say Cognito can do this or that, making it unclear which one is providing which functionality. Calling them both pools just makes things even worse.

UPDATE: Some resources that go into detail about how to work with API Gateway and Cognito:

keyneom
  • I have been looking into IAM but no luck. I have created an Identity provider in IAM but how can I get a token from it when a user logs in? I was using the services provided by Auth0 and from the diagram it looks like it returns an AWS token when the user logs in, but when you pass this token to the gateway it just rejects it. I am not sure how to add Facebook alone as an identity provider (this is why I am using Auth0) in IAM and then get a token from IAM to use on the API gateway. Any ideas? – plot Sep 11 '16 at 18:28
  • To use only Facebook as a provider you would need a custom authorizer. I'm not sure about Auth0, but I know they have some detailed walkthroughs of how to use it with AWS. If you do want to use Cognito Identity Pools with Facebook as one of the Identity Providers then you can use IAM auth on your API Gateway resources. – keyneom Sep 12 '16 at 00:20
  • I'll post some links in an edit to my answer that point to some resources that do a decent job of explaining how to get things set up with Cognito. – keyneom Sep 12 '16 at 00:23
  • If you do decide to go with a Cognito Identity Pool using Facebook as an Identity Provider you will probably want to check out some of the Facebook documentation on how to actually authenticate to Facebook. You will need to get a token from their APIs that you can then pass to your Cognito Identity pool. – keyneom Sep 12 '16 at 00:33
  • I do not see how in those posts they get a session token from IAM and access a secure API. I can get an AWS token using Cognito user pools but then users will have to create an account when they have already created an account with another identity provider. I can pass the token from this identity provider to Cognito but I do not get a token to use. I tried creating an Identity pool in IAM for Auth0 and used AWS_IAM in the API gateway but this rejects the token Auth0 gives, and apparently Auth0 gets the token from IAM. – plot Sep 12 '16 at 04:14
  • For simplicity let's assume I am using Facebook as my identity provider. I am able to get the token when the user logs in and I am able to get a Cognito id. When you create a federated identity they create two roles for you, both of which I give full API gateway access to. When I set the gateway to AWS_IAM and pass the Facebook token I get an "UnAuthorized Token" error. Obviously if I remove this security to none I can get full access. If I set the security to Custom user pool and pass the token that was given by the Cognito user pool to the gateway it works. How do I get Facebook to work? – plot Sep 12 '16 at 04:21

API Gateway recently launched first-party support for Cognito User Pools. You shouldn't have to set up a custom authorizer using Lambda anymore. Just set up a User Pool Authorizer in API Gateway and use it to authenticate users from your pool. Details on setting that up can be found here.

Hope this helps, Ritisha.

Ritisha - AWS
  • When I try this it says I need to create a Cognito user pool (which I have not created) when I already have a federated identity. I am using another identity provider like Facebook and Google to authenticate users. This looks like it might work if I create my own identity provider using Amazon Cognito but I am trying to use an existing identity provider. Is there a way to incorporate this with federated identities? – plot Aug 12 '16 at 17:50