11

Problem: I want to authorize my Amazon API Gateway hosted REST API users using Facebook Authentication.

My Understanding: I know Amazon Cognito can be used to authenticate users, which is called Federated Identities. Then I saw Authenticate API Clients with Amazon Cognito Your User Pool, which authenticates against a Cognito User Pool. I also found Use Amazon API Gateway Custom Authorizers, for custom authorization. But I did not find how to link API Gateway to authenticate using Cognito Federated Identities (i.e. Facebook here). Can we use the same procedure as for User Pools with Federated Identities as well, or should I use Custom Authorizers? I'm a bit confused. Any help is greatly appreciated.

Thanks in Advance.

GWed
inblueswithu

1 Answer

14

Cognito federated identities and Cognito user pools address different use cases.

With Cognito user pools, you explicitly manage the users which can access your service. This is useful when you want to limit access to your API to a fixed set of users.

With Cognito federated identities, you delegate user management to an identity provider such as Facebook, Google, or Amazon. In that case, anyone with a user identity for your chosen identity provider can access your service. This is useful when you want to make your API broadly available, but still need to associate individual identities with your API users in order to manage per-user state or resources.

To use a federated identity, you set the API Gateway method to use “AWS_IAM” authorization. You use Cognito to create a role and associate it with your Cognito identity pool. You then use the Identity and Access Management (IAM) service to grant this role permission to call your API Gateway method.

MikeD at AWS
  • 1
    Also, it's not just authorization that I want; I'd also like to know who the user is, because I will have different results for different users on my API calls. My purpose is that I want to authenticate my users, so that I know who they are as well. From my understanding of your answer, I can only see that we are authorizing users. – inblueswithu Aug 28 '16 at 04:55
  • Probably I may be wrong about how and what Cognito does; please explain if I'm missing a point. – inblueswithu Aug 28 '16 at 05:13
  • 1
    API Gateway passes through the user identity information via $context.identity.cognitoAuthenticationProvider, $context.identity.cognitoIdentityId, $context.identity.cognitoIdentityPoolId, $context.identity.user, and $context.identity.userArn. See [documentation here](http://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference) – MikeD at AWS Aug 28 '16 at 22:01
  • 2
    Great. Thanks! I have got _AccessKeyId_, _SecretKey_, _SessionToken_, _IdentityId_ after authenticating user with Facebook and getting AWS credentials from Cognito. Now, I guess I understood the whole procedure, except one thing: *After changing the authorization to AWS_IAM for API Gateway method, how should I send a REST request with authorization information.* I mean what and where should I include that information. In Request Header/Body and how? Thanks in Advance. – inblueswithu Aug 28 '16 at 22:18
  • Probably signing the requests manually using the [Signature Version 4 Signing Process](http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) may solve the problem. Right? – inblueswithu Aug 29 '16 at 00:07
  • 1
    Correct, you sign the request with sigV4. You can sign it yourself, use one of the existing libraries to sign it, or generate a client for your API Gateway and it will sign the request. – MikeD at AWS Sep 01 '16 at 23:54
  • Thanks! I was not able to find that _existing libraries_ to sign. Can you please give me a link? – inblueswithu Sep 02 '16 at 00:22
  • Are there any libraries that can do the signing? – azizj Jun 24 '17 at 21:51
  • @AzizJaved None that I know. But you can check the [client SDK](http://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-generate-sdk.html) generated by the API Gateway or the AWS docs on [how to sign](http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) – inblueswithu Jun 28 '17 at 14:04
  • I've used SigV4 to sign an MQTT connection so I'm somewhat familiar. So what should be the format of my signed request? – MattyK14 Jul 27 '17 at 16:54
  • @MattyK14 You should probably refer to the [docs](http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html). If you already know how to generate a signature, [see this](http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html) – inblueswithu Aug 21 '17 at 13:51
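
Where the temporary Cognito credentials (AccessKeyId, SecretKey, SessionToken) go in a request to an AWS_IAM method, as an added example that is not part of the original thread: a standard-library Signature Version 4 signer for the `execute-api` service. The host name, path, region and credential values are constructed placeholders, and `sign_request` is a hypothetical helper name.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qsl, quote, urlsplit

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _enc(value: str) -> str:
    return quote(value, safe="-_.~")  # SigV4 URI-encoding: only unreserved chars stay

def sign_request(method, url, region, access_key, secret_key, session_token,
                 body=b"", now=None):
    """Return the headers that carry a SigV4 signature for an AWS_IAM method."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/execute-api/aws4_request"
    parts = urlsplit(url)
    # Signed headers; the session token is required with temporary credentials.
    signed = {"host": parts.netloc, "x-amz-date": amz_date,
              "x-amz-security-token": session_token}
    names = ";".join(sorted(signed))
    canonical_request = "\n".join([
        method.upper(),
        quote(parts.path or "/", safe="/-_.~"),  # URL path, encoded once more (non-S3 rule)
        "&".join(f"{k}={v}" for k, v in sorted(
            (_enc(k), _enc(v)) for k, v in parse_qsl(parts.query, keep_blank_values=True))),
        "".join(f"{k}:{signed[k].strip()}\n" for k in sorted(signed)),
        names,
        hashlib.sha256(body).hexdigest(),
    ])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):  # date, region, service, "aws4_request"
        key = _hmac(key, part)
    signature = _hmac(key, string_to_sign).hex()
    return {
        "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                         f"SignedHeaders={names}, Signature={signature}",
        "X-Amz-Date": amz_date,
        "X-Amz-Security-Token": session_token,
    }

# Constructed placeholder values, not real credentials or a real API.
EXAMPLE = sign_request(
    "GET", "https://abc123.execute-api.us-east-1.amazonaws.com/prod/items?owner=me",
    "us-east-1", "ASIAEXAMPLEKEYID", "example-secret-key", "example-session-token",
    now=datetime(2016, 8, 29, 0, 7, tzinfo=timezone.utc))
```

The returned headers are sent with the request unchanged; the body and URL must be byte-for-byte the ones that were signed, and the signature is bound to the timestamp in `X-Amz-Date`.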