
I am working on a web app where users can login/signup with their personal email addresses or login with federated identities like Facebook/Twitter. I have set up a Cognito User Pool and Identity Pool for the same.

After successful login, APIs hosted on API Gateway would be invoked to display some data on the application. I would like to implement authorization for every API invoke call and return the response only for authorized users.

I have created a User Pool Authorizer in API Gateway and I am able to authenticate users created in the user pool based on the ID token.

As per my understanding, to authenticate users from the Identity Pool, I can use AWS_IAM in API Gateway. AWS_IAM may not be the right solution for my application as the API can be invoked by users in the user pool as well as the identity pool.

I am thinking of implementing authentication using a Custom Authorizer using Lambda functions.

If a custom authorizer has to be implemented, should validating the policy document based on the session token be sufficient to validate the users from both the User Pool/Identity Pool? Kindly suggest alternatives for custom authorization, if any.

Thanks in advance

Rahul Vijayapuram

1 Answer


Have you seen this blog post? https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/

It's possible to directly integrate your Cognito user pools tokens as an authorizer for API Gateway, and it simplifies the flow you described greatly.

Jeff Bailey
  • Thanks for your input. I have already gone through this post, this is specific to authenticating users from Userpool only. But my application has users from userpool as well as Identity pool. – Rahul Vijayapuram May 25 '17 at 05:25
  • Ah, understood. Well, you could funnel user pools logins through your identity pool. It's possible to set it up as another provider parallel to Facebook, so both trade a token in for credentials. That would allow you to use the same authorizer. An APIGW team member wrote this answer that details it a bit: https://stackoverflow.com/questions/39184419/how-to-authenticate-api-gateway-calls-with-facebook/39185749#39185749 – Jeff Bailey May 25 '17 at 05:31