I am attempting to authenticate a REST API in AWS API Gateway, which is protected by AWS Cognito, through the command line to do some security testing of the API. So, I'm supposed to send the authentication token to get an answer, except I just can't figure out how to get that token!

Our Cognito User Pool is configured for Authorisation Code Grant Flow and Implicit Grant, but not for Client Credentials. Everything I found out during my research was about Client Credentials, so if anyone had a command line that actually works with these parameters it would be really nice!


1 Answer

If you have a REST API in AWS API Gateway that has Cognito Authentication enabled, you would need to pass the JWT Token generated by Cognito in the HTTP Request Header. To retrieve the JWT Token, you could either try a login operation from the Cognito Hosted UI, or you could alternatively try the AWS provided InitiateAuth or AdminInitiateAuth API calls. To give further clarity, if you select the Implicit Grant Flow, you get only an ID Token and an Access Token back. However, if you select the Authorization Code Grant Flow, you get a code back, which you could convert to JWT Tokens while leveraging Cognito's TOKEN Endpoint. An example for the AdminInitiateAuth API call (via the AWS CLI) as stated in the AWS Cognito Documentation is given as follows:

aws cognito-idp admin-initiate-auth --user-pool-id us-west-2_aaaaaaaaa --client-id 3n4b5urk1ft4fl3mg5e62d9ado --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=jane@example.com,PASSWORD=password

These API calls/the Hosted UI Authentication Mechanism would give you an OIDC compliant ID Token and an Access Token after you log in successfully. After you retrieve the Token, you could pass the token to the Token Source that you have set up while creating the REST API Authorizer in AWS API Gateway. To know more about passing a certain parameter to a cURL request header, you could have a look at this StackOverflow question.

  • I tried your command, I'm getting an error: An error occurred (InvalidParameterException) when calling the AdminInitiateAuth operation: Auth flow not enabled for this client – Tibo Apr 19 '19 at 06:28
  • 1
    You would need to enable the required flow from the Cognito console. – Arka Mukherjee Apr 19 '19 at 06:30
  • After doing the Cognito+API Gateway setup, I'm logging in via the Cognito User Pool and getting the tokens. From this I take the access_token and pass it to the invoke URL as a header of the form: -H "Authorization: Bearer blahblah". But it says "not-a-valid-key-value-pair-missing-equal-sign-in-authorization-header". What am I doing wrong? – user1452759 May 28 '19 at 15:35
  • @user1452759 Could you try Postman once and let me know the results? Could be a mistake in the cURL query. – Arka Mukherjee May 28 '19 at 16:45
  • Tried from Postman. Got the message = "not a valid key=value pair (missing equal-sign) in Authorization header: 'Bearer eyJraWQiOiJyTEtWMURvUEJwYnNUUzlZN1wvV2RqMkFyUlRSMXNtZWpPTWdCWW94bldtTT0iLCJhbGciOiJSUzI1NiJ". The equivalent curl is: curl -X GET \ https://.execute-api.us-east-2.amazonaws.com/beta/ \ -H 'authorization: Bearer ' \ -H 'cache-control: no-cache' \ -H 'postman-token: 3cd8bda0-443a-5c53-ae28-e1edd496aff6' – user1452759 May 28 '19 at 17:03
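The step the answer leaves to the reader is what to do with the JSON that `admin-initiate-auth` (or `initiate-auth`) prints: pick the right token for the authorizer, make sure it is actually a token of that kind and still valid, and put it in the header the authorizer's Token Source names. The following is an added example, not code from the answer or from AWS; it is stdlib-only Python that works on a constructed copy of the response shape (`AuthenticationResult` with `IdToken`, `AccessToken`, `RefreshToken`, `TokenType`). The JWTs inside it are unsigned stand-ins built by `make_fake_jwt`, and the header name (`Authorization`) and `Bearer` prefix are assumptions to match to your authorizer's Token Source. The claim check only decodes the payload; it does not verify the signature, which is the authorizer's job. One practitioner's caveat relevant to the comment thread: a Cognito user pool authorizer without OAuth scopes on the method validates the ID token, while a method with scopes configured validates the access token, so `token_use` must match what the method expects.

```python
import base64
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_fake_jwt(claims: dict) -> str:
    """Build an unsigned JWT-shaped string for the constructed sample below."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


NOW = 1_700_000_000  # fixed clock so the example is deterministic

# Constructed sample of a successful admin-initiate-auth response (shape only).
SAMPLE_RESPONSE = {
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "AccessToken": make_fake_jwt({
            "sub": "constructed-sub", "token_use": "access",
            "client_id": "constructed-client-id", "exp": NOW + 3600,
            "scope": "aws.cognito.signin.user.admin",
        }),
        "IdToken": make_fake_jwt({
            "sub": "constructed-sub", "token_use": "id",
            "aud": "constructed-client-id", "exp": NOW + 3600,
            "email": "jane@example.com",
        }),
        "RefreshToken": "constructed-refresh-token",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
    },
}


def decode_jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))


def pick_token(response: dict, token_use: str) -> str:
    """Select the ID or access token from an InitiateAuth/AdminInitiateAuth response."""
    result = response.get("AuthenticationResult")
    if result is None:
        # A ChallengeName response (e.g. NEW_PASSWORD_REQUIRED) carries no tokens yet.
        raise ValueError(f"no tokens yet; challenge={response.get('ChallengeName')}")
    key = {"id": "IdToken", "access": "AccessToken"}[token_use]
    return result[key]


def check_token(token: str, token_use: str, now: int) -> dict:
    """Sanity-check before sending: right kind of token and not yet expired."""
    claims = decode_jwt_claims(token)
    if claims.get("token_use") != token_use:
        raise ValueError(f"expected token_use={token_use}, got {claims.get('token_use')}")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token is expired; re-run initiate-auth or use the refresh token")
    return claims


def build_request_headers(token: str, token_source: str = "Authorization",
                          scheme: Optional[str] = "Bearer") -> dict:
    """Header dict for the authorizer's Token Source; scheme=None sends the bare token."""
    value = f"{scheme} {token}" if scheme else token
    return {token_source: value}


def curl_command(invoke_url: str, headers: dict) -> str:
    """Render the equivalent curl invocation (assumed placeholder URL)."""
    flags = " ".join(f"-H '{k}: {v}'" for k, v in headers.items())
    return f"curl -s {flags} '{invoke_url}'"


if __name__ == "__main__":
    # Method configured with OAuth scopes -> access token; without scopes -> "id".
    tok = pick_token(SAMPLE_RESPONSE, "access")
    claims = check_token(tok, "access", NOW)
    print("token_use:", claims["token_use"], "expires in:", claims["exp"] - NOW, "s")
    print(curl_command("https://PLACEHOLDER.execute-api.us-east-2.amazonaws.com/beta/",
                       build_request_headers(tok)))
```

If the API answers with the "not a valid key=value pair (missing equal-sign) in Authorization header" message seen in the comments even though the token passes `check_token`, that text is the one API Gateway produces when it parses the `Authorization` header as an AWS SigV4 signature, so the first thing to verify is that the method's authorization is set to the Cognito user pool authorizer rather than AWS_IAM; the header itself is already in the right shape.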