Secure API Gateway using Cognito Authorizer (NEW)

Views: 34,482

LoveToCode

1 year ago

Secure API Gateway using Cognito Authorizer
#aws #gateway #authorizer #authorization
Secure AWS API Gateway using Lambda Authorizer: • Secure API Gateway usi...

Comments: 70
@NestorMartinez0820 · 11 months ago
Hello, nice video bro. I did all the steps in this video but I'm getting the error "Unauthorized". I've done all the steps one by one, but I'm always getting "Unauthorized" when I try to access the API endpoint via access_token (Postman). The token seems to be OK, I've checked the token string integrity (white spaces or special chars). Any suggestions? Maybe a permission that I'm missing? Please help me, thanks
@lovetocode4486 · 11 months ago
Hi @Nestor, theoretically it should work if you follow the steps. There is no specific permission for this scenario. Could you check the Postman `key` you used? As an example, the key should match the name you mentioned in the Lambda authoriser. Please double check this point kzbin.info/www/bejne/b5TVhX93icRnq7s Still, if you have an issue, please drop an email and I will contact you. johnsonp908060@gmail.com
@sebastienbolh210 · 10 months ago
Yo! I got confused with this too. Make sure you're putting the access-token in the Headers tab, not the parameters tab.
@lovetocode4486 · 10 months ago
@sebastienbolh210 Thanks mate for helping out
@xXpiterXx95 · 9 months ago
Hi, in my case I had to click Edit in Authorizer again (the second time, an id(?) appeared next to the user pool name) and it started working. Also in the tutorial, initially there was no id next to the user pool in Authorizer; in the next shot it had already appeared ;)
@lovetocode4486 · 9 months ago
@xXpiterXx95 thanks for sharing :)
@imvdmeer · 1 year ago
Thanks for the demo, it inspired me for my own lambda project that currently uses a lambda authoriser with basic auth.
@lovetocode4486 · 1 year ago
Great to hear! Thanks @Ivo :)
@noah-ms3ib · 1 year ago
Great video, clear and to the point. Good explanations as well. Thanks!
@lovetocode4486 · 1 year ago
Thanks Noah. Appreciated.
@user-dy5ps8mm1e · 1 year ago
Great demo video. Keep it up. Thanks
@lovetocode4486 · 1 year ago
Thanks.👍👍👍
@JohnsonPatrick-vg4nz · 1 year ago
Great demo. Thanks
@lovetocode4486 · 1 year ago
Thanks for watching!
@stephenlflf3871 · 11 months ago
Thanks, this is perfect for what I need to do, which is setting up a "database" + user login + a way to auto-update my client using the gateway to link to a resource that I can change at any time.
@lovetocode4486 · 11 months ago
Cool. Great to hear. Thanks for the comment 👍👍👍
@enri2due · 11 months ago
The video is nice and clearly explained. I appreciated the Cognito Authorizer tests, which I had never used before. Thanks. Nevertheless I would add that "Implicit Grant" is not mandatory. Everything works fine also with Authorization Code, which I am using to satisfy a requirement.
@lovetocode4486 · 11 months ago
Great @enri2due. It was great news and I'm really happy someone enjoyed it and got something out of it. Thanks.
@sunitakunwar4830 · 1 year ago
Very nice and informative. Thank you so much.
@lovetocode4486 · 1 year ago
Thanks Sunita.👍👍👍
@terwtata-jh8xm · 1 year ago
Nice demo. Thx
@lovetocode4486 · 1 year ago
Glad you liked it!
@praji999 · 1 year ago
Very simple and nice explanation. Thanks. Keep going!!👍
@lovetocode4486 · 1 year ago
Thanks for the comment. Glad that helps you :)
@ol1175 · 1 year ago
Amazing Video!!!
@lovetocode4486 · 1 year ago
Thanks for the comment. :)
@balawalchaudry4127 · 8 months ago
This was great, thank you! However, I have a question. I have this API connected to my Lambda function as a trigger, and I have a Slack app which, in event subscription, takes in an endpoint (in this case it is my newly authorized endpoint configured in my Lambda function). However, because the API is protected, Slack won't be able to verify it or access it. How can I enable Slack to access this? Thank you again for the video!
@lovetocode4486 · 8 months ago
Hi balawal, thanks for the comment. When you call the API, you need to pass the API keys as we did in the Postman request. Do you get any errors in Slack? You can enable logs on API Gateway to see whether the Slack request is hitting it or not.
@abdellaouikhoubaib3987 · 9 months ago
Best ever ❤❤❤
@lovetocode4486 · 9 months ago
Cool. Thanks for the comment mate
@carlosmedero2696 · 10 months ago
Hey, I have one quick question. API requests from localhost:3000 work fine without the Cognito authorizer. But once I add it, I get a CORS error: "Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource." The requests still work fine when done with Postman, even with the authorizer in place. Do you know how I may be able to fix this? Thank you!
@lovetocode4486 · 10 months ago
Hi @carlos, do you mean that you call the API Gateway without any authentication and it works?
> Api requests from localhost:3000 work fine without the cognito authorizer.
@lovetocode4486 · 10 months ago
Please check all the headers in the Postman request. Then compare them with the HTTP request you are trying from localhost. Please let me know how it is going. Thanks
@carlosmedero2696 · 10 months ago
@lovetocode4486 I ultimately checked the headers in the Lambda response. I then deleted the current OPTIONS method and generated it again by enabling CORS. I also didn't add an authorizer to the OPTIONS method, as I understand it does not need to have one. It then started working. Not sure which of these steps did it, but I'm ready to move on for now. lol Thank you!
@lovetocode4486 · 10 months ago
@carlosmedero2696 great to see you made it work. Thanks :)
@guitaravind · 1 year ago
Thank you for this demo. I have followed all of the steps in the video but am getting a 403 error when calling the REST API from Swift. I have tried everything I can think of as to why I am getting the error. Any suggestions or thoughts?
@guitaravind · 1 year ago
When I test the API within AWS, I get a 200 response
@lovetocode4486 · 1 year ago
Hi Duhkham, did you use the `access_token` and not the `id_token`? Please first try with Postman to check that it is working. When you test the authorizer in AWS, you need to use the `id_token`; when you test with Postman, you need to use the `access_token`. Let me know how it goes.
@guitaravind · 1 year ago
@lovetocode4486 Yes, I am using the Access Token, not the ID Token, in my code. I have to check in Postman. Will do so ASAP
@guitaravind · 1 year ago
In Postman, I am getting an error which says "not a valid key=value pair (missing equal-sign) in Authorization header: 'Bearer"
@lovetocode4486 · 1 year ago
@guitaravind Looks like the value you are passing in Postman is not in a valid format. Just open the "Headers" tab and add a new key and value. The key will be described as below. The value will be the "access_token". Could you please check that the "token source" name matches the "header key" in Postman? As per this video, it should be "auth-token". If you change the name of the "token source", the same name should be used in Postman.
@manishmarx · 6 months ago
If I want production-level APIs using API Gateway to be used by different clients, which in turn serve their users using our API resources, what approach should I take in that case? Do I need to secure the gateway with an API key? That is not recommended, because there is an expiring token as well; we can't provide them a new token every time, or they would need to implement Cognito login from their backend side and get the token from the response. Basically the idea is: we have clients, and in our DB we call each one a company; that company can have many users who use our API, or a company can use our API and serve their users. In that case I want to allocate a token for the company, called a secret key, using which they can access the endpoints, but to make it more secure we use Cognito. How can we achieve that, or what should we do to achieve the same? TIA
@lovetocode4486 · 6 months ago
Hi @manishmarx, as I understood your question, the API key alone is not good enough for authentication. Usually people use a combination of both: an API key along with a Lambda authoriser or Cognito authoriser. With the authoriser you can authorise who can access the resources. The API key can be used to throttle/limit requests per client. The Cognito authoriser can be integrated with ADFS, Okta and other identity providers too. Simply put, if you want more fine-tuned authentication/authorisation, go ahead with a solution which has both an API key + an authoriser.
@ManishJindalmanisism · 2 months ago
Hi, thanks for the video. In my Lambda I want to read this token and get the corresponding email id or username, because I want to do some dynamic processing based on these. Can you tell me how this token can be further used to extract the email/username in Lambda?
@lovetocode4486 · 2 months ago
Hi mate, the Cognito token is a JWT token and it has three parts which are separated by a dot (.). The whole token is encoded with base64. It is NOT ENCRYPTED. You just need to decode the second part, which has the payload, using a Base64 decoder. You can find username, email etc. information in the payload. I haven't tested this, but theoretically this should work. You can simply use this website to check whether the payload has what you are looking for: jwt.io/ Hope this helps. Let me know how this goes. Thanks
@ManishJindalmanisism · 2 months ago
@lovetocode4486 I understand the JWT token has the username, email etc., but the issue is: in Lambda the 'event' param is coming in empty. If I print(event) in Lambda it's an empty dictionary. So I am not sure how this token can be fetched in Lambda.
@lovetocode4486 · 2 months ago
Hi Manish, OK, got your question. If the token is not passed to the Lambda, then you have to manually pass the token using template mapping. You can update "Integration request" -> "Mapping templates" -> "Add mapping template". This way, you can pass any headers from the client to the integration point. I have created a video on how to use "Template". Surely this helps you. Please have a look. kzbin.info/www/bejne/pWqbooyLe7iEmMU Thanks
@ManishJindalmanisism · 2 months ago
@lovetocode4486 Wow!! This was truly helpful. I was able to achieve what I wanted. Thanks a lot!! There are a few observations: the tokens generated by the CLI via admin-initiate-auth were not working, not sure why. The access_token generated by the UI browser as you have shown was working in Postman. As per some documentation I read, you should use the access_token for authorization and the id_token to get values like email, username etc. for further authentication in Lambda. I passed the access_token from my Postman as authorization and the id_token as a separate header. Finally it worked!!
@lovetocode4486 · 2 months ago
Great mate. Yes, the ID token holds user information. The ID token was introduced by OpenID Connect; OAuth has the access token. Glad that you made it work. Thanks. 👍👍👍
@jrleriche · 5 months ago
Hello, thanks for the video. But I do not see the link to the GitHub repo for the code.
@lovetocode4486 · 5 months ago
Hi @jrleriche, for this tutorial there is not much in terms of code. It has a sample Lambda function which returns a string. I pasted the sample Lambda code for your reference. Hopefully you will like the "Lambda Authoriser" which has more code. Lambda authoriser video: kzbin.info/www/bejne/qIO0k4mAndGjeZY Lambda authoriser code repo: github.com/CodeSam621/Demo/tree/main/AWS-Gateway-Lambda-Authorizer Sample Lambda code you were asking for here:
-----------
export const handler = async (event) => {
  // log the incoming API Gateway event
  console.log('event:', JSON.stringify(event));
  const response = {
    statusCode: 200,
    body: JSON.stringify("Hello from Lambda")
  };
  return response;
};
----------
@ashishpasi1524 · 1 year ago
Can you create a video for the client credentials type, machine to machine?
@lovetocode4486 · 1 year ago
Hi Ashish, I am not quite sure about your question. BTW, as I understood it, you can use a Lambda authoriser to add any custom logic. So you can use client credentials with a Lambda authoriser. This may help kzbin.info/www/bejne/qIO0k4mAndGjeZY Let me know how it goes.
@user-pt3lh5eg1i · 6 months ago
Nice video, but now I want to save user data when the user logs into the application and show the user data of whoever saved/added data in DynamoDB.
@user-sd8su3cb2y · 2 months ago
Can you share your GitHub repository which has the code used above?
@lovetocode4486 · 2 months ago
Hi mate, are you after the Lambda code? Or anything specific?
@lovetocode4486 · 2 months ago
This is the code for the "Lambda Authoriser". github.com/CodeSam621/Demo/tree/main/AWS-Gateway-Lambda-Authorizer
@suhasgawai2183 · 2 months ago
The code you used in Visual Studio while performing this hands-on.
@kirklandcig5513 · 2 months ago
17:50 so this was the reason I could never get the id token after 3 hours 😂😂😂😂
@lovetocode4486 · 2 months ago
Lucky you figured it out. 👍👍👍
@wunderlust7252 · 4 months ago
Still getting a 404
@lovetocode4486 · 4 months ago
Hey mate, a 404 is not related to authentication or authorisation. Please check whether the URL is correct or not.
@websafetyninja476 · 6 months ago
"And... NO MFA" Ethical hacker here. This is irresponsible. Without any explanation to your audience, you skip MFA. We have to stop normalizing this.
@lovetocode4486 · 6 months ago
Yes, MFA is a good security practice. BTW I didn't want to add much noise while doing this. That is the reason to skip that :)