Securing API Gateway using AWS Cognito.

Cognito User Pool

Amazon Cognito Account Pools lets users build and manage a profile registry and provides sign-up / sign-in to smartphone or desktop apps. Users can use social or SAML-based identity providers to sign in to a User Pool. It provides millions of users with a secure, easy, low-cost alternative, and scales.

You should incorporate improved security functionality for your application, such as multi-factor authentication and email/phone number verification. With AWS Lambda, you can configure the Amazon Cognito Account Pools workflows such as adding product-related logins for account authentication and fraud detection verification.

In First Step we will setup oAuth 2.0 using AWS (Cognito), which will help us generate scope based access tokens, which can be used to call the specific api.

Start with AWS Cognito User Pool:

Step 1: Log in to your AWS console and click on the services option and click on the Cognito then Select the manage user pool option as shown in the below image.

Step 2: click on the create a user pool button on the top you can see in the below image.

Step 3: give the name to your pool and click on the review defaults button as marked in the below image.

Step 4: After reviewing the details click on the create pool button.

Step 5: now we have to create the users and groups so click on the users and groups button on the left side of your screen as shown in the below image.

Step 6: click on the create user button marked below.

Step 7: set the username and password and write the email and then click on the create user button, you can see in the below image.

Step 8: our user is created now we have to get domain name, so click on the domain name option as marked in the below image.

Step 9: we have to get domain name, so click on the domain name option as marked in the below image and give the name and click on the save changes option.

Step 10: Now we have to create a resource server so select the resource server on the left side of your screen and then click on the add a resource server button.

Step 11: Now we have to create a App Client settings.

Our configurations for Cognito is complete and we have successfully created an authorizer, now we will move to Post and test api generated by cognito.

Below mentioned are the params for Api generated by Cognito.

1. url = {domain url generated by cognito}/oauth2/token
2. grant_type = client_credentials
3. client_id ={app client id generated by Cognito}
4. client_secret ={app client secret generated by Cognito}
5. scope ={name of Cognito app}/{name of scope}
6. method = POST

For doing that Goto AWS Console > Api Gateway > Create Api > Rest Api and click Built Button as shown below:

Step 1: Now we have to create a Authorizers.

Step 2: Now we have to create a GET method using Lambda Function as integration type.

Step 3: Now we have to go to Method request.

Step 3: Now we have to go to Method request and select Authorization as cognito Authorizer.

Step 3: Now we have Deploy API.

Step 4: Now we have to go on integration request.

Step 5: Now we have to go to Mapping Templates and go to Content type.

Step 5: Now we have to go to “Yes Secure this integration”.

Step 6: Now we configure POSTMAN.