Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Control access for invoking Rest API in API Gateway

0

I have several API gateway resources which I want to allow other services to invoke them.
Say I have these two endpoints:
/tasks
/setting
My clients are some services, they invoke these Rest APIs like the following request: (It is written in Javascript, but they can use any other programming languages, but can't use AWS SDK)
fetch('.../tasks')
.then((tasks) => {
console.log('Tasks:', tasks)
});
I need to check client's permissions as they're calling my API. When a service send a request to /tasks, I should check its permission and see if it doesn't have the required permission, I will return 403 as response.
I want to know what it the best approach to implement it? Should I use AWS Cognito User pool integrated with Identity pool or a Custom authorizer?
If my question is not clear as enough, please comment it, I'll give more information.
I hope someone has related experiences and could help me.

Edited by: Farzan on Jan 25, 2020 4:10 AM

Edited by: Farzan on Jan 25, 2020 4:25 AM

Argomenti
Sicurezza, identità e conformità
Tag
Amazon Cognito
Lingua
English
Farzan
posta 4 anni fa352 visualizzazioni
4 Risposte
0
Risposta accettata

When you define app client settings in your pool you can define which scopes the client will be allowed. The scopes you defined for your resources should appear under "Allowed Custom Scopes". In that case the clients will have not access to more scopes than what you defined. They could ask for it, but they will not get it.
There is also this article published in knowledge center that explains the process better end-to-end https://aws.amazon.com/premiumsupport/knowledge-center/cognito-custom-scopes-api-gateway/

anzap
con risposta 4 anni fa
profile picture
ESPERTO
Giovanni Lauria
verificato un mese fa
0

Hi Farzan,

You could do what you want using Cognito user pools by defining app clients, Resource servers and scopes. You can then secure your apis in AWS API Gateway using CognitoUserPoolAuthorizer and previously defined scopes on resource methods.

Check https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html and https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html

anzap
con risposta 4 anni fa
profile picture
ESPERTO
Giovanni Lauria
verificato un mese fa
0

Thanks for your help.
But I think in that case my clients can ask for any scopes they want and I'm not able to control whether the requested scopes are accessible for them or not.

Farzan
con risposta 4 anni fa
0

I haven't known about this feature. Thanks a lot for your help.
Very useful..

Farzan
con risposta 4 anni fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente