Client certificate authentication with API Gateway and Cognito

0

This AWS blog talks about securing your API with mutual TLS. When I try to confgure a Lambda Custom Authorizer, I don't seem able to get the client certificate from the context properties - it seems to be missing. Is there some configuration that we are missing? Does anyone have an example please?

The blog also says "In addition to the initial mutual TLS authentication via client certificate, you can use all existing API Gateway authorizer options. This includes JSON Web Tokens (JWT)/Cognito user pool authorizers, Lambda authorizers, and IAM-based authorization." Is someone able to offer guidance on using JWT/Cognito user pool authorizers - in particular, how to pass the user identity to Cognito to get a JWT token? Or am I completely missing the point?

Thanks in advance, Kevin

1 Answer
0

There is a workshop that shows you how you can integrate Cognito User Pools with API Gateway - https://auth.serverlessworkshops.io/

Usually some front-end application like a Single Page App or a mobile app will use Cognito's Sign-up capabilities for creating users in the Cognito User Pool and then use Cognito's Sign-in capabilities to authenticate users using their username/passwords. Once the user is authenticated by the Cognito User Pool, a JWT token will be generated (can be identity token or access token) by the Cognito User Pool. The front-end application needs to pass either the identity token or the access token in the header of the API request made out to AWS API Gateway.

The documentation here talks about the Cognito provided UI as well as AWS Amplify/mobile SDKs for sign-up/sign-in using the Cognito User Pools - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-integration.html

There is also documentation on APIs that can be used to achieve the same - https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/Welcome.html

This talks about using Cognito User Pools as an authorizer in API Gateway - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html and https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html

I would also recommend going through this blog to understand how Cognito User Pools and Cognito Identity Pools integrate with API Gateway - https://aws.amazon.com/blogs/compute/secure-api-access-with-amazon-cognito-federated-identities-amazon-cognito-user-pools-and-amazon-api-gateway/

profile picture
EXPERT
answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions