
What is the recommended architecture for machine-to-machine authentication and authorization with AWS Api Gateway and Cognito?

0

I've developed an integration platform for a customer where their clients can get access to their own data, as well as my customer's internal systems. The architecture consists of data in S3 and DynamoDB, authentication through Cognito and access via API Gateway.

All calls will be executed by M2M (machine to machine), which is usually handled by utilizing OAuth2 with client ID and client secrets. Since in Cognito you cannot create these for a user but only for an app client, I have three user pools with app clients:

My customer's SAP S/4HANA instance
My customer's SAP BTP instance
My customer's API clients

The first two use app client ID and client secret, but all external M2M clients use a Lambda Authorizer function which returns IAM roles based on the group assignment in their user pool. This works very well, but I don't think it scales as it should. If one client should only have access to e.g. API v1/products/get and another one also to v1/products/patch, I would need two different groups just for this scenario. Over the years, we would almost need one group per endpoint-method, and each user would need to be part of several groups.

My question is: Is this a recommended/viable approach for M2M access, or is there a better, more standard way of solving this (e.g. OpenID scopes)? It is important to provide a standardized way of authentication so that all kinds of systems can enable integrations to this platform. Client ID and client secret with a token endpoint would have been the perfect option, but having hundreds or thousands of app clients in Cognito doesn't seem right...

3 Answers
1

Correct. Hundreds or thousands of app clients in Cognito is not ideal.

Your current approach with a Lambda authorizer and groups for fine-grained access control has scalability limitations.

Recommended Approach

1/ OpenID Connect (OIDC) with Scopes: Define scopes representing specific API resources and operations (e.g., v1/products:get, v1/products:patch). Clients request access tokens with the desired scopes during authentication. Groups can manage broader access levels (e.g., "Product Reader", "Product Admin") instead of specific endpoint permissions.

Steps: a/ Cognito User Pool: Create a single User Pool for all M2M clients. Enable OIDC Provider for the User Pool.

b/ Resource Server: Configure API Gateway as a Resource Server in Cognito.

c/ Client Applications (M2M):

Register each client application with Cognito as an OIDC Relying Party (RP). Clients request access tokens with desired scopes during authentication.

d/ API Gateway Authorizer:

Use a Lambda Authorizer function that validates the access token issued by Cognito. Verify if the token contains the required scope(s) for the requested API endpoint and method.

OR

2/ Using Custom attributes (Cognito User Pool)

You can define custom attributes in the User Pool to represent access permissions for specific endpoints. This approach is less standardized than OIDC but might be easier to implement for some client systems.

AWS
answered a year ago
0

Thank you for reaching out.

I understand that you like to enable authorisation on API Gateway using Amazon Cognito.

Going through the scenario shared, I understand that a Lambda authoriser appears to be a viable choice; however, as you rightly pointed out, this might cause a bottleneck in the context of scaling the solution. I would like to share that while Cognito supports only client_id and client_secret using app integration with a user pool, it allows you to create granular custom scopes which can then be configured under the API Gateway method. Further, your instances can obtain the access token with the appropriate scope to access the required endpoints.

Benefits of using access tokens with scopes include, but are not limited to: improved security, easy integration, dynamic permissions, credential rotation, revocation, short-term credentials, and fine-grained access control through scopes.

Further, I have found these articles that discuss M2M authorisation [1][2].

I hope this information proves to be helpful to you. Please consider reaching out to us via a support ticket so that we can get a better understanding of your resources and use case and assist you best.

References:

[1] Machine-to-machine identity management - https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/m2m-identity-management.html

[2] Scopes, M2M, and API authorization with resource servers - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html

AWS
SUPPORT ENGINEER
answered a year ago
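Both answers above converge on the same design: one user pool, a Cognito resource server that defines custom scopes per API operation, app clients that obtain access tokens through the client_credentials grant, and an authorizer that checks the token's scope list against the method being called. The following is an added, self-contained example written for this page (not code from either answer, from the question author, or from AWS) of what that scope check looks like in a Lambda authorizer. The issuer URL, the resource server identifier https://api.example.com, the scope names products.read/products.write and the endpoint-to-scope map are assumptions chosen for the example; the token is constructed locally with a freshly generated RSA key so the code runs offline, whereas in production the signature is verified against the user pool's JWKS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Hypothetical issuer and resource server identifier for this example. Cognito
// names custom scopes <resource server identifier>/<scope name>.
const (
	issuer      = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
	resourceSrv = "https://api.example.com"
)
// Scope each API Gateway method+resource requires; a new endpoint is one entry, not a new group.
var requiredScope = map[string]string{
	"GET /v1/products":   resourceSrv + "/products.read",
	"PATCH /v1/products": resourceSrv + "/products.write",
}
// Cognito access-token claims checked here; client_credentials tokens carry a
// space-separated scope list and client_id (no sub, no aud).
type claims struct {
	Iss      string `json:"iss"`
	TokenUse string `json:"token_use"`
	Scope    string `json:"scope"`
	Exp      int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// mintToken builds an RS256 JWT shaped like Cognito's; used only to create test input.
func mintToken(key *rsa.PrivateKey, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// verifyToken checks the signature with the pool's RSA key (in production the JWK
// from <issuer>/.well-known/jwks.json matching the header kid). The header alg is
// ignored on purpose: RS256 is always enforced, so alg=none or HS256 tokens fail.
func verifyToken(pub *rsa.PublicKey, token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c claims
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("undecodable claims")
	}
	if c.Iss != issuer || c.TokenUse != "access" || now.Unix() >= c.Exp {
		return nil, errors.New("iss, token_use or exp check failed")
	}
	return &c, nil
}

// authorize is the Lambda authorizer decision: Allow only for a valid token whose
// scope list contains the scope required for this method and resource.
func authorize(pub *rsa.PublicKey, token, method, resource string, now time.Time) string {
	need, known := requiredScope[method+" "+resource]
	c, err := verifyToken(pub, token, now)
	if !known || err != nil {
		return "Deny" // unmapped endpoint or invalid token: fail closed
	}
	for _, s := range strings.Fields(c.Scope) {
		if s == need {
			return "Allow"
		}
	}
	return "Deny"
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	// Constructed token for an app client that was granted only the read scope.
	tok, _ := mintToken(key, claims{Iss: issuer, TokenUse: "access",
		Scope: resourceSrv + "/products.read", Exp: now.Add(time.Hour).Unix()})
	fmt.Println("GET /v1/products:", authorize(&key.PublicKey, tok, "GET", "/v1/products", now))     // Allow
	fmt.Println("PATCH /v1/products:", authorize(&key.PublicKey, tok, "PATCH", "/v1/products", now)) // Deny
}
```

In a real deployment the client obtains the token by POSTing grant_type=client_credentials and the requested scope to the user pool domain's /oauth2/token endpoint with its client_id and client_secret, and Cognito only issues scopes that are enabled for that app client, so the per-client entitlement lives in the app client's allowed scopes rather than in groups. If the API uses the built-in Cognito user pool authorizer instead of a Lambda authorizer, the same check is done by listing the required custom scope in the method's OAuth scopes setting (which requires an access token, not an ID token), and no custom verification code is needed.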
