A Few Words of Introduction
Authentication is required by most applications and is a routine step in any development process. Implementing security mechanisms by hand is difficult and painful. Rather than spending a lot of time building your own authorization, it is a much better idea to use a ready-made solution… so why not try AWS Cognito? Can we do it without writing a single line of source code?
Implementing Cognito is not very complicated, and since its security is provided by the AWS security team it should be safe, especially when we want to authenticate a simple application or share AWS services such as an S3 bucket or API Gateway endpoints.
The initial requirement is an AWS account. Then we need to prepare two Cognito objects, a User Pool and a Federated Identities pool, plus a simple API Gateway endpoint for tests.
The authentication flow in the following case, i.e. the communication between the client, the authentication mechanism and the services, is presented in the diagram below:
We are going to open the login page using the predefined Cognito forms, obtain an AWS STS token, and redirect the user to API Gateway, which executes a Lambda function if the obtained AWS STS token is valid.
Let’s get Started…
To create a User Pool we go to AWS Console -> Cognito services and choose Create a User Pool:
Please notice the user status, which is important: FORCE_CHANGE_PASSWORD (a newly created user must change the temporary password at first sign-in before authentication succeeds).
API Preparation for Tests
To test the API we create a Cognito authorizer on API Gateway, a Lambda function and an API Gateway endpoint for it, and choose Cognito as the endpoint's authorization method:
Finally we can check whether everything works. How do we test it? Let's try the Cognito endpoint and the methods documented at:
First, we invoke the login URL for our newly created Cognito app client, and then try to redirect to our API Gateway, an S3 bucket or another location. For security reasons Cognito does not allow redirection to arbitrary URLs, therefore we have to define the allowed callback URLs in App Client Settings.
Bear in mind that this article does not aim to build a fully secure authorization setup; it is only a sandbox to start with Cognito and gain some basic knowledge about the authentication process. Every security implementation should be carefully configured and fully tested, because even a small misconfiguration could have a dramatic impact on application and AWS account security.
So, what did we Achieve?
We have secured our applications, APIs and other resources, which is very important. Cognito helps us achieve this without any coding, not in all projects but in most of them. Another benefit is that, if we have implemented this process correctly, we are protected from development mistakes, because the Cognito service has been tested and is widely used by AWS specialists and other clients.