Securing REST APIs in Amazon API Gateway using Amazon Cognito User Pools and OAuth 2.0

Say you have an API deployed on Amazon API gateway:

$ curl https://*******.execute-api.ap-south-1.amazonaws.com/dev
{
    "message": "Hello!"
}

Anybody can hit that URL & get a response. If you don’t want that, there are several ways to secure an API endpoint such that API Gateway won’t invoke the API unless the caller authenticates itself. One way to secure APIs is by using Amazon Cognito. Let’s see how to set this up for an app that intends to call a secure API.

We’ll begin by creating a Cognito user pool:

We’ll step through settings so we can customize them:

We don’t require any attributes since this pool will only be used by apps programmatically:

No need to allow users to sign themselves up:

No need to verify any attributes. We don’t intend to send any SMSes either:

Add an app client & create the pool:

Provide a domain name so we can fetch the tokens:

Add a resource server:

Enable the Cognito identity provider & the “client credentials” OAuth flow for the app:

Now let’s use this pool to secure the API. Back in the API Gateway console, create a new authorizer of type Cognito:

Now go into the Method Request of the method you wish to secure & change its Authorization from NONE to our authorizer:

Add OAuth Scopes:

Deploy the API & retry invoking it:

$ curl https://*******.execute-api.ap-south-1.amazonaws.com/dev
{
    "message": "Unauthorized"
}

There you go! It’s now secure!

Now let’s see how a legitimate app would invoke this API. The first step is to get the access token. Note down the client ID & secret from Cognito:

Get access token:

$ curl -X POST --user : https://secure-api.auth.us-east-1.amazoncognito.com/oauth2/token?grant_type=client_credentials -H 'Content-Type: application/x-www-form-urlencoded'
{
    "access_token": "*******",
    "expires_in": 3600,
    "token_type": "Bearer"
}

Invoke API:

$ curl https://*******.execute-api.ap-south-1.amazonaws.com/dev -H 'Authorization: Bearer '
{
    "message": "Hello!"
}

 

Harish KM is a Cloud Evangelist and a Full Stack Engineer at QloudX. Harish is very passionate about cloud native solutions and using the best tools for projects. This means that he is an expert in a multitude of application languages and is up to date with all the new offerings and services from cloud providers, especially AWS.

One Reply to “Securing REST APIs in Amazon API Gateway using Amazon Cognito User Pools and OAuth 2.0”

  1. […] This article describes how to secure an API in Amazon API Gateway. Here we’ll see how to invoke a secure API programmatically from Angular. […]

Leave a Reply