A CloudFormation template demonstrating an API Gateway + Lambda API authenticated with a Cognito User Pool.
Deploy options:
- AWS CLI CloudFormation
- SAM CLI

Stack outputs:
- SignupURL: UI to sign up new users
- AppClientId: Cognito App Client ID
- GetTokenURL: API endpoint to generate an Access Token
- SampleApiURL: example API endpoint to test auth
Steps:
- Deploy using one of the options above
- Sign up a new user
- Navigate to the user-pool console and confirm the user
- Navigate to the user-pool console and set the custom account-id attribute on the newly created user
- optional - instead of account-id, groups can be used
- Generate an Access Token using the Get Access Token CURL example
- Call the Sample API using the Access Token and the Sample API CURL example
Notes:
- Signup + confirmation can be automated using scripting over a Lambda (after signup)
- The JWT Access Token contains the username and any groups assigned to it. This is public info, so use with care
- The Get Access Token endpoint is better wrapped with your own service, mainly in order to keep Cognito's ClientId secured
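The note above says the Access Token's claims are public information. The following added example (not part of the template or this repository) shows why: the claims are plain base64url-encoded JSON that anyone holding the token can read without any key. It also shows the claim checks a backend should run after verifying the RS256 signature against the user pool's JWKS (signature verification is outside this snippet). The issuer, client ID, username and group values are constructed sample data, not values from the template.

```python
import base64
import json
import time

# Constructed sample values; replace with your pool's issuer and app client ID.
SAMPLE_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
SAMPLE_CLIENT_ID = "example-app-client-id"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(exp: int) -> str:
    # Shaped like a Cognito access token. The signature segment is a
    # placeholder, so this token would fail real signature verification.
    header = {"alg": "RS256", "kid": "example-kid"}
    payload = {
        "sub": "example-sub", "iss": SAMPLE_ISSUER, "client_id": SAMPLE_CLIENT_ID,
        "token_use": "access", "username": "alice", "cognito:groups": ["admins"],
        "exp": exp,
    }
    segments = [_b64url(json.dumps(header).encode()), _b64url(json.dumps(payload).encode())]
    return ".".join(segments + ["placeholder-signature"])


def read_claims(token: str) -> dict:
    # No key is needed: anyone holding the token can read username and groups.
    return json.loads(_b64url_decode(token.split(".")[1]))


def claim_problems(claims: dict, expected_issuer: str, expected_client_id: str, now=None) -> list:
    # Checks a backend should apply AFTER the RS256 signature has been verified
    # against the user pool's JWKS. Returns an empty list when all checks pass.
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    if claims.get("client_id") != expected_client_id:
        problems.append("client_id mismatch")
    if claims.get("token_use") != "access":
        problems.append("not an access token")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        problems.append("token expired")
    return problems
```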
Get Access Token CURL example

Values to replace:
- <GetTokenURL>
- <USERNAME>
- <PASSWORD>
- <AppClientId>

```bash
curl --location '<GetTokenURL>' \
  --header 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
  --header 'Content-Type: application/x-amz-json-1.1' \
  --data-raw '{
    "AuthFlow": "USER_PASSWORD_AUTH",
    "AuthParameters": {
      "USERNAME": "<USERNAME>",
      "PASSWORD": "<PASSWORD>"
    },
    "ClientId": "<AppClientId>"
  }'
```
Sample API CURL example

Values to replace:
- <AccessToken>
- <SampleApiURL>

```bash
curl --location '<SampleApiURL>' \
  --header 'Authentication: <AccessToken>'
```