GitHub - luciangutu/cognito_auth: Api Gateway endpoint that is authenticated against a Cognito User Pool and it's pointing to a Lambda that decodes the JWT received from Cognito at authentication and returns the email of the Cognito user.

Api Gateway endpoint that is authenticated against a Cognito User Pool and it's pointing to a Lambda that decodes the JWT received from Cognito at authentication and returns the email of the Cognito user.

Example:

take a look at config.py and update it accordingly
run the create_user.py to create a new Cognito user

python ./create_user.py 
{'User': {'Username': '4e13a754-28d3-4e67-a08e-5ce0c6fae306', 'Attributes': [{'Name': 'sub', 'Value': '4e13a754-28d3-4e67-a08e-5ce0c6fae306'}, {'Name': 'email', 'Value': 'lucian@example.com'}], 'UserCreateDate': datetime.datetime(2022, 1, 21, 16, 33, 51, 979000, tzinfo=tzlocal()), 'UserLastModifiedDate': datetime.datetime(2022, 1, 21, 16, 33, 51, 979000, tzinfo=tzlocal()), 'Enabled': True, 'UserStatus': 'FORCE_CHANGE_PASSWORD'}, 'ResponseMetadata': {'RequestId': 'abd2d63c-a1b7-4cc8-a31c-a476f81c68fc', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Fri, 21 Jan 2022 14:33:52 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '309', 'connection': 'keep-alive', 'x-amzn-requestid': 'abd2d63c-a1b7-4cc8-a31c-a476f81c68fc'}, 'RetryAttempts': 0}}
{'ResponseMetadata': {'RequestId': '998cfb37-087d-4c84-bd8c-5d7c6d0add14', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Fri, 21 Jan 2022 14:33:52 GMT', 'content-type': 'application/x-amz-json-1.1', 'content-length': '2', 'connection': 'keep-alive', 'x-amzn-requestid': '998cfb37-087d-4c84-bd8c-5d7c6d0add14'}, 'RetryAttempts': 0}}

run login.py to retrieve the JWT token from Cognito. This can and should be configured as an endpoint in Api Gateway.

python ./login.py 
eyJraWQiO...

call the Api Gateway endpoint that requires authentication

curl -X GET 'https://rkwq3kbkx4.execute-api.eu-west-1.amazonaws.com/test' -H 'Authorization: eyJraWQiO...'
{"response": {"resultStatus": "SUCCESS", "results": {"email": "lucian@example.com"}}}

Details:

login.py contains the solution for authenticating against Cognito User Pool with user and password (WITHOUT secret) Requirements:

Cognito User Pool
IAM access with permissions to Cognito (AWS keys)
Cognito App client without App client secret or with App client secret, but then the 'app_client_secret' variable from config.py must be set
Auth Flows Configuration enabled for all
Cognito App client settings with Sign in and sign out URLs, Authorization code grant
Allowed OAuth Scopes email and openid
Domain name
Api Gateway Authorizer pointing to Cognito User Pool

cognito.txt sequence diagram was generated from https://sequencediagram.org/

Name		Name	Last commit message	Last commit date
Latest commit History 10 Commits
App_client.png		App_client.png
App_client_settings.png		App_client_settings.png
Cognito.txt		Cognito.txt
README.md		README.md
api_gw_authorizers.png		api_gw_authorizers.png
config.py		config.py
create_user.py		create_user.py
diagram.png		diagram.png
lambda_api.py		lambda_api.py
login.py		login.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

App_client.png

App_client.png

App_client_settings.png

App_client_settings.png

Cognito.txt

Cognito.txt

README.md

README.md

api_gw_authorizers.png

api_gw_authorizers.png

config.py

config.py

create_user.py

create_user.py

diagram.png

diagram.png

lambda_api.py

lambda_api.py

login.py

login.py

Repository files navigation

About

Languages

luciangutu/cognito_auth

Folders and files

Latest commit

History

Repository files navigation

About

Topics

Resources

Stars

Watchers

Forks

Languages