AWS Cognito and AWS API Gateway

Paul Allies
2 min read · Aug 8, 2021

Let’s configure AWS Cognito to secure our AWS API Gateway.

Open AWS Cognito:

Create a default User Pool

After the pool is created, go back into the pool’s settings and create an app client.

Update the App Client Settings

Add a domain to host your auth pages

Go back into “App client settings” and “Launch Hosted UI”.

Now, to secure your API, create a Cognito Authorizer within your AWS API Gateway configuration.

Now secure an API endpoint by updating the “Method Request” of that method. You might need to refresh your browser to update the list of authorizers.

Re-deploy the API and test the endpoint. You now get the following response:

{"message":"Unauthorized"}

Let’s get a token. Go back to the Cognito Hosted UI sign-in page and request a token by changing the `response_type` query-string parameter from “code” to “token”, because we’d like the Cognito service to return a token directly on successful login.

https://app2.auth.eu-west-1.amazoncognito.com/login?client_id=xxxxxxxxxxxx&response_type=token.....

On successful sign-in, an id_token and an access_token are returned in the URL. Retrieve the access_token.

To access the secure endpoint, we now need to provide the access token in the “Authorization” header:

GET https://xxxxxxxx.execute-api.af-south-1.amazonaws.com/dev
Authorization: vLnNpZ25pbi51c2Vy...
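The two steps above, picking the access_token out of the Hosted UI redirect and the checks the Cognito Authorizer runs on the Authorization header before it answers anything other than `{"message":"Unauthorized"}`, are shown below as an added Go example. It is not code from the article or from AWS: the issuer URL and client_id are placeholders, the RSA key is generated locally and `Mint` signs a token with it only so the example runs offline (in production Cognito holds the signing key), and the `jwks` map stands in for the public keys a real check would fetch from the pool’s `.well-known/jwks.json` endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Assumed placeholder values for a hypothetical pool (the page shows only redacted ones).
const (
	issuer   = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
	clientID = "xxxxxxxxxxxx"
)

// Claims is the subset of a Cognito access token that the authorizer checks.
type Claims struct {
	Iss      string `json:"iss"`
	Sub      string `json:"sub"`
	ClientID string `json:"client_id"`
	TokenUse string `json:"token_use"`
	Exp      int64  `json:"exp"`
}

// ExtractAccessToken reads access_token from the Hosted UI redirect URL.
func ExtractAccessToken(redirect string) (string, error) {
	u, err := url.Parse(redirect)
	if err != nil {
		return "", err
	}
	params, err := url.ParseQuery(u.Fragment) // with response_type=token the tokens sit after '#', not in the query
	if err != nil || params.Get("access_token") == "" {
		return "", errors.New("no access_token in URL fragment")
	}
	return params.Get("access_token"), nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// Mint signs an RS256 JWT; it exists only so the example runs offline (Cognito holds the real key).
func Mint(key *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + b64(sig)
}

// Verify applies the authorizer's checks: kid lookup in the JWKS, RS256 signature, issuer, expiry, token_use, client_id.
func Verify(token string, jwks map[string]*rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	rawBody, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(rawHdr, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg") // never let the token pick the algorithm
	}
	pub, ok := jwks[hdr.Kid]
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ok || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("unknown kid or bad signature")
	}
	var c Claims // claims are parsed only after the signature is known to be good
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, errors.New("wrong issuer")
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.TokenUse != "access":
		return nil, errors.New("not an access token")
	case c.ClientID != clientID:
		return nil, errors.New("wrong client_id")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := map[string]*rsa.PublicKey{"kid-1": &key.PublicKey} // stands in for .well-known/jwks.json
	c := Claims{Iss: issuer, Sub: "user-1", ClientID: clientID, TokenUse: "access", Exp: time.Now().Add(time.Hour).Unix()}
	_, err := Verify(Mint(key, "kid-1", c), jwks, time.Now())
	fmt.Println("access token accepted:", err == nil)
}
```

Each branch of `Verify` is one reason the gateway would keep answering `{"message":"Unauthorized"}`: an expired token, an id_token sent where an access token is expected, a token minted for another app client, or a signature that does not match a key in the pool’s JWKS (`https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json`). Note that `response_type=token` is the implicit grant, which places the tokens in the URL fragment where they end up in browser history; the authorization code grant (`response_type=code`, exchanged at the token endpoint with PKCE) keeps them out of the URL and is the form recommended for new clients.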

We now get the response:

{"message":"Welcome to My Secure API"}

Done!
