How to use Cognito User Pool Authorizer with Amazon API Gateway?

Authorization Using Amazon Cognito User pool
Authorization using Amazon Cognito User Pool

In the previous post, we talked about the various ways you can use to manage access to the REST API. One of those ways was using Cognito User Pool authorization.

If you are using Amazon Cognito to control the identity management for your applications, the API gateway provides an easy way to authorize the actions using the Amazon Cognito user pools.  The tokens generated by Amazon Cognito will be validated when the request is made and access to the resource is only given if the token is valid and can be used. Before we explore an AWS SAM template that will implement this, let first define what are user pools.

Pre-requisite

The pre-requisite for this article is that you have a fully configured Cognito User pool to use and also have a barebone code to deploy to AWS. If you don't have the barebone code, you can use the barebone package for our Github hosted here.

What is an Amazon Cognito User Pool?

The Amazon Cognito user pool is a user directory. Your users can sign in using their username and passwords or the social identity providers like Google, Facebook, Amazon, or Apple, and SAML identity providers. Once a successful login is done, Amazon Cognito will generate a set of authorization tokens which can then be used to access the resources like API Gateway.

How to configure user pool authorization using AWS SAM?

Following is an AWS SAM template to deploy a Lambda function with API Gateway. We are also managing the access to the  API Gateway using the Cognito User Pools.

AWSTemplateFormatVersion: "2010-09-09"
Transform: AWS::Serverless-2016-10-31
Description:
  The barebone for aws lambda using koa and api gateway
Globals:
  Function:
    Timeout: 30
    Runtime: nodejs10.x
    MemorySize: 512
Resources:
  ApiGateway:
    Type: AWS::Serverless::Api
    Properties:
      Name: API
      StageName: Test
      Cors:
        AllowMethods: "'DELETE,GET,HEAD,OPTIONS,PATCH,POST,PUT'"
        AllowHeaders: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
        AllowOrigin: "'*'"
      Auth:
        DefaultAuthorizer: CognitoAuthorizer
        Authorizers:
          CognitoAuthorizer:
            UserPoolArn: <ARN OF THE USER POOL>
        AddDefaultAuthorizerToCorsPreflight: False
  APIRoutes:
    Type: AWS::Serverless::Function
    Properties:
      CodeUri: "./src"
      Handler: index.handler
      Events:
        APIEvent:
          Type: Api
          Properties:
            RestApiId: !Ref ApiGateway
            Path: /{proxy+}
            Method: ANY

Most of the template mentioned above is pretty similar to what we have in our barebone repository to deploy an API gateway with Lambda. You have not seen that post, you can access it here.

The new part of this template is, we added a Auth property under the ApiGateway. We have defined an authorizer with the name as CognitoAuthorizer which will have the user pool ARN of the user pool we would like it to authorize against.

Deploy the API and give it a try. You will need an authorization token to access the API Gateway. Happy Coding.