Login/Register
How to authenticate API Gateway calls with Facebook?
Asked Answered
Solved amazon-web-servicesauthenticationamazon-cognitoaws-api-gatewayamazon-cognito-facebook
F

1

12

Problem: I want to authorize my Amazon API Gateway hosted REST API users using Facebook Authentication.

My Understanding: I know Amazon Cognito can be used to authenticate users, calling as Federated Identities. Then, I saw Authenticate API Clients with Amazon Cognito Your User Pool, which authenticates for Cognito User Pool. I also found Use Amazon API Gateway Custom Authorizers, to use from custom authorization. But, I did not find to link API Gateway to authenticate using Cognito Federated Identities (i.e. Facebook here). Can we use same procedure as User Pool for Federated Identities as well or should I use as in Custom Authorizers ? I'm a bit confused. Any help is greatly appreciated.

Thanks in Advance.

Foetus answered 27/8, 2016 at 18:28 Comment(0)
R
15

Cognito federated identities and Cognito user pools address different use cases.

With Cognito user pools, you explicitly manage the users which can access your service. This is useful when you want to limit access to your API to a fixed set of users.

With Cognito federated identities, you delegate user management to an identity provider such as Facebook, Google, or Amazon. In that case, anyone with a user identity for your chosen identity provider can access your service. This is useful when you want to make your API broadly available, but still need to associate individual identities with your API users in order to manage per-user state or resources.

To use a federated identity, you set the API Gateway method to use “AWS_IAM” authorization. You use Cognito to create a role and associate it with your Cognito identity pool. You then use the Identity and Access Management (IAM) service to grant this role permission to call your API Gateway method.

Reviewer answered 27/8, 2016 at 21:5 Comment(11)
Also, Its not just authorization that I want, I also like to know who the user is? B'se I will have different results for different users on my API calls. My purpose is that I want to authenticate my users, so that I know who they are as well. From my understanding from your answer I can only see that we are authorizing users only.Foetus
Probably I may be wrong how and what Cognito does, please explain If I'm missing a point.Foetus
API Gateway passes through the user identity information via $context.identity.cognitoAuthenticationProvider, $context.identity.cognitoIdentityId, $context.identity.cognitoIdentityPoolId, $context.identity.user, and $context.identity.userArn. See documentation hereReviewer
Great. Thanks! I have got AccessKeyId, SecretKey, SessionToken, IdentityId after authenticating user with Facebook and getting AWS credentials from Cognito. Now, I guess I understood the whole procedure, except one thing: After changing the authorization to AWS_IAM for API Gateway method, how should I send a REST request with authorization information. I mean what and where should I include that information. In Request Header/Body and how? Thanks in Advance.Foetus
Probably if I sign the requests manually using Signature Version 4 Signing Process may solve the problem. Right?Foetus
Correct, you sign the request with sigV4. You can sign it yourself, use one of the existing libraries to sign it, or generate a client for your API Gateway and it will sign the request.Reviewer
Thanks! I was not able to find that existing libraries to sign. Can you please give me a link?Foetus
Are there any libraries that can do the signing?Endermic
@AzizJaved None that I know. But you can check the client SDK generated by the API Gateway or the AWS docs on how to signFoetus
I've used SigV4 to sign an MQTT connection so I'm somewhat familiar. So what should be the format of my signed request?Emigrate
@Emigrate You should probably refer the docs. If you already know how to generate a signature, see thisFoetus

© 2022 - 2024 — McMap. All rights reserved.