I have an API service, which I'm going to deploy using AWS API Gateway with a Cognito authorizer + Lambda as the backend. This service will be used by our JavaScript client. Also, it should be exposed to end users as raw endpoints for programmatic access.

While it was quite easy to enable signup/login in js client using federated identities, I can't figure out the way to provide users with private access token to include directly in http headers.

Here are two authentication flows, I'd like to get in the end:

The flow for js client user:

  1. User signs up with Facebook or Google.
  2. User verifies his identity.
  3. After login, user goes to the Profile/API Keys section in the interface.
  4. User copies the access token and can include it in the HTTP request header in any HTTP client (httpie, curl, language libraries, whatever).

The flow for admin created user:

  1. Admin creates user.
  2. Access token is generated for that user.
  3. Admin passes the generated access token to the user.
  4. User can include it in http headers to make request, as in previous flow.

An access token should be permanent, and can be regenerated by user at any time (think of Stripe API access keys).

The point here is to eliminate additional steps for the user to start using the service programmatically. The closest thing in the AWS docs so far is developer-authenticated identities, but the user would have to use the AWS SDK anyway.

One possible way to accomplish this task is to use a Custom authorizer instead of the Cognito authorizer in API Gateway. The Custom authorizer could implement logic based on, e.g., the auth header name and decide either to authorize in Cognito or to use an API access token stored in a database. I'm not sure if it is possible, and if it is, the major drawback is having to reimplement the Cognito authentication flow in a Lambda function.

The question is how can I accomplish such API access token (re)generation using Cognito or API Gateway?

First, access tokens from Cognito are not supposed to be permanent due to security reasons. Not sure what the issue is exactly. One can always write a script which requests Cognito for a token & programmatically include it in HTTP requests. Do you mean that the user has to never sign in again after doing so once? If so, you can always use the refresh tokens to get fresh tokens. – agent420

1 Answer

The first flow should be possible with User Pools. Cognito User Pools now has a federation feature where you can federate using Facebook/Google and receive access token/refresh token depending on the flow used.

For an admin-created user, the user would need to authenticate before tokens are issued, but this can be achieved by creating the user with a temporary password and signing the user in with that password, after which the password can be changed and the user logged in again to receive access/refresh tokens.

The refresh token use case is that it can be used against the Cognito APIs to receive a new access token. When the refresh token expires (default is 30 days but it is configurable), the user would have to authenticate again.
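The admin-created-user flow and the refresh step described in this answer, as an added worked example (not code from the answerer or from AWS). The boto3 method names and parameter shapes (`admin_create_user`, `initiate_auth` with `USER_PASSWORD_AUTH` / `REFRESH_TOKEN_AUTH`, `respond_to_auth_challenge` with `NEW_PASSWORD_REQUIRED`) are the real `cognito-idp` API; the client object is injected so the same functions can be pointed at `boto3.client("cognito-idp")` or at the constructed `StubCognitoClient` below, which is an assumption made so the flow runs offline. The user pool id, app client id, usernames and passwords are placeholders; the stub omits the `IdToken` that real Cognito also returns.

```python
"""Admin-created Cognito User Pool user: temporary password, NEW_PASSWORD_REQUIRED
challenge, then REFRESH_TOKEN_AUTH once the access token is about to expire.
Added example, not from the original answer; the Cognito client is injected."""
import base64
import json
import time


def admin_create_and_sign_in(client, user_pool_id, client_id, username,
                             temp_password, new_password):
    """Create the user as admin, then complete the forced password change so
    Cognito issues tokens. Returns the AuthenticationResult dict."""
    client.admin_create_user(
        UserPoolId=user_pool_id,
        Username=username,
        TemporaryPassword=temp_password,
        MessageAction="SUPPRESS",  # admin hands the temporary password over out of band
    )
    resp = client.initiate_auth(
        ClientId=client_id,
        AuthFlow="USER_PASSWORD_AUTH",  # the app client must have this flow enabled
        AuthParameters={"USERNAME": username, "PASSWORD": temp_password},
    )
    # First sign-in with a temporary password yields a challenge, not tokens.
    if resp.get("ChallengeName") != "NEW_PASSWORD_REQUIRED":
        raise RuntimeError("expected NEW_PASSWORD_REQUIRED, got %r" % resp.get("ChallengeName"))
    resp = client.respond_to_auth_challenge(
        ClientId=client_id,
        ChallengeName="NEW_PASSWORD_REQUIRED",
        Session=resp["Session"],
        ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password},
    )
    return resp["AuthenticationResult"]  # AccessToken, RefreshToken, ExpiresIn (real Cognito adds IdToken)


def access_token_expires_at(access_token):
    """Read the 'exp' claim from the JWT payload. No signature check here: the
    client only schedules refreshes with it; API Gateway verifies the signature."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]


def refresh_if_needed(client, client_id, tokens, now=None, skew=60):
    """Return tokens for the next request, running REFRESH_TOKEN_AUTH when the
    access token expires within `skew` seconds. The refresh token is kept because
    Cognito does not return a new one on this flow."""
    now = time.time() if now is None else now
    if access_token_expires_at(tokens["AccessToken"]) - skew > now:
        return tokens
    resp = client.initiate_auth(
        ClientId=client_id,
        AuthFlow="REFRESH_TOKEN_AUTH",
        AuthParameters={"REFRESH_TOKEN": tokens["RefreshToken"]},
    )
    fresh = dict(tokens)
    fresh.update(resp["AuthenticationResult"])
    return fresh


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


class StubCognitoClient:
    """Constructed stand-in for boto3.client("cognito-idp") (assumption, not the
    SDK): mints unsigned JWTs with a one-hour 'exp' so the flow runs offline."""

    def __init__(self, now):
        self.now = now
        self.users = {}

    def _tokens(self, username, with_refresh=True):
        header = _b64url(json.dumps({"alg": "none"}).encode())
        payload = _b64url(json.dumps({"sub": username, "exp": self.now + 3600}).encode())
        result = {"AccessToken": header + "." + payload + ".stub", "ExpiresIn": 3600}
        if with_refresh:
            result["RefreshToken"] = "refresh-" + username
        return result

    def admin_create_user(self, UserPoolId, Username, TemporaryPassword, MessageAction=None):
        self.users[Username] = {"password": TemporaryPassword, "must_change": True}
        return {"User": {"Username": Username, "UserStatus": "FORCE_CHANGE_PASSWORD"}}

    def initiate_auth(self, ClientId, AuthFlow, AuthParameters):
        if AuthFlow == "REFRESH_TOKEN_AUTH":
            username = AuthParameters["REFRESH_TOKEN"][len("refresh-"):]
            if username not in self.users or self.users[username]["must_change"]:
                raise PermissionError("NotAuthorizedException: invalid refresh token")
            return {"AuthenticationResult": self._tokens(username, with_refresh=False)}
        user = self.users.get(AuthParameters["USERNAME"])
        if user is None or user["password"] != AuthParameters["PASSWORD"]:
            raise PermissionError("NotAuthorizedException: incorrect username or password")
        if user["must_change"]:
            return {"ChallengeName": "NEW_PASSWORD_REQUIRED",
                    "Session": "session-" + AuthParameters["USERNAME"]}
        return {"AuthenticationResult": self._tokens(AuthParameters["USERNAME"])}

    def respond_to_auth_challenge(self, ClientId, ChallengeName, Session, ChallengeResponses):
        username = ChallengeResponses["USERNAME"]
        if ChallengeName != "NEW_PASSWORD_REQUIRED" or Session != "session-" + username:
            raise PermissionError("NotAuthorizedException: invalid session")
        self.users[username] = {"password": ChallengeResponses["NEW_PASSWORD"], "must_change": False}
        return {"AuthenticationResult": self._tokens(username)}
```

A programmatic client keeps only the refresh token at rest and calls `refresh_if_needed` before each request; when that call fails (refresh token expired or revoked), the user has to authenticate again, which is the behaviour the answer describes.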