Using Cognito with C# serverless application

1
votes

I want to create a AWS serverless application that uses AWS Cognito for authentication. My starting point is the AWS Serverless Application with Tests (.NET Core) template for C# in Visual Studio 2017. When deployed the template creates some Lambda functions and sets up AWS API Gateway so that I can connect to the Lambda functions via REST requests. This works.

I have created a user pool in AWS Cognito, and a javascript client (a single page application) that lets the user sign in using AWS Cognito. In the javascript client I am able to connect to AWS Cognito and get id, access and refresh tokens as JWT. I can also sent these tokens in an Authorization: Bearer eyblablabla... header to the backend (the AWS serverless application). So the javascript client authentication and AWS Cognito setup appears to work. I have also in AWS API Gateway set up an authorizer that points to the AWS Cognito user pool.

My problem is the following: The backend does not appear to be aware of the authorization header. When examining the request I do not get any claims for the user. I am specifically interested in getting the sub claim so that I can identify the user. Also, I would like the API gateway to automatically send a Unauthorized response for specific methods, but I do not know how to set that up.

As part of the Lambda function signature I get a APIGatewayProxyRequest request object. Apparently the request.RequestContext.Authorizer.Claims should contain the user claims, but the .Authorizer is null.

I am able to get any JWT that I send from the javascript client y reading the request header, so I could parse the token to get user claims. But I figure there must be something wrong with my setup since the .Authorizer does not get populated.

Only suggestions I have found so far involve stuff in a serverless.yml or Swagger template file, neither of which is part of the AWS Serverless Application VS2017 template. Instead I have a serverless.template JSON file, and no obvious way to add authentication / security setup to that file.

My code is so far identical to the AWS Serverless Application template in VS2017.

Any help will be strongly appreciated.

1
c#aws-lambdajwtaws-api-gatewayaws-cognito

1 Answers

0
votes

You need to enable Use Lambda Proxy integration in the API Method Integration Request. Your APIGatewayProxyRequest object will then look something like this:

{
"Resource": "/test",
"Path": "/test",
"HttpMethod": "GET",
"Headers": {
    "Accept": "*/*",
    "accept-encoding": "gzip, deflate",
    "Authorization": "your token",
    "cache-control": "no-cache",
    "CloudFront-Forwarded-Proto": "https",
    "CloudFront-Is-Desktop-Viewer": "true",
    "CloudFront-Is-Mobile-Viewer": "false",
    "CloudFront-Is-SmartTV-Viewer": "false",
    "CloudFront-Is-Tablet-Viewer": "false",
    "CloudFront-Viewer-Country": "US",
    "Host": "xxxxxxx.execute-api.us-east-1.amazonaws.com",
    "Postman-Token": "08820d50-c5d4-498a-bfee-c76994bb91f1",
    "User-Agent": "PostmanRuntime/7.4.0",
    "Via": "1.1 dd169cfdbbafbb3da513bede6bc6640e.cloudfront.net (CloudFront)",
    "X-Amz-Cf-Id": "89ftx9aaVK0k2KOFu-5QESLXzGUGAw17gNCCY03in-hF2hd-LvRhIg==",
    "X-Amzn-Trace-Id": "Root=1-5c125bb9-1e8b9fea8d1beb20147a24d2",
    "X-Forwarded-For": "50.196.109.21, 70.132.33.133",
    "X-Forwarded-Port": "443",
    "X-Forwarded-Proto": "https"
},
"QueryStringParameters": null,
"PathParameters": null,
"StageVariables": null,
"RequestContext": {
    "Path": "/test_oauth/token",
    "AccountId": "xxxxxxxxxxxxx",
    "ResourceId": "luy67k",
    "Stage": "test_oauth",
    "RequestId": "5455133d-fed9-11e8-8f41-ef35907ced2d",
    "Identity": {
        "CognitoIdentityPoolId": null,
        "AccountId": null,
        "CognitoIdentityId": null,
        "Caller": null,
        "ApiKey": null,
        "SourceIp": "50.196.109.21",
        "CognitoAuthenticationType": null,
        "CognitoAuthenticationProvider": null,
        "UserArn": null,
        "UserAgent": "PostmanRuntime/7.4.0",
        "User": null
    },
    "ResourcePath": "/token",
    "HttpMethod": "GET",
    "ApiId": "8xxg9ez961",
    "Authorizer": {
        "claims": {
            "sub": "4560ac4b-54a0-4184-8831-e3cb2583726b",
            "aud": "xxxxxxxxxxxxxxxx",
            "email_verified": "false",
            "event_id": "467633ad-fed9-11e8-88ff-25be6cd15697",
            "token_use": "id",
            "custom:ApplicationId": "12345",
            "auth_time": "1544706978",
            "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-xxxxxxxxx",
            "cognito:username": "username",
            "exp": "Thu Dec 13 14:16:18 UTC 2018",
            "iat": "Thu Dec 13 13:16:18 UTC 2018",
            "email": "[email protected]"
        }
    }
},
"Body": null,
"IsBase64Encoded": false
}

Please note, you'll find you get different values if your API Gateway is setup to use the id token vs an access token (which is a difference in using custom OAuth Scopes or not in your API Gateway setup). You'll also find the results depend the settings for your User Pool App Client- which Allowed Oauth scopes are enabled as well as which attributes are enabled for your App Clients.