How to use multiple Cognito user pools for a single endpoint with AWS API Gateway?

空扰寡人 提交于 2021-02-19 03:41:54

问题


I've recently implemented an API Gateway as a proxy with a single proxy endpoint.

I'm using Cognito as authorisation mechanism and as long as I have only one user pool everything is fine.

What I am trying to achieve is to be able to allow users from different user pools, but in the AWS Console I just seem to be able to select one Cognito mechanism which is only one user pool.

Is there a way to allow multiple user pool through another mean ? Is there an alternative best practice for this scenario ? I really need users to be in separate user pools so their authentication attributes are not shared and their accounts not mutualised.

Thank you


回答1:


As of today, the only viable solution to this problem seems to use a Lambda function to authorize users, retrieving their user pool ID in the token information and then comparing to it to a list of allowed user pools in order to give them access or not.




回答2:


The console doesn't allow creating multiple cognito pool users but the CLI does, I'm not sure if all programmatic updates (like terraform or cloudformation) can do it, but CLI worked for me. Try this: https://docs.aws.amazon.com/cli/latest/reference/apigateway/create-authorizer.html

Your CLI command might look something similar to this:

    aws apigateway create-authorizer 
    --rest-api-id xxxxxxx 
    --name 'cognito-auth-name' 
    --type COGNITO_USER_POOLS 
    --provider-arns arn:aws:cognito-idp:arn-of-userpool arn:aws:cognito-idp:arn-of-userpool arn:aws:cognito-idp:arn-of-userpool
    --identity-source 'method.request.header.Authorization'



回答3:


There are multiple ways of "Controlling and Managing Access to a REST API in API Gateway" and User Pool as Authorizer is one of them. In your case, I would go with IAM Permissions by attaching a policy to an IAM user representing the API caller, to an IAM group containing the user, or to an IAM role assumed by the user.

As a reference, I'm suggesting IAM Permissions instead of Lambda authorizers as I don't see a need to "control access to REST API methods using bearer token authentication as well as information described by headers, paths, query strings, stage variables, or context variables request parameters" in your request.




回答4:


I found Abhay Nayak answer useful, it helped me to achieve my scenario:

  • Allowing authorization for a single endpoint, using JWTs provided by different Cognitos, from different aws accounts. Using cognito user pool authorizer, not custom lambda authorizer.

Here is the authorizer and endpoint from my serverless .yml template:

functions:
  service:
    handler: service.service
    events:
      - http:
          path: service
          method: get
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId:
              Ref: ApiGatewayAuthorizer


resources:
  Resources:
    ApiGatewayAuthorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
        AuthorizerResultTtlInSeconds: 300
        Name: API_AUTH_cognito_authorizer
        IdentitySource: method.request.header.Authorization
        RestApiId:
          Ref: ApiGatewayRestApi
        Type: COGNITO_USER_POOLS
        ProviderARNs:
          - arn:aws:cognito-idp:us-east-1:account1:userpool/userpool1
          - arn:aws:cognito-idp:us-east-1:account1:userpool/userpool2
          - arn:aws:cognito-idp:us-east-1:account2:userpool/userpool3
          - arn:aws:cognito-idp:us-east-1:account2:userpool/userpool4


来源:https://stackoverflow.com/questions/58453901/how-to-use-multiple-cognito-user-pools-for-a-single-endpoint-with-aws-api-gatewa

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!