Securing APIs with AWS Cognito: A Beginner’s Guide

deepak kapse
Aug 16, 2024


AWS Cognito: AWS Cognito is a service that simplifies user authentication and management, allowing developers to easily add sign-up, sign-in, and access control to their web and mobile applications.

API Gateway: API Gateway is a fully managed service that enables developers to create, publish, maintain, and secure APIs at any scale, acting as a gateway to back-end services.

Use Case Importance: Integrating AWS Cognito with API Gateway is crucial for securing APIs, as it ensures that only authenticated users can access sensitive data or functionality, enhancing the overall security and reliability of your application.

After a user logs in through Cognito, they receive a token that they can include in the “Authorization” header of their API requests to gain access.

In this article, you’ll learn how to seamlessly integrate AWS Cognito with API Gateway to secure your APIs. Follow along as we walk through the process of setting up API Gateway, configuring a Cognito User Pool, using Cognito Hosted UI for authentication, and implementing an authorizer for your API. We’ll also cover how to test everything in Postman to ensure secure and smooth API access.

Create an API using API gateway

Step 1: Go to API Gateway and click on ‘Create API’.

Step 2: Select REST API

Step 3: In the next screen, we select ‘Example API’ for our learning purposes. Alternatively, you can choose whatever suits your needs.

Step 4: Then, at the bottom, click ‘Create API’ with the default settings.

Step 5: Then you will be redirected to a page like the following. Now click ‘Deploy API’. From this deployment, we can access the API.

Step 6: In the real world, we use stages like dev, QA, demo, and production. But for testing here, we can use any name we want. Then click ‘Deploy’.

Step 7: Then, you will be redirected to the following screen. Click on ‘Copy Invoke URL’.

Step 8: For testing, we can open the invoke URL in a browser and see the data returned by the API.

Step 9: We can also test with Postman. When we send a request to that URL, we get the same data from the API.

So, this API is publicly accessible, but we want only authorized users to access it.
As our first task is completed, we can now move forward. From this point onward, we will focus on setting up the Cognito user pool.

Create the Cognito User pool and get token

Step 1: Go to Cognito and click on ‘Create user pool’. Many more setup options are available here, but we will only configure what is needed to learn about the Cognito authorizer.

Step 2: Select ‘Email’ and click ‘Next’.

Step 4: Here, proceed with the default settings.

Step 5: We select ‘No MFA’ and click ‘Next’. Here, again, proceed with the default settings.

Step 6: Follow the steps as shown in the following figures.

Step 7: Click ‘Next’ with all the default settings.

Step 8: Click ‘Send email with Cognito’ and then click ‘Next’.

Step 9: Here, provide a name for the pool and check the ‘Hosted UI’ option. You can customize the Hosted UI if needed, but for now, let’s just use the default settings.

Step 10: Select the options as shown in the figure.

Step 11: Then, proceed with the default settings. Here, provide the app client name and enter the callback URL after successful login.

Step 12: Here in the advanced app client settings, you must select the implicit grant. This selection enables us to obtain tokens. Please select it as shown in the following figures.

Step 13: Now review the settings and create the user pool by clicking on “Create user pool”.

Step 14: Now, you should see that the Cognito user pool has been successfully created.

Step 15: Inside the Cognito user pool, click on “App integration”.

Step 16: Here, scroll down to view the list of app clients, then click on the desired client.

Step 17: In the redirected screen, click on “View Hosted UI”.

Step 18: Here, you can see the hosted UI. Now, we need to create a user.

Step 19: In the Cognito user pool, click on “Create user” as shown in the following figure.

Step 20: Fill in the information exactly as shown in the following figure, and then click on “Create user”.

Step 21: You can check the created user in the Users section.

Step 22: Now, in the hosted UI, enter the username and password you created for the user.

Step 23: For the first time, you will need to change the password.

Step 24: Then, copy the URL of the redirected page.

Step 25: Paste that into any text editor and filter out the id_token as shown below:

Now that we’ve completed the process of creating a Cognito user pool and obtaining the token, let’s proceed to set up the Cognito authorizer.

Create the Cognito Authorizer and Set Up

Step 1: Go to API Gateway and select the API that we created. Then, click on “Authorizers” in the left panel, and from there, click on “Create Authorizer”.

Step 2: For the authorizer, provide a name and select “Cognito” as the authorizer type. Choose the user pool we created and give the token source name. Then, click on “Create Authorizer”.

Step 3: Then, click on the authorizer as shown in the following figure.

Step 4: Now, test the authorizer as shown in the following figure: paste the ID token that we extracted from the redirect URL.

Step 5: If the token is correct, you will receive a 200 response.

Step 6: In API Gateway, click on “Resources”, then select “GET” as shown in the image. Afterward, click on “Method Request”, and then click on “Edit”.

Step 7: Here, select the Cognito authorizer that we created for authorization. Also, check the box for “API key required”, then click on “Save”.

Step 8: Now, we want to deploy the API with the authorizer setups. Click on ‘Deploy API’.

Step 9: Here, select the stage and provide a brief description, then click on “Deploy”.

Here, copy the Invoke URL for the next step.

Testing with Postman

Step 10: Now, let’s return to Postman. Attempt to retrieve the data without a token. You should receive a response with a status code 401, indicating “Unauthorized”.

Step 11: Use the ID token obtained from the link. It’s advisable to log in again to the hosted UI to get a fresh ID token. Then, in the header, set “dev-auth-token” as the key and paste the ID token as the value. Trigger the API again, and this time you should receive a 200 response.
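To show what Steps 24 and 25 (extracting the id_token from the redirect URL) and Steps 10 and 11 (calling the API with and without the token) look like in code, here is an added example; it is not part of the article and not AWS code. It assumes the Hosted UI uses the implicit grant as configured above, so the tokens arrive in the URL fragment after `#`, and that the authorizer's token source header is named `dev-auth-token` as in the article. The region, user pool ID and app client ID are placeholders, and the sample token is constructed and HMAC-signed only so the file runs offline: real Cognito tokens are RS256-signed, and the API Gateway Cognito authorizer verifies that signature against the pool's JWKS before it applies the claim checks mirrored in `check_claims`.

```python
"""Extract a Cognito ID token from the Hosted UI redirect, inspect its claims,
and call the protected API Gateway stage with it (added example, not the
article's code)."""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request
from typing import Optional, Tuple
from urllib.error import HTTPError

REGION = "us-east-1"                  # assumption: region of the user pool
USER_POOL_ID = "us-east-1_EXAMPLE"    # placeholder, not a real pool id
APP_CLIENT_ID = "exampleclientid123"  # placeholder app client id
TOKEN_HEADER = "dev-auth-token"       # token source name used in the article


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def extract_id_token(redirect_url: str) -> Optional[str]:
    """Return the id_token from the fragment (#id_token=...) of the redirect URL."""
    fragment = urllib.parse.urlsplit(redirect_url).fragment
    params = urllib.parse.parse_qs(fragment)
    return params.get("id_token", [None])[0]


def decode_claims(token: str) -> dict:
    """Decode the JWT payload (middle segment) without verifying the signature."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def check_claims(claims: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Mirror the claim checks the Cognito authorizer applies to an ID token."""
    now = time.time() if now is None else now
    expected_iss = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
    if claims.get("iss") != expected_iss:
        return False, "issuer does not match the user pool"
    if claims.get("token_use") != "id":
        return False, "not an ID token"
    if claims.get("aud") != APP_CLIENT_ID:
        return False, "audience is not our app client"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


def call_api(invoke_url: str, id_token: Optional[str] = None,
             api_key: Optional[str] = None) -> int:
    """GET the invoke URL and return the HTTP status (401 when no valid token is sent)."""
    req = urllib.request.Request(invoke_url)
    if id_token:
        req.add_header(TOKEN_HEADER, id_token)
    if api_key:  # only needed if "API key required" is enabled on the method
        req.add_header("x-api-key", api_key)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def make_sample_token(claims: dict) -> str:
    """Constructed token for offline use: HMAC-signed, NOT how Cognito signs (RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(b"constructed-secret", f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


# Constructed sample: the claims a Cognito ID token carries for our pool and client
SAMPLE_CLAIMS = {
    "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}",
    "aud": APP_CLIENT_ID,
    "token_use": "id",
    "email": "user@example.com",
    "exp": int(time.time()) + 3600,
}
# Constructed redirect URL in the shape the Hosted UI produces for the implicit grant
SAMPLE_REDIRECT_URL = ("https://example.com/callback#id_token="
                       + make_sample_token(SAMPLE_CLAIMS)
                       + "&access_token=constructed&expires_in=3600&token_type=Bearer")

if __name__ == "__main__":
    token = extract_id_token(SAMPLE_REDIRECT_URL)
    claims = decode_claims(token)
    print(json.dumps(claims, indent=2))
    print(check_claims(claims))
    # To hit a real stage: call_api("https://<api-id>.execute-api.<region>.amazonaws.com/<stage>/pets", token)
```

`check_claims` is deliberately the second half of validation only; never accept a token on the strength of its claims without first verifying the signature against the pool's JWKS, which is exactly what the authorizer does for you. Because the implicit grant delivers the token in the URL fragment, the token ends up in browser history and anywhere the URL is pasted, which is why the article's advice to fetch a fresh ID token before testing matters.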

By following these steps, you’ve successfully established a Cognito authorizer for your API, a crucial layer of security to protect your application and its data.
