Setting Up AWS Cognito Authorizer for API: A Step-by-Step Guide

Deepak Kapse
7 min read · Sep 18, 2024

This project presents a step-by-step guide on setting up an AWS Cognito Authorizer for an API. AWS provides two main types of authorizers: Lambda authorizer and Cognito authorizer. This guide focuses specifically on the Cognito authorizer, a powerful tool for controlling access to APIs.

AWS Cognito: AWS Cognito is a service that simplifies user authentication and management, allowing developers to easily add sign-up, sign-in, and access control to their web and mobile applications.

API Gateway: API Gateway is a fully managed service that enables developers to create, publish, maintain, and secure APIs at any scale, acting as a gateway to back-end services.

Use Case Importance: A common use case for this setup is a scenario where only authorized users should be able to access an API. For example, consider an e-commerce application that exposes an API for managing user orders. By implementing a Cognito authorizer, access to this API can be restricted to authenticated users, ensuring that only authorized individuals can view or modify order information.

In this article, you’ll learn:

  • How to integrate AWS Cognito with API Gateway for robust API security
  • Step-by-step setup of API Gateway for your services
  • How to configure a Cognito User Pool for user management
  • How to use the Cognito Hosted UI for the sign-in experience
  • How to implement a Cognito authorizer to protect your API endpoints
  • How to set up a Lambda function that is invoked after a successful login
  • Hands-on testing with Postman to ensure your API is both secure and accessible

Creating a Lambda Function

This is the back-end function that the API created in API Gateway will call.

  1. Navigate to the Lambda service in the AWS Management Console.
  2. Create a new Lambda function:
  • Click on “Create function”.
  • Choose “Author from scratch”.
  • Provide a name for your function (here, myHelloFunction) and select a runtime (e.g., Python 3.8).
  • Click on “Create function”.

3. Add the function code:

  • In the Lambda function editor, add the following code:
    import json

    # Minimal handler: API Gateway returns this status and body to the caller.
    def lambda_handler(event, context):
        return {
            'statusCode': 200,
            'body': json.dumps('Hello world from Deepak Kapse!')
        }

4. Deploy the function by clicking on “Deploy”.

Set Up API Gateway

1. As the first step, go to API Gateway and click on “Create API”.

2. Select REST API

3. In the next screen, select ‘New API’, provide a name (here, yourapi-lambda) and click ‘Create API’.

4. Add a route:

  • Click on “Create method” and select “Lambda function”.
  • Click “Next”.

5. Deploy the API:

  • Click on “Deploy”.
  • In the real world, we use stages like dev, QA, demo, and production, but for testing here we can use any name we want. Then click ‘Deploy’.
  • You will then be redirected to the following screen. This invoke URL will be used in upcoming steps.

Now that the Lambda function and API Gateway are set up, we can move forward. From this point onward, we will focus on setting up the Cognito user pool.

Create the Cognito User pool

1. Go to Cognito and click on ‘Create user pool’. There are many more setup options available, but here we will only set up what is needed for learning about the Cognito authorizer.

2. Select ‘Email’ and click ‘Next’.

3. Here, proceed with the default settings.

4. We select ‘No MFA’ and click ‘Next’. Here, again, proceed with the default settings.

5. Follow the steps as shown in the following figures

6. Click ‘Next’ with all the default settings.

7. Click ‘Send email with Cognito’ and then click ‘Next’.

8. Here, provide a name for the pool and check the ‘Hosted UI’ option. You can customize the Hosted UI if needed, but for now, let’s just use the default settings.

9. Select the options as shown in the figure.

10. Then, proceed with the default settings. Provide the app client name and paste the API invoke URL into the callback URL field:

11. Here, in the advanced app client settings, you must select the Authorization code grant. This is the more secure flow, so we practise with it. Select it as shown in the following figures.

12. Now review the settings and create the user pool by clicking on “Create user pool”.

13. Now, you should see that the Cognito user pool has been successfully created.

14. Inside the Cognito user pool, click on “App integration”.

15. Here, scroll down to view the list of app clients, then click on the desired client.

16. In the redirected screen, click on “View Hosted UI”.

17. Here, you can see the hosted UI. Now, we need to create a user.

18. In the Cognito user pool, click on “Create user” as shown in the following figure.

19. Fill in the information exactly as shown in the following figure, and then click on “Create user”.

20. You can check the created user in the Users section.

21. Now, in the hosted UI, enter the username and password you created for the user.

22. For the first time, you will need to change the password.

Now that we’ve completed the process of creating a Cognito user pool, let’s proceed to set up the Cognito authorizer.

Create the Cognito Authorizer and Set Up

1. Go to API Gateway and select the API that we created. Then, click on “Authorizers” in the left panel, and from there, click on “Create Authorizer”.

2. For the authorizer, provide a name and select “Cognito” as the authorizer type. Choose the user pool we created and enter the token source (the name of the request header that will carry the token). Then, click on “Create Authorizer”.

3. Attach the Authorizer to the API route:

  • Navigate to the routes section and select the route to be secured.
  • Under the “Authorization” section, select the Cognito Authorizer created earlier.
  • Save the changes.
  • In API Gateway, click on “Resources”, then select “GET” as shown in the image. Afterward, click on “Method Request”, and then click on “Edit”.

4. Now, let’s test the authorizer using the token source, as shown in the following figure. Paste the token we obtained after logging in through the hosted UI.

  • If the token is correct, you will receive a 200 response.
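As an added illustration (this script is not part of the original article), the following Python code walks through what happens between the hosted UI login and the 200 response above. Because the Authorization code grant was chosen in step 11 of the user pool setup, the callback URL receives a one-time code rather than a token; the code is exchanged at the pool’s /oauth2/token endpoint, and the resulting ID token is what goes into the header named as the authorizer’s token source. The pool id, app client id, Cognito domain and invoke URL below are placeholders to be replaced with your own values; the script assumes an app client without a client secret, and the unsigned sample token is constructed only for offline checking.

```python
# Added example (not the article's code): exchange the authorization code for
# tokens and inspect the ID token before sending it to the API Gateway invoke URL.
import base64
import json
import time
import urllib.parse
import urllib.request

# --- assumed values (placeholders, not from the article) ---
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"                                        # placeholder pool id
APP_CLIENT_ID = "example-app-client-id"                                   # placeholder app client id
COGNITO_DOMAIN = "https://example.auth.us-east-1.amazoncognito.com"       # placeholder hosted-UI domain
INVOKE_URL = "https://example.execute-api.us-east-1.amazonaws.com/dev"    # placeholder invoke URL
CALLBACK_URL = INVOKE_URL + "/"   # the invoke URL registered as callback URL (step 10)


def code_from_callback(redirected_url):
    """With the authorization code grant, the hosted UI redirects to the callback
    URL with ?code=...; the address bar carries this one-time code, not a token."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirected_url).query)
    codes = query.get("code")
    if not codes:
        raise ValueError("no authorization code in callback URL")
    return codes[0]


def token_request(code):
    """Build the POST to the Cognito /oauth2/token endpoint that exchanges the code
    for id/access/refresh tokens; redirect_uri must match the registered callback."""
    form = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": APP_CLIENT_ID,
        "code": code,
        "redirect_uri": CALLBACK_URL,
    }).encode()
    return urllib.request.Request(
        COGNITO_DOMAIN + "/oauth2/token",
        data=form,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature: fine for seeing what
    API Gateway will see, never a substitute for the authorizer's signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def usable_for_authorizer(claims, now=None):
    """Mirror the checks a Cognito user pool authorizer applies: issued by our pool,
    an ID token for our app client, and not yet expired."""
    now = time.time() if now is None else now
    issuer = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
    return (
        claims.get("iss") == issuer
        and claims.get("token_use") == "id"
        and claims.get("aud") == APP_CLIENT_ID
        and claims.get("exp", 0) > now
    )


def api_request(id_token):
    """The request Postman sends in the testing step: the raw ID token in the
    header named as the authorizer's token source (Authorization here)."""
    return urllib.request.Request(INVOKE_URL + "/", headers={"Authorization": id_token})


def make_unsigned_jwt(claims):
    """Construct a sample token with an empty signature for OFFLINE testing only;
    real Cognito tokens are RS256-signed and the authorizer verifies them."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


if __name__ == "__main__":
    # Live run: paste the URL the browser lands on after hosted-UI login.
    redirected = input("Redirected callback URL: ")
    with urllib.request.urlopen(token_request(code_from_callback(redirected))) as r:
        tokens = json.load(r)
    claims = jwt_claims(tokens["id_token"])
    print("token usable:", usable_for_authorizer(claims), "for", claims.get("email"))
    with urllib.request.urlopen(api_request(tokens["id_token"])) as r:
        print(r.status, r.read().decode())
```

The claim checks in usable_for_authorizer are the reason an access token pasted into the test box fails with the default authorizer configuration: the authorizer expects an ID token whose aud is the app client, unless OAuth scopes have been configured on the method.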

Testing with login

Now, let’s return to the login page. Log in and attempt to retrieve the data. You should receive the response generated by the Lambda function.
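As an added example (not the article’s own function), here is what the Lambda behind the now-protected route can do with the login: for a REST API, API Gateway copies the verified token claims into event["requestContext"]["authorizer"]["claims"], so the function can identify the caller without ever handling the raw token. The sample event and the pool id in it are constructed for illustration.

```python
# Added example (not the article's code): a handler that uses the Cognito
# claims API Gateway attaches after the authorizer accepts the request.
import json


def caller_claims(event):
    """Return the Cognito claims API Gateway attached, or {} when the request did
    not pass through the authorizer (e.g. a console test event)."""
    return (
        event.get("requestContext", {})
        .get("authorizer", {})
        .get("claims", {})
    ) or {}


def lambda_handler(event, context):
    claims = caller_claims(event)
    if not claims:
        # Defensive: never treat an invocation without claims as a logged-in user.
        return {"statusCode": 401, "body": json.dumps("no Cognito claims on request")}
    return {
        "statusCode": 200,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps({
            "message": f"Hello {claims.get('email') or claims.get('sub')}!",
            "user_id": claims.get("sub"),                      # stable Cognito user id
            "pool": claims.get("iss", "").rsplit("/", 1)[-1],  # user pool id from the issuer
        }),
    }


# Constructed sample event shaped like what API Gateway sends for this setup.
SAMPLE_EVENT = {
    "httpMethod": "GET",
    "path": "/",
    "requestContext": {
        "authorizer": {
            "claims": {
                "sub": "11111111-2222-3333-4444-555555555555",
                "email": "user@example.com",
                "token_use": "id",
                "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
            }
        }
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))   # 200 with the caller's identity
    print(lambda_handler({"httpMethod": "GET"}, None))   # 401: no claims present
```

Keeping the identity check on the claims (rather than re-parsing the Authorization header in the function) means the authorizer remains the single place where token validation happens.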

By following these steps, you’ve successfully established a Cognito authorizer for your API, a crucial layer of security to protect your application and its data.
