Securing API Gateway endpoints using Cognito

Hi,

I’m using Cognito as an authentication layer for a mobile app and I’m wondering if someone can recommend a good example for implementing an authorizer function for API Gateway endpoints using the Serverless framework.
By the way, the app uses Facebook login and a regular email/password login (so both Cognito Federated Identities and a Cognito User Pool are needed).

Thank you in advance!


Not sure if this is going to help you or not, but I have a full-on auth workflow (signin/login/reset password) running in Serverless. I originally used https://github.com/danilop/LambdAuth as a base for my methods. The version I used was outdated (not sure if it has been updated since I got it), so I updated the Lambda handlers to how I wanted them but kept the main logic. On my Lambdas that require AWS authentication I call STS to get temporary credentials and pass these credentials into the call to API Gateway. That library doesn't use Facebook auth; it uses its own system. I still plan on adding Facebook as an option, just haven't gotten there yet. The concepts remain the same though.

If you have specific questions I would be happy to help. It's quite a process to get everything to work and to understand everything, but I find that if you just start you'll eventually get there.


We use Cognito as the auth layer for our web app. You can see it here: https://github.com/keboola/developer-portal

This is the authorizer function: https://github.com/keboola/developer-portal/blob/master/lambda/authorizer.js (I found it in an AWS article; it is simply copied from there.)

And configuration in serverless.yml looks like:

functions:
  authorizer:
    handler: authorizer.authorizer

  authProfile:
    handler: auth.profile
    events:
      -
        http:
          authorizer: authorizer
          method: get
          path: auth/profile

I know that APIG supports a “Cognito User Pool Authorizer” without needing a special Lambda function, and Serverless should support defining an authorizer by ARN (see https://serverless.com/framework/docs/providers/aws/events/apigateway/#http-setup-with-custom-authorizer-via-arn), but I haven’t tried it yet. So if you try it, I will be happy to hear whether it works. ;o)


(Here’s the article I referred to: https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/)


Because the Cognito documentation is terribly bad, we spent too much time researching (our clients are mobile apps and a website), and currently we are not planning to use Cognito Data Sync.
I finally ended up implementing JWT for my endpoints by using a Lambda custom authorizer.
In less than 2 days the authorization system was working.
The login endpoint had a 900 millisecond response time when using Cognito; now it is 70 milliseconds using JWT.
However, we are still using Cognito for uploading data to S3. This has been solved by creating an endpoint that returns a token and the Cognito identityId to clients.

Yup, it seems Cognito has outgrown what it was initially designed for as a mobile solution. I see you already figured it out, but for anyone else looking to use Cognito as an authenticator, here’s a quick step-by-step tutorial with an example serverless.yml config: http://serverless-stack.com/chapters/add-a-create-note-api.html#configure-the-api-endpoint


Can you please tell me how you did your authorization system using Serverless?
I tried implementing my own solution but I didn’t know what to do with the bcrypt lib that I use to hash passwords.

@SamiSammour my post is more than 1 year old, but at the time I used the Node.js AWS template called “custom authorizer” (it was available in the “create a Lambda function” web section).
Authorizers don’t work with passwords in this case. You should use tokens (google for JWT), so you don’t need the bcrypt lib here (you will use it only once, in the login API endpoint).
If you read about API Gateway authorizers you will understand the whole thing. Authorizers are “attached” to the endpoints that require the user to be authenticated. I’m pretty sure nowadays there are npm libraries that implement a custom authorizer for AWS Serverless.