Anyone have a good modern example of using a cognito user pool authorizer?


#1

I’m an AWS noob and am trying to set up a cognito user pool as an authorizer for my api-gateway lambda.

As far as I can tell the docs talk about about setting up the pool as an event source and I have not found a way to configure api-gateway. I expected it to be something like the cors: true setting where I’d just say authorizer: myPool … but I can’t seem to find an example.

I’ve searched around but strangely have not found exactly what I need. I see the references to aws_iam, user groups, etc. but am not sure how to get to the user pool.

Does anyone know where in the docs I can find that or of a blog post or something explaining it?

Thanks in advance.


#2

Little delayed in the response, hopefully you’ve figured this out since you posted, but I believe the answer you’re looking for can be found here. Scroll down to the part where it talks about the user pool.


#3

@bobbiebarker I have successfully protected an endpoint in my service following the example in that link by using a Cognito user pool arn. And by successfully I mean that once I make a request, I get back the message “Unauthorized”.

From what I’ve read I need to include a token received from logging in with Cognito in the request as an Authorization header. But when I do it does not allow me to reach the endpoint. What am I missing here?

This is my serverless.yml:

service:
  name: my-service

plugins:
  - serverless-webpack

provider:
  name: aws
  region: eu-central-1
  runtime: nodejs6.10

functions:
  create:
    handler: posts.get
    events:
      - http:
          path: posts/get
          method: get
          authorizer:
            arn: arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ

And for the request I’m using Postman to include the Bearer token, which results in an Authentication header like this:

Authentication: Bearer myTokenXXXXXXXXXXXXX

I’ve also tried removing the Bearer part from that header without any luck.


#4

Just fixed it! Turned out I was using the accessToken from the response of cognitoUser#authenticateUser where I should use the idToken :slight_smile:
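The fix in #4 (ID token instead of access token) is easy to check before a request ever reaches API Gateway: a Cognito JWT carries a `token_use` claim that is `"id"` for the ID token and `"access"` for the access token, and its `iss` claim names the pool. The helper below is an added diagnostic written for this thread, not code from the posts or from the Serverless Framework; it only decodes the payload (no signature check, so it is a debugging aid, not an authorizer), and the pool ARN and sample tokens are the constructed placeholders from the thread.

```javascript
// Added diagnostic (not from the thread): decode a Cognito JWT payload WITHOUT
// verifying it, to see which token is about to be sent to the user-pool
// authorizer. API Gateway itself verifies the signature against the pool's JWKS;
// never use this function as an authorizer.

function base64UrlDecode(segment) {
  // JWT segments are unpadded base64url; Node 6 Buffer only knows plain base64
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Issuer the authorizer expects, derived from the pool ARN in serverless.yml,
// e.g. arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ
function issuerFromPoolArn(arn) {
  const m = /^arn:aws:cognito-idp:([^:]+):[^:]*:userpool\/(.+)$/.exec(arn);
  if (!m) throw new Error('not a Cognito user pool ARN: ' + arn);
  return 'https://cognito-idp.' + m[1] + '.amazonaws.com/' + m[2];
}

// Returns the reasons the authorizer would reject the token; [] means it looks OK.
function inspectCognitoToken(token, poolArn, nowSeconds) {
  const raw = token.replace(/^Bearer\s+/i, ''); // tolerate a "Bearer " prefix
  const parts = raw.split('.');
  if (parts.length !== 3) return ['not a JWT (expected 3 dot-separated segments)'];
  let claims;
  try { claims = JSON.parse(base64UrlDecode(parts[1])); }
  catch (e) { return ['payload is not base64url-encoded JSON']; }
  const problems = [];
  // The authorizer wants the ID token; the access token says token_use "access"
  if (claims.token_use !== 'id') {
    problems.push('token_use is "' + claims.token_use + '": send the idToken (token_use "id")');
  }
  if (claims.iss !== issuerFromPoolArn(poolArn)) {
    problems.push('iss ' + claims.iss + ' does not belong to pool ' + poolArn);
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) problems.push('token expired');
  return problems;
}

// Constructed sample only: builds an UNSIGNED token shaped like a Cognito JWT
function makeUnsignedSampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', kid: 'constructed' }));
  return header + '.' + base64UrlEncode(JSON.stringify(claims)) + '.constructed-signature';
}
```

Run it against the token Postman is sending; a first line mentioning `token_use` is exactly the accessToken/idToken mix-up from #4, and an `iss` mismatch points at the wrong pool ARN or region in `serverless.yml`.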