API Gateway and Cognito Authorization in Lambda Function


I am currently working on a web application that has the following setup:

  • Backend written with Serverless, using API Gateway and Lambda functions that access DynamoDB
  • Frontend with Angular2 hosted on S3 bucket consuming REST webservice exposed by API Gateway
  • AWS Cognito for user management (and Cognito authorizer)

Now I was wondering if I really have to use the AWS Cognito Identity JS SDK for login/register/etc on the clientside. I think when providing additional endpoints via the REST API with API Gateway to allow login, register, etc. would result in a more consistent API without the need to include Cognito SDK in every application. My frontend would then just send userdata (username and password) to a public HTTPS endpoint /login within my API Gateway and the lambda functions forwards the userdata to cognito. On positive authorization I can return a JWT token generated from Cognito from my Lambad function that can be used for any further authorized requests (added to authorization headers on client side).

Does this approach leads to any security concerns compared to client side Cognito authentication directly in the frontend? So far, I have not found anything related using a lambda function to get JWT token from Cognito.

Thanks in advance for your opinions

1 Like

you able to find answer for your question ? I had same question.

Below URL says The password features use the Secure Remote Password (SRP) protocol to avoid sending cleartext passwords over the wire. so SDK uses SRP protocol which is more secure …

what is the best practice?

Still not sure on this. And you are right, the quote with SRP makes me wondering if my approach is really a good idea to go.

I have opened below issue with AWS lets see what they suggest …