Passing Cognito JWT via Websockets

mrowles · March 9, 2019, 4:10am

I’m just really trying to figure out how serverless expects the Cognito auth token to be passed with a websockets connection.

I have an authoriser lambda on my websocket paths:

  connectionHandler:
    handler: handler.connectionHandler
    events:
      - websocket:
          route: $connect
          authorizer:
            arn: ${self:provider.environment.authoriserArn}
      - websocket:
          route: $disconnect
          authorizer:
            arn: ${self:provider.environment.authoriserArn}

I was wondering how I actually pass the token from the client over the connection in order for the auth to trigger correctly.

I’ve tried with rxjs websocket and with protocols, but not really sure how the authoriser should handle the request (I cannot see any token in the params passed in). I don’t believe we can add headers to websockets:

private setupWebsockets(token: string) {
    const subjectConfig: WebSocketSubjectConfig<any> = {
      url: 'wss://abcd1234.execute-api.ap-southeast-1.amazonaws.com/pre',
      protocol: [
        `${token}`
      ]
    };

    this.subject = webSocket(subjectConfig);

    this.subject.subscribe(
        (msg) => console.log('message received: ' + msg),
        (err) => console.error(err),
        () => console.log('complete')
      );
  }

Cheers

mrowles · March 10, 2019, 7:37pm

It actually doesn’t look like my authorizer is being created when I login and check it manually. When I try to, I cannot use Cognito directly. If this is the case, that we cannot use Cognito directly, it should state in the docs (https://serverless.com/framework/docs/providers/aws/events/websocket#using-authorizers).

castellanprime · March 15, 2019, 4:09pm

In my experience,
(a) Amazon Websockets does not support modifying the subprotocol as you are doing in your example, as shown here, https://forums.aws.amazon.com/thread.jspa?messageID=883536&tstart=0. That is why you are not seeing the token in your authorizer.
(b) Also your authorizer is not being created if you are using the latest version of severless(1.38). You might have to use the master. Full support for authorizer is for the 1.39 release.

mrowles · March 17, 2019, 7:16pm

Thanks! Looks to be the case https://github.com/serverless/serverless/issues/5910

Topic		Replies	Views
Cognito authorizer and websockets Serverless Framework api-gateway	0	1159	May 20, 2019
Serverless API Gateway Auth via Cognito JWT Serverless Framework	1	819	September 30, 2019
Cognito as Authorizer Serverless Framework aws , lambda , cloudformation , api-gateway	0	1314	August 18, 2023
How to make the HTTP Authorizer example work? Serverless Framework aws , api-gateway	1	633	June 30, 2020
Anyone have a good modern example of using a cognito user pool authorizer? Serverless Framework	4	4024	August 9, 2020

Passing Cognito JWT via Websockets

Related topics