# help
e
Hello folks, so I have secured my API as per https://serverless-stack.com/examples/how-to-add-cognito-authentication-to-a-serverless-api.html and tested everything works ok using
npx aws-api-gateway-cli-test
Now my question is how do I make authenticated calls to the API from my client browser. I do not want to use Amplify. So far I have managed to log in and fetch tokens using amazon-cognito-identity-js, which is all very nice and gives me access+id+refresh tokens, but once I have that how do I wrap things up to properly call the /private entrypoint in my API? Thanks!
c
What authorization type are you using?
If you're using Cognito user pools you can just make the request to the API and pass the userToken as a header in the request.
f
@Chad (cysense) thanks for the insight!
@Jay anything to add?
e
Yes I'm using Cognito user pools as per the example code but haven't figured out HOW to pass the token and do we agree it's the access token ? I'm testing with postman and so far no success.
c
Hmmm so I am using the IdToken
Also are you adding the Bearer on the authorization header?
So this is how I get the token:
import { Auth } from "aws-amplify"; // Amplify's Auth helper, which is what this snippet uses

// Reads the current Cognito session and returns the ID token as a raw JWT string
const getIdToken = async () => {
  const authSession = await Auth.currentSession();
  return authSession.getIdToken().getJwtToken();
};
And then in postman set the Authorization type as Bearer Token and provide the idToken
e
So I have tried that already (and now again to double check) but without success, both with the Id and Access tokens. I checked the tokens on jwt.io and they are good and contain all the required info. So I'm wondering if it's something on the server side setup that expects another approach. The auth setting in the sample is
defaultAuthorizationType: sst.ApiAuthorizationType.AWS_IAM,
is that appropriate ?
c
No, should be sst.ApiAuthorizationType.COGNITO
Sorry - that's for CDK. I think it is ApiAuthorizationType.JWT in SST
@Frank mentioned in another chat that they are currently reviewing the JWT authorization construct, so you would probably be better off using CDK for now instead of the SST Auth construct
Actually, AWS_IAM should work if you've followed the tutorial. What error are you getting when you try to make an API request?
e
With your help I have managed to set it up with JWT tokens and connect. For others having similar difficulties: here's what my SST stack looks like now:
import * as sst from "@serverless-stack/resources";
// HttpUserPoolAuthorizer comes from the CDK API Gateway v2 authorizers package
import { HttpUserPoolAuthorizer } from "@aws-cdk/aws-apigatewayv2-authorizers";

// Cognito user pool (email sign-in) plus the user pool client SST creates alongside it
const auth = new sst.Auth(this, "Auth", {
  cognito: {
    userPool: {
      signInAliases: { email: true },
    },
  },
});

// HTTP API whose routes are protected by a JWT authorizer backed by that user pool
const api = new sst.Api(this, "Api", {
  defaultAuthorizationType: sst.ApiAuthorizationType.JWT,
  defaultAuthorizer: new HttpUserPoolAuthorizer({
    userPool: auth.cognitoUserPool,
    userPoolClient: auth.cognitoUserPoolClient,
  }),
});
And it passes through auth with both the access and ID token! This will probably lead to other questions (around tying things up with IAM perms if possible, getting a unique ID for the user if in the future we add social logins) but for now I'm happy that I can at least call my API 😉 We could also investigate why it didn't work with AWS_IAM if I can help out with that. But I'm actually happy with JWT.
f
@Erik Robertson glad you are making some progress with @Chad (cysense)'s help.
AWS_IAM should definitely work. How are you calling the API in your frontend? If you are coming from the guide, this chapter has some code snippets.
h
@Frank @Chad (cysense)
Have the same issue. Same setup as the guide. Want to use AWS.IAM and not JWT. I can get the accessToken, refreshToken, idToken, etc, from the cognito user, but when I tried to call a private event in postman, configured with bearer token, I'm receiving a 'forbidden' message.
f
Hey @Henry Gomez can I see how you are setting the credentials in postman?
Also, did you grant the users permission to invoke the API, i.e.
auth.attachPermissionsForAuthUsers([api])
h
@Frank I ended up using JWT for one of my API stacks. Works perfectly and easy in postman as well. And for the API with IAM authentication, I use Amplify directly in the frontend side to manage the authentication. If you have a sample about how to connect to iam cognito auth without Amplify or if you could share postman settings to do it, would be super useful. Thanks