API Gateway Cognito Authorizer using Client Credentials – Part II
In part I of this article, we configured our User pool and learnt how to create an Access token for the User pool with Client Credentials. In this part, we will configure an API Gateway API to use this User pool as a Cognito Authorizer. The API here can be of any REST type, i.e. Regional, Edge Optimized, or even Private API. Let’s begin!
Configure an API Authorizer
- In your API Gateway console, create a new API. If you have an existing API, you can use that too. Here we will use the Example API (PetStore API) provided by API Gateway.
- Create at least one method, e.g. GET, POST or DELETE. The PetStore API has GET, POST and OPTIONS methods. Of these, we will set up the GET method with the authorizer.
- From the left navigation panel, go to Authorizers > Create Cognito authorizer > specify a Name for the authorizer, select Cognito for Authorizer Type, select the User pool we created in Part I, specify the Token Source (the name of the request header that will carry the token, e.g. Authorization), and click Create.
- Once the Authorizer is created, refresh the page, as the Console does not auto-populate the new authorizer in the Method Request block.
- Click Resources > open the Method Request block.
- Here you will select the Authorizer we created in the above step, and then specify the OAuth Scopes. The scopes here are the ones we created in part I.
- Deploy the API, and now we are ready to invoke it.
As the API is now secured with the authorizer, we will need to pass the token in a request header. The header name is decided by the Token Source in step 3 above. Similarly, the token can be generated as per step 6 in part I.
Test the API
Assuming you have an access token generated, you can then access the API like this:
$ curl -H "Authorization: <access_token>" https://{restapi-id}.execute-api.{region}.amazonaws.com/{stage}
Note: If you are using a Private API, since we haven’t covered the VPC endpoint related configurations here, you should use an EC2 instance inside the VPC to access the API.
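To see why a call is accepted or rejected, here is an added example (not code from the original post) that applies, in Python, the same claim checks a Cognito authorizer makes on the token taken from the Token Source header: the issuer must be our User pool, the token must be an unexpired access token, and its scope claim must include at least one of the OAuth Scopes configured on the method. The issuer URL and the scope name are placeholders standing in for the values created in Part I, and RS256 signature verification against the pool's JWKS is left out because it needs the pool's public keys.

```python
import base64
import json
import time

# Placeholders for the pool created in Part I (assumed values, not a real pool).
USER_POOL_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
# The OAuth Scopes configured on the GET method request (assumed scope name).
METHOD_SCOPES = {"petstore/read"}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def authorize(header_value, now=None):
    """Return (allowed, reason) for the value of the Token Source header.
    Signature verification against the pool's JWKS is deliberately not shown."""
    now = time.time() if now is None else now
    words = header_value.split()
    if not words:
        return False, "missing token"
    parts = words[-1].split(".")  # this example also tolerates a 'Bearer ' prefix
    if len(parts) != 3:
        return False, "malformed token"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return False, "undecodable payload"
    if claims.get("iss") != USER_POOL_ISSUER:
        return False, "issuer is not the configured user pool"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # Only access tokens carry 'scope'; an ID token fails on a method that has scopes.
    if claims.get("token_use") != "access":
        return False, "not an access token"
    granted = set(claims.get("scope", "").split())
    if not granted & METHOD_SCOPES:
        return False, "token lacks every scope configured on the method"
    return True, "ok"


def make_unsigned_token(claims):
    """Constructed JWT with a dummy signature, for exercising the checks offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'example'})}.{enc(claims)}.sig"
```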
Appreciating the hard work you put into your blog and detailed information you offer. It’s nice to come across a blog every once in a while that isn’t the same old rehashed information. Fantastic read! I’ve bookmarked your site and I’m including your RSS feeds to my Google account.