How to Secure AWS API Gateway using AWS Cognito OAuth2 scopes?

  • Published: 8 Sep 2024
  • This video explains the environment setup for the blog / part-1-securing-aws-ap... . This video explains the client credentials OAuth2 grant. If you are looking for the Authorization code grant flow, please refer to the blog: / part-2-securing-aws-ap... and the RUclips video • How to setup OpenID Co...
    #aws #amazonwebservices #openid #api #apigateway #authentication #iam #identity #security #cognito #awscognito #awsapigateway #amazoncognito #security

Comments • 94

  • @securityinaction1018 2 years ago

    Please subscribe to this channel for regular updates: ruclips.net/channel/UCEEayyyCrJO94FYlzF0NLTg
    Thank you for the support.
    You can also follow the step-by-step instructions for this video in this blog: awskarthik82.medium.com/part-1-securing-aws-api-gateway-using-aws-cognito-oauth2-scopes-410e7fb4a4c0

  • @mikeyinger4204 2 years ago +2

    I've read the first few comments and I'm right behind them. This is exactly the kind of help I needed with Cognito and OAuth2. I did run into an issue and got it resolved by watching his newer (12/2021) video on OAuth2 Client Credentials.

  • @serge3357 2 years ago +2

    The best video on the subject I've seen to date. Very clear and straightforward, without unneeded preambles.

  • @amarapanigrahi 2 years ago +1

    Super easy explanation!! Keep posting more.

  • @stevedearborn8637 3 years ago +3

    Great demonstration of using Amazon Cognito as an API authorizer. It clearly shows the mechanics between API Gateway, Cognito and your API implementation. Repeating the steps really helped to clarify.

  • @napoleonstanley5705 1 year ago +1

    Thanks for sharing! This really helped me out of a bind with user management within my application. I was getting a "required scope" error and could not figure out why. Walking through this helped me troubleshoot by working backwards.

  • @TheMaxy4u 1 year ago +1

    Very nice step-by-step guide for beginners.

  • @vinaykumarmatam3708 2 years ago +1

    Superb... Helped with my task ☺️

  • @pranaytonpay1246 2 years ago

    Very clearly explained. Well done.

  • @III-I-IIII-I-IIIII 2 years ago +1

    Thank you for sharing!!

  • @MrKevvo83 3 years ago +1

    Thanks for the video - it helped me figure out how to set up the client credentials flow in Cognito!

  • @j-tech9156 3 years ago

    I looked everywhere to find this. Thanks a lot. Please do not stop because of the low number of subs. Just think of them as super subs.

  • @kev18284 1 year ago +1

    This was really helpful!

  • @pratapbane2607 2 years ago +1

    Thank you so much, you made my day.

  • @franciscageorgue2207 3 years ago +1

    What a wonderful tutorial video, it helps me a lot, thank you so much!

  • @N.KhanSaab 3 years ago +1

    Nice explanation :) I appreciate your time. God bless.

  • @srikanthek737 3 years ago +1

    Great video

  • @ExploreWithAnand 4 years ago +1

    Thanks, great!! Just follow the video; it's a piece of cake!

  • @craigmullin3649 3 years ago +1

    This is exactly the help that I needed. Thank you very much!!

  • @sunnypatel8762 3 years ago +1

    Thanks, it is very helpful.

  • @vvortex3 3 years ago

    Excellent step by step tutorial. Really helped me out!

  • @yiyinyu9679 1 year ago +1

    This is great information, thanks for sharing. I am wondering if you can create 2 users, where user-A can do the scope of product/read.create.delete and user-B can do customer/read.create.delete? In the example it seems every user in the same app would get the same scope. Thanks.

  • @andriys5772 3 years ago +1

    Thank you!

  • @sheikabdulkatherh9771 4 years ago +2

    Thanks bro

  • @jhonstivenguevaravelasco8482 4 years ago +1

    Thanks

  • @davidalejandrogarces2781 3 years ago +1

    Thank you so much! You just saved me lol

  • @techconclave6201 4 years ago +1

    Cool.

  • @firminmusik 3 years ago +1

    Great vid dude!!!!

  • @jinbaoxin 3 years ago +1

    Thanks for the video. Just to understand it more: if I have 100 clients with their 100 client apps, do I need to create 100 user pools for them? Does AWS offer a dev portal? Thanks

    • @securityinaction1018 3 years ago

      Hi Mike, you don't have to create 100 user pools for 100 clients. You can add multiple clients to the same user pool, provided all these clients are accessible to the users belonging to this pool. If each client has its own group of users, i.e. a user can access only one client at any point in time, then it makes sense to have separate user pools for security purposes.

  • @Animalcrossing-v3i 4 years ago

    Hi Karthik,
    Very nice video, thank you, and an excellent article. You have demonstrated applying security to 'api gateway resources' by creating your own.
    I have deployed "spring boot" in EC2, which has the resources. I have set up the Cognito User Pool, and API Gateway has the resource "/{proxy+}/ANY". In other words, the endpoint is already deployed to stage 'dev' and working.
    How do I apply the security for 'Create/Update/Read/Delete' to the resource "/{proxy+}/ANY"? The ANY displays all the request methods. I would appreciate it if you could share your thoughts. Thanks, Govind

    • @securityinaction1018 4 years ago

      Hi Govind, you should create multiple methods in API Gateway and proxy each method to a different endpoint in your Spring Boot application. Did you already try that? Thanks, Karthik

  • @deepakts4756 4 years ago

    Hi Karthik, thanks for the video and the Medium post. It was super helpful. I have a question:
    - In a mobile app, is there any way to get this flow working without storing the client id/secret in the app?
    - What would be the best approach to use AWS services for unauthenticated mobile users?

    • @securityinaction1018 4 years ago

      Hi Deepak, it is not safe to store the client secret in mobile apps because it is a public-facing app which can be installed by many users. You should use the Authorization code grant flow with the PKCE option for this. In this flow, secrets are generated dynamically for each request.
      Refer to tools.ietf.org/html/rfc7636 for more details. You can also check out this video from Okta: ruclips.net/video/5cQNwifDq1U/видео.html
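
The per-request secret that reply describes is the PKCE code_verifier / code_challenge pair from RFC 7636. The following is an added example, not code from the video or the blog: make_code_verifier and make_code_challenge implement the S256 transform, and challenge_matches is a hypothetical helper showing the comparison the token endpoint performs server side (Cognito does this for you; the name is ours).

```python
import base64
import hashlib
import re
import secrets

# code_verifier alphabet and length limits from RFC 7636 section 4.1
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def _b64url_no_pad(data: bytes) -> str:
    """base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Fresh per-request secret: 32 random bytes encode to 43 characters, the RFC minimum."""
    return _b64url_no_pad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not _VERIFIER_RE.match(verifier):
        raise ValueError("code_verifier must be 43-128 unreserved characters")
    return _b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def challenge_matches(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Hypothetical helper: what the token endpoint does with the verifier sent in the
    token request, i.e. recompute the challenge stored with the authorization code
    and compare in constant time."""
    if method == "S256":
        expected = make_code_challenge(verifier)
    elif method == "plain":  # allowed by the RFC but offers no protection if the challenge is observed
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected, challenge)


if __name__ == "__main__":
    # The app keeps only the verifier in memory; the challenge goes into the authorize URL.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    print("code_challenge=", challenge, "code_challenge_method=S256")
    print("token endpoint accepts verifier:", challenge_matches(verifier, challenge))
```

The verifier is never sent until the token request, so a leaked authorization code alone cannot be redeemed, which is why no static client secret is needed in the app.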

    • @deepakts4756 4 years ago

      Thanks @@securityinaction1018, that was helpful.

  • @hi_i_am_a_youtuber_ 4 years ago

    Thanks for the video. Do we have a library for OWIN-based integration with Cognito for ASP.NET projects?

    • @securityinaction1018 4 years ago

      Thanks Abdul. I am not 100% sure about that. I know that AWS has SDKs for all the major programming languages like .NET and Java, but I don't have knowledge of OWIN.

  • @sohanmsoni 2 years ago

    How do I add the scope depending upon the user while generating the token? I don't want to enter the scope manually.

    • @securityinaction1018 2 years ago

      Just to clarify, do you want to generate access tokens with different scopes depending on user attributes? If my understanding is correct, I don't think it is possible with Cognito. I have seen this type of feature with other identity products like Auth0, ForgeRock etc., where different users get different scopes in the access token depending on certain attributes like their group membership, department etc.

  • @sunilkumar-ob7yz 2 years ago

    Access ID created, but when I pass it using Authorization it gives an unauthorised error.

    • @securityinaction1018 2 years ago

      Please make sure the header name is Authorization, the token is valid and it has the appropriate scopes. You can use jwt.io to check the scopes.
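
The scope check in that reply can be reproduced locally the same way jwt.io does it, by decoding the token payload without verifying it. This is an added example, not code from the video or the blog: the tokens are constructed samples with a fake signature, and the scope names product/read and product/create are illustrative. The same check shows why a token whose only scope is aws.cognito.signin.user.admin (the symptom reported in a later comment) or an ID token gets rejected by a method that requires a custom scope.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """JWT segments drop '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Read the payload of a compact JWT WITHOUT verifying it (what jwt.io shows)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def missing_scopes(token: str, required: set) -> set:
    """Scopes the API method requires that this token does not grant.
    Cognito puts granted scopes in the space-separated 'scope' claim of an ACCESS
    token; an ID token has no scope claim, so it cannot satisfy a method that has
    OAuth scopes configured."""
    claims = decode_claims(token)
    if claims.get("token_use") != "access":
        return set(required)
    granted = set(claims.get("scope", "").split())
    return set(required) - granted


def _constructed_jwt(claims: dict) -> str:
    """Sample token for this demo only; real Cognito tokens are RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.constructed-signature"


# Constructed samples shaped like Cognito tokens (client id and scope names are illustrative)
M2M_TOKEN = _constructed_jwt({"token_use": "access", "client_id": "constructed-client-id",
                              "scope": "product/read product/create"})
USER_ADMIN_TOKEN = _constructed_jwt({"token_use": "access", "scope": "aws.cognito.signin.user.admin"})
ID_TOKEN = _constructed_jwt({"token_use": "id", "email": "user@example.com"})

if __name__ == "__main__":
    for name, tok in [("m2m", M2M_TOKEN), ("user-admin", USER_ADMIN_TOKEN), ("id", ID_TOKEN)]:
        print(name, "missing:", missing_scopes(tok, {"product/read"}) or "none")
```

This decode-only check is for troubleshooting a "required scope" error; before trusting any claim in a real service, verify the token signature against the user pool's JWKS and check its expiry and issuer.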

  • @sumanthshetty8258 4 years ago

    Great video.
    Is there a way that I can restrict access to API Gateway for different user pool groups? (One user group should have access to a particular API, the other group should have access to another set of APIs.)

    • @securityinaction1018 4 years ago

      It should be possible. In "Step 3: Configure Cognito Authorizer for API Gateway", you can try creating two Cognito Authorizers with different user pools. In Step 4, you can select a different Authorizer for each API.

    • @sumanthshetty8258 4 years ago

      @@securityinaction1018 Thank you for the response.
      I was looking more into one user pool which has 2 user groups. A user from group A has access to only the A set of APIs, and similarly a user from group B to the B set of APIs.

  • @VinuezaDario 4 years ago

    Thanks, great!! How long does that token live?

    • @securityinaction1018 4 years ago

      As per the documentation, it looks like the default timeout is 1 hour and it can be changed. Refer to docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html

  • @sumanthshetty8258 4 years ago

    Hi, I tried your steps and everything is working as you showed. But when I tried generating a JWT access token, I was not able to generate the custom scope; I am only able to get the scope as scope: "aws.cognito.signin.user.admin". Is there any configuration to be done here?

    • @securityinaction1018 3 years ago

      I am not really sure about this issue. Please follow the exact instructions in that tutorial and it should work.

  • @shahanshahali806 4 years ago

    It was really a great tutorial.
    I have 4000 users. Is it a good idea to share the same clientId and secret with all of them? Or do I need to create 4000 Cognito User Pools to get all 4000 client secrets and IDs? Please help me to understand this. Thanks.

    • @mitsukiorichimaru4511 4 years ago

      You need only one user pool, man. As the name implies, it's a "pool" of users. Regarding clientId and secret, they reside in server code and shouldn't be exposed to the frontend. So technically, for one application you'll have one clientId and secret.

    • @shahanshahali806 4 years ago +1

      @@mitsukiorichimaru4511 Your tutorial sets the scope of the user based on secret and client. How can I specify the scope based on the user? If you can clarify, that will be great. Also, please share some link to go through.
      Thanks.

    • @mitsukiorichimaru4511 4 years ago

      @@shahanshahali806 BTW, it's not "my" tutorial, haha. Anyway, you don't seem to understand the OAuth flow. Scope is requested by the application, not by the user, which means scopes are not user specific but application specific. So for an application you have the same scopes for all users. Please refer to the following videos to understand the OAuth flow: ruclips.net/video/996OiexHze0/видео.html&ab_channel=OktaDev and watch this series ruclips.net/video/KT8ybowdyr0/видео.html&ab_channel=OktaDev

    • @mitsukiorichimaru4511 4 years ago

      @@shahanshahali806 This tutorial is about how to leverage the OAuth flow provided by Cognito, so you should have some background in OAuth. Come back to this tutorial once you feel comfortable with the flow.

    • @securityinaction1018 4 years ago +1

      @ shahanshah Ali This tutorial is based on the client credentials grant, which is used for machine-to-machine flows. Please refer to this blog on how to get scopes for each user. AWS Cognito is not really as flexible as other identity products like Okta, Auth0, ForgeRock or PingFederate. So, you can't solve all the use cases with Cognito.

  • @shaivaljava401 4 years ago

    How to integrate with Spring Boot Security? Please, I need a video.

    • @securityinaction1018 4 years ago +1

      Do you want to integrate a Spring Boot Security app with AWS Cognito using the Authorization code grant flow?

    • @shaivaljava401 4 years ago

      @@securityinaction1018 Using Spring Security. Please advise on any recent working code.

    • @securityinaction1018 4 years ago

      @@shaivaljava401 There are some examples on different websites. Here are some: www.javainuse.com/spring/springboot-oauth2-client-grant and www.baeldung.com/spring-webclient-oauth2

  • @maksarvala 4 years ago

    Hi, the content is good, but there is a lot of background noise and a very low voice. Not sure if it is your Enter key or mouse, but every second it makes a disturbing noise.

    • @securityinaction1018 4 years ago +1

      Thanks for the comment. I will try to improve the video and audio quality in future videos.

  • @vasudeva1408 1 year ago

    Why don't you talk louder, bro? Your content is great, but your volume makes it difficult to follow along.

    • @securityinaction1018 1 year ago +1

      Thanks for the feedback. This was my first video on YT and the audio quality was pretty bad. I have made lots of changes over the years and you can see some improvements in the latest videos. I am continuously trying to improve the quality of the videos. Please keep sharing the feedback.