
Boilerplate feels incomplete (restricted area with cognito user pool authorization needed)

Open kidsil opened this issue 8 years ago • 8 comments

Hey, I've been working with this boilerplate on and off, but it feels incomplete. Now that API Gateway allows Authorization via Cognito User Pools, I feel like there should be an example included of a restricted zone that is only accessible via a user pool user.

Serverless.yml supports this type of authorization, but I couldn't get it to work myself (otherwise I would've sent a Pull Request..).

kidsil avatar Jan 23 '17 13:01 kidsil

@kidsil I've thought about it also and that would be a great feature. How far did you manage to implement it?

laardee avatar Jan 23 '17 19:01 laardee

Sadly not very far, I've tried over and over again to get a request through the Authorizer (following the docs) without any luck.

That's what the events portion of my main/serverless.yml config file looks like:

    events:
      - http:
          path: restricted
          method: get
          cors: true
          integration: lambda
          authorizer:
            arn: arn:aws:cognito-idp:AWS_REGION:AWS_ACCOUNT_ID:userpool/AWS_USERPOOL_ID
            resultTtlInSeconds: 0
            claims:
              - email
              - name
            identitySource: method.request.header.Authorization
            identityValidationExpression: .*

This might be useful, couldn't get much out of it though..

kidsil avatar Jan 23 '17 19:01 kidsil

Thanks, I'll try to take some time for this soon.

laardee avatar Jan 25 '17 09:01 laardee

@laardee I have a rough code sample done that is able to grab the Token ID (and Refresh Token, and Access Token) JWT: https://gist.github.com/kidsil/cb0112e912960f517d88c586e333bdc3

The only thing that's still not working is getting through the API Gateway Authorizer (tried to use Header: Authorization: JWT_TOKEN, didn't work).

kidsil avatar Jan 26 '17 13:01 kidsil

Got it to work! Will update soon with a complete solution! The bug I had was somewhat unrelated: https://github.com/serverless/serverless/issues/3088

kidsil avatar Jan 27 '17 09:01 kidsil

Great!

laardee avatar Jan 27 '17 09:01 laardee

I'm still not sure the best way to cache the Authentication Token & Refresh Token.

I guess I could put it in Local storage.. My gist works as is. Since I'm not sure in which way you'd like to integrate it into the repo, I'd rather leave it as is for now.

Let me know if you need any further help with integration.


kidsil avatar Jan 28 '17 13:01 kidsil

Is the AuthorizationToken generated here https://github.com/laardee/serverless-authentication/blob/master/lib/utils.js#L112 related to the Authorization Token that is required by AWS API Gateway (when using User Pool Authorization)?

kidsil avatar Jan 29 '17 13:01 kidsil
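An added example, not code from the boilerplate or from anyone in this thread, tying together the `authorizer` config posted above, the raw-JWT `Authorization` header tried later, and the three Cognito tokens (ID, access, refresh) the gist retrieves: a client-side pre-flight check that only sends the ID token, and a handler for the restricted endpoint that reads the claims the authorizer passed through. The `event.cognitoPoolClaims` mapping (Serverless's default request template for `integration: lambda`) and the handler name are assumptions; the tokens are constructed samples.

```javascript
// Added example, not from the boilerplate or anyone in this thread. Client side:
// check a Cognito JWT before putting it in the Authorization header of the
// `restricted` endpoint. Decoding here is NOT verification; the User Pool
// authorizer verifies the signature. Tokens below are constructed samples.

const b64url = (s) => Buffer.from(s, 'utf8').toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

function base64UrlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Claims are the second segment of a compact JWS token.
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Cognito issues ID, access and refresh tokens. With no OAuth scopes on the
// method, the User Pool authorizer accepts the ID token (token_use === 'id');
// the access or refresh token is rejected. Returns the header or the reason.
function authorizationHeaderFor(token, nowSeconds) {
  let claims;
  try { claims = decodeJwtClaims(token); } catch (e) { return { ok: false, reason: e.message }; }
  if (claims.token_use !== 'id') {
    return { ok: false, reason: 'expected ID token, got token_use=' + claims.token_use };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { ok: false, reason: 'token expired; refresh before calling the API' };
  }
  return { ok: true, headers: { Authorization: token } }; // raw JWT, as in the thread
}

// Constructed sample token (dummy signature, for local tests only).
function sampleToken(claims) {
  return [b64url(JSON.stringify({ alg: 'RS256', kid: 'sample-kid' })),
          b64url(JSON.stringify(claims)), 'dummy-signature'].join('.');
}

// Server side, `integration: lambda`: assumes Serverless's default request
// template maps the configured `claims` into event.cognitoPoolClaims.
function restrictedHandler(event) {
  const claims = (event && event.cognitoPoolClaims) || {};
  if (!claims.email) throw new Error('Unauthorized: no authorizer claims on event');
  return { message: 'Restricted content for ' + claims.email };
}
```

Keeping the check on the client does not replace the authorizer; it only explains a 401 before the request is made, and it leaves the question of where to cache the tokens untouched.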