How to Restrict Custom api access using AWS Cognito

Submitted by 匆匆过客 on 2020-05-17 06:38:06

Question


I am using Spring Boot in my application. While searching for some IAM tools, I actually liked Auth0, but I cannot afford their pricing. So, I found another called AWS Cognito.

Below is how Auth0 restricts access to a custom API:

 https://auth0.com/docs/api-auth/restrict-access-api

Currently, I am trying to restrict API access using AWS Cognito, but I am not finding the correct documentation to achieve this. Can anyone please tell me whether restricting API access is possible using AWS Cognito?


Answer 1:


It depends on how much fine-grained control you want over the access to your api.

Allow or Deny Scenario

In some cases, you either want to block someone completely, or give them access to all of your API. In this all-or-nothing scenario, the simplest route would be to use Cognito User Pools on their own to authorize your users. Cognito User Pools is just used to authenticate the user (are they who they say they are), and to provide tools to make sign-up and sign-in easier.

If the user passes authentication, then you can pass one of the tokens returned by Cognito User Pools (the identity token) to API Gateway. As long as you have set up your API methods to have the Cognito User Pools authorizer in API Gateway, then this is enough for them to accept the identity token as authorization to access the methods.

Fine-Grained Access

However, in other cases, you need more fine-grained control. You may want all authenticated users to have access to a certain subset of your api methods, but only admins to have access to more restricted methods.

In this case, you will also need to use Cognito Identity Pools to define user roles (e.g. UNAUTHENTICATED_USER, PAID_USER, ADMIN etc.) and their associated IAM roles, which will have policies that give them access, or deny them access, to various parts of your API.

You then set the authorizer for your api gateway resources to be AWS_IAM (instead of Cognito User Pools as in the all or nothing example above). And API Gateway will use the role credentials obtained from the Cognito Identity Pool to determine if the current user's role has the permissions to access the requested resource.

For example, perhaps your PAID_USER user role will have the following IAM role attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "execute-api:Invoke",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:execute-api:*:*:fjfkdlsjflds/*"
      ]
    },
    {
      "Action": "execute-api:Invoke",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:execute-api:*:*:fjfkdlsjflds/*/admin/*"
      ]
    }
  ]
}

This gives them access to your api, apart from the api methods (resources) that you have set up under /admin/.

I highly recommend this AWS re:Invent talk on Serverless Authentication and Authorization, which goes over these options with some good examples.




Answer 2:


As I understand it, what you are trying to do is to resolve the authorization for your APIs. Cognito comes into the picture in the case of authentication (instead of your own database and user handling, it supports everything). By using Cognito you can create a User Pool and Identity Pool to handle the user authentication and create the access token for the authorization of subsequent API calls. The following is what you need to do:

1) Register with AWS Cognito and create a user management pool and Identity pool
2) Create a Spring Boot app (as you mentioned Spring Boot in your stack) for authentication.
3) Add the Spring Security dependency
4) Register the application as a resource app in Cognito
5) Do the authentication and return back the token you generated.
6) Create another application (for actual business you may have multiple microservices)
7) Register those Spring Boot apps as resource servers in Cognito
8) Add the Spring Security dependency on the new app
9) Create a handler by extending WebSecurityConfigurerAdapter and override configure
10) Create a filter by extending OncePerRequestFilter
11) Authenticate the token by checking the claims
12) Restrict the API access to all calls in the configure method of the configurer



Source: https://stackoverflow.com/questions/61363833/how-to-restrict-custom-api-access-using-aws-cognito
