I'm using the Cognito authorizer:
https://github.com/aws/chalice#using-amazon-cognito-user-pools
I'm at a loss on how to authenticate. Surely there should be an easy one-liner for a web redirect to an OAUTH page for users to signup/login?
Yep. You could write a chalice app like this using the chalice.Response object to respond with a redirect to the appropriate webpage:
```python
from chalice import Chalice, Response

app = Chalice(app_name='redirect')


@app.route('/')
def index():
    return Response(
        status_code=301,
        headers={'Location': '<my-oauth-page>'},
        body=''
    )
```
Let us know if that helps.
Yes that makes sense for general Oauth. But I'm talking about AWS Cognito. Can't we streamline the solution a bit more? Would be nice if I could just return a one liner that redirects user to Cognito Oauth and gets the appropriate keys.
I'd like to build an app with Chalice with some semblance of User Management. Where users could login/create account, save data, and display it. Thought I would be able to do this with Cognito...
Here's what I'm looking for:
1) Add authorizer
2) Unauthorized users get redirected to generated Oauth page for signup/login
3) Once authorized, easy ability to store variables for the user like here
I agree the documentation is lacking on how to use Cognito. I think part of the confusion is because of the distinction between using Chalice for web based API access and the expectation of Chalice endpoints being used in the middle of a workflow that already has something like a Cognito JWT.
So to hopefully give an example of what I've gotten to work, my current approach has been to set up a test user and run something like:
```python
from warrant import Cognito
import requests

# use warrant to authenticate a test user
u = Cognito('XXX_YOUR_USER_POOL_ID', 'XXX_YOUR_CLIENT_ID', username='test_user')
u.authenticate(password='testtest')

# now you can hit authorized endpoints from chalice that are backed by the cognito pool
r = requests.get('https://YOUR_CHALICE_REST_API_ID.execute-api.YOUR_AWS_REGION.amazonaws.com/api/', headers={'Authorization': u.id_token})
print(r.text)
```
I think Chalice was meant to be placed into a workflow. By supporting the Cognito authorizer it allows for endpoints to be protected and return an appropriate API result based on the request.
@jamesls correct me if I've misspoken!
@nitrag another example of using Cognito is in the Ionic AWS Starter. They give a lot of nice setup for getting a session. Then you can access the token directly and make API calls with session.getIdToken().getJwtToken(); just like in the user.ts file (I modified this to return the session object so that I have access to all tokens as needed). Something like:
```typescript
import {Injectable} from "@angular/core";
import {Http, Headers, RequestOptions} from "@angular/http";
import 'rxjs/add/operator/map';
import {User} from "./user";

declare var AWS: any;
declare var AWSCognito: any;

@Injectable()
export class MyProvider {
  url;
  headers;
  options;

  constructor(public http: Http, public user: User) {
    console.log('Hello My Provider');
    this.url = 'https://MY_CHALICE_PREFIX.execute-api.us-west-2.amazonaws.com/api';
    this.headers = new Headers();
    user.isAuthenticated().then((res: any) => {
      this.headers.append('Authorization', res.getIdToken().getJwtToken());
      this.options = new RequestOptions({headers: this.headers})
    });
  }

  getMyPermissions() {
    return this.http.get(this.url + '/auth/my_permissions', this.options)
      .map(res => res.json())
  }
}
```
The Cognito SDK documentation is definitely lacking. Hopefully these quick examples of what worked for me will help others. Like I mentioned previously, Chalice makes the backend services extremely easy to implement, integrate with Cognito, and deploy. It's the rest of the spaghetti I've found unclear :D
I agree we should get our documentation updated. There's nothing in chalice right now that generates login pages for you. That functionality is provided by cognito user pools directly, but we may be able to make that easier.
As far as the cognito user pools authorizer, @wollerman is correct. The authorizer requires the jwt id token from the login process to be provided in the Auth header.
I typically use https://github.com/aws/amazon-cognito-identity-js/ (and its CognitoUser.authenticateUser) to handle the SRP auth portion, and then send the result.getIdToken().getJwtToken() to chalice.
Labeling this as documentation, we'll get our docs updated.
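An added example, not code from any commenter or from the Chalice project: a client-side preflight that confirms a token is the Cognito ID token (not the access token), was issued by the expected user pool, and has not expired before it is placed in the `Authorization` header as the thread describes. The function names and the sample pool ID `us-west-2_EXAMPLE` are assumptions; the payload is decoded without signature verification, which remains the authorizer's job.

```python
import base64
import json
import time


def jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorization_header(token, user_pool_id, region, now=None):
    """Return the header dict for a route behind the Cognito authorizer,
    or raise ValueError if the token is the wrong kind, pool, or expired."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    # Cognito marks ID tokens with token_use="id" and access tokens with "access".
    if claims.get("token_use") != "id":
        raise ValueError("expected ID token, got token_use=%r" % claims.get("token_use"))
    expected_iss = "https://cognito-idp.%s.amazonaws.com/%s" % (region, user_pool_id)
    if claims.get("iss") != expected_iss:
        raise ValueError("token issued by a different user pool")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired; refresh before calling the API")
    return {"Authorization": token}


def constructed_token(claims):
    """Build an unsigned sample token (constructed for this example only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "RS256"}), enc(claims), "sig")


if __name__ == "__main__":
    base = {"iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_EXAMPLE",
            "exp": 2000}
    id_tok = constructed_token(dict(base, token_use="id"))
    print(authorization_header(id_tok, "us-west-2_EXAMPLE", "us-west-2", now=1000))
```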
Updating link to active repo
https://github.com/aws-amplify/amplify-js/tree/master/packages/amazon-cognito-identity-js