Securing Your REST API with JWT Authorizers and Amazon Cognito

Most applications today expose an API to facilitate seamless interaction with their features and data. However, ensuring the security of your API is essential for various reasons:

1. Restrict Access to Authorized Users - Only authenticated users should have access to sensitive functions and data within your API, ensuring that internal information is protected from unauthorized exposure.
2. Control and Monitor Data Access - By enforcing authentication, you can prevent unauthorized access to data, allowing only verified users to make requests and interact with resources, which significantly reduces potential data leaks.
3. Protect Against Common Security Threats - Securing your API helps safeguard it from attacks like unauthorized data scraping, injection attacks, and brute force attacks, adding a critical layer of defense against malicious actors.
4. Ensure Data Integrity and Privacy - When users access your API, you want to ensure that their data remains secure and uncompromised. Proper security protocols help guarantee that data remains intact and private during transit.
5. Enable Scalability with Controlled Access - With secure API endpoints, you can scale your application more confidently, knowing that only authorized and authenticated users can access each part, reducing the risk of system overload due to malicious requests.

In this post, I’ll walk you through securing your API using JWT Authorizers and Amazon Cognito. But first, let’s clarify what a JWT is and why it’s crucial in securing APIs.

What is a JWT Token?

• JSON Web Token - A standard format for securely transmitting information between parties as a JSON object.
• Acts as a Secure Identifier for Authenticated Users - Think of it as a secure, encoded token that verifies the identity of authenticated users.
• Contains a Verifiable Digital Signature - Each token has a digital signature that our API can validate, ensuring the token’s authenticity and integrity.
• Provided by Authentication Services (e.g., AWS Cognito) - Services like AWS Cognito validate the user’s credentials at login and issue a token, which the user includes in every API request for continued access.

How to Set Up Authorization in AWS

Step 1: Create a Lambda Function

1. Start by creating a Lambda function in AWS. This function will handle your API requests.

Step 2: Set Up an API Gateway

1. Navigate to API Gateway in the AWS Console.
2. Create a new REST API.

Step 3: Connect Your Lambda to a GET Method

1. Select "Create Method" under your API.
2. Modify settings as highlighted below to connect your Lambda function to a GET method.

Step 4: Deploy Your API

1. Click on "Deploy API."
2. Create a new Stage if you don't already have one.

Step 5: Test Your API Endpoint

1. Copy the Invoke URL from your API.
2. Paste it into a browser to test the response from your Lambda function.

Adding Security to Your API

Step 6: Create a User Pool in Amazon Cognito

1. Go to Cognito in the AWS Console
2. Click Create user pool
3. For the Cognito user pool sign-in options, select Email
4. Click Next
5. For simplicity of this demo select No MFA
6. Click Next twice
7. For the Configure message delivery select Send email with Cognito
8. Click Next and give your user pool a name and also an app client name
9. Click Next and then Create user pool

Step 7: Create a test user

1. Click on your newly created user pool
2. Select Users and Create user
3. Create your user

Step 8: Set Up the App Integration

1. Click on your user pool that you just created
2. Click on App integration
3. Click on your app client that you created earlier
4. Click on Hosted UI
5. Add the following settings:
   • Callback URL: https://localhost
   • Sign-out URL: https://localhost
   • Identity provider: Cognito user pool
   • OAuth 2.0 grant types: Implicit grant
   • OpenID Connect scopes: Select all options
6. Click Save changes

Step 9: Create a Domain for Your User Pool

1. Go back to your main user pool page
2. Click on Domain --> Actions --> Create Cognito domain
3. Add the desired domain and check if it's available
4. Create it

Testing and Parsing the JWT

Step 10: Test your login with the Hosted UI

1. Go back to your main user pool page
2. Scroll down to the bottom to the App client list
3. Click on your app client
4. Scroll down to Hosted UI
5. To the right click on View Hosted UI
6. Login with the credentials that you should have got in the email that you provided earlier
7. If the login is successful you should come to your callback URL which is https://localhost

Step 11: Parse our JWT

Let's parse our JWT now and explore it.

1. Go back to your main user pool page
2. Scroll down to the bottom to the App client list
3. Click on your app client
4. Scroll down to Hosted UI
5. Right click on View Hosted UI and copy the URL
6. Open Postman (or a similar tool)
7. Create a new request
8. Click on Authorization
9. Give the token a name
10. Grant type: Implicit 11: Auth URL: paste the URL that you copied from the hosted zone 12: Click on the button Get New Access Token 13: Login with your user 14: Copy the id_token

Step 12: Exploring the Contents of Your JWT

1. Go to jwt.io
2. Paste your id_token
3. On the right side you'll see your decoded payload data

Securing Your API with the JWT Authorizer

Step 13: Create an authorizer

1. Go to your API that you created
2. For your GET method you'll see that you don't have any authorization added
3. To add this click on Authorizers on the left pane
4. Click on Create authorizers
5. Add the settings you see below
6. Create authorizer
7. You can now click on your newly created authorizer and test it in the console directly

Step 14: Now let's update our method with our new authorizer

1. Go back to your GET method in your API
2. On the Method request settings select Edit
3. On the Authorization select your newly created authorizer
4. Click Save and the redeploy your API

Step 15: Let's test our new API endpoint with our authorizer

1. Go back to Postman to your request and use your GET method and click Send
2. You should now get:

{
    "message": "Unauthorized"
}

But let's generate a token and then add a new Header:
Key: Authorization
Value: Your id_token

Click send and you should now see:

"Hello from Lambda!"

Conclusion

Congratulations! You’ve successfully secured your API using JWT authorizers and Amazon Cognito. This setup provides robust authentication, ensuring only authorized users access your resources. With stateless JWTs, your API scales effortlessly without session management overhead. Plus, strong API security builds user trust and helps meet compliance standards.

With this foundation, your API is more secure, scalable, and ready to grow alongside your application’s needs.