Securing API Gateway with Amazon Cognito: Exploring OAuth 2.0 Implicit Grant Flow

Secure API Gateway with Amazon Cognito

OAuth 2.0 Implicit Grant flow demo: Secure API Gateway with an Amazon Cognito Authorizer and extract the JSON Web Token (JWT) to analyze security risks and the potential exposure of Personally Identifiable Information (PII)

Introduction

The OAuth 2.0 authorization framework lets a user grant a third-party web site or application access to the user’s protected resources through short-lived access tokens, instead of sharing long-term credentials such as a password with the third-party app. The framework itself does not mandate a token format; Amazon Cognito issues its ID and access tokens as JSON Web Tokens (JWTs), signed objects whose claims identify the user and are used to delegate granular permissions and authorize specific actions.
OAuth 2.0 supports several grant types, or “flows”, which obtain those tokens in different ways. In this example we use the implicit grant (response_type=token), in which the authorization server returns the token directly to the browser in the URL fragment of the redirect. We then analyze the risks this creates: the token is exposed to browser history, to any script running on the redirect page, and to anyone who can read the URL, which can lead to broken access control such as token theft, session hijacking, and disclosure of the sensitive information carried in the token’s claims. For these reasons the OAuth 2.0 Security Best Current Practice recommends against the implicit grant in favor of the authorization code grant with PKCE.

Description

In this demo, we will create an Amazon API Gateway HTTP API, integrate it with a Lambda function as the backend, and then configure a JWT authorizer backed by an Amazon Cognito user pool to limit access to authenticated users. After the authorizer is attached, every request must carry a valid Cognito JWT as a Bearer token in the Authorization header. API Gateway verifies the token’s signature against the user pool’s JSON Web Key Set, checks the issuer, audience and expiry, and only then forwards the request to Lambda; a missing, expired or tampered token is rejected with 401 before the backend is invoked. Authorization scopes can additionally be required on a route to confirm that the token carries the appropriate permissions for that API.
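As an added, offline example (not code from the original post or from AWS), the Python below walks through the three moments this demo is about: building the implicit-grant authorize request, pulling the token out of the redirect URL fragment and reading its claims the way jwt.io does, and finally the checks an authorizer performs before trusting the token. The user pool id, app client id, hosted UI domain, redirect URI and the HS256-signed sample token are all constructed for illustration; real Cognito tokens are RS256-signed and are verified against the user pool’s JWKS, which is why the signature check here is labelled a stand-in.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed, hypothetical Cognito settings (not a real user pool or app client).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
CLIENT_ID = "1example23456789"
HOSTED_UI = "https://demo-example.auth.us-east-1.amazoncognito.com"
REDIRECT_URI = "https://localhost/callback"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
# Real Cognito tokens are RS256-signed and verified against ISSUER + "/.well-known/jwks.json".
# The sample token below is HS256 with a throwaway key purely so the example runs offline.
DEMO_KEY = b"demo-signing-key-not-a-real-secret"

# Standard OIDC claims that identify a person; Cognito places the ones the app
# client may read into the ID token, where anyone holding the token can see them.
PII_CLAIMS = {"email", "phone_number", "name", "given_name", "family_name",
              "address", "birthdate", "cognito:username"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def authorize_url(scopes=("openid", "email")) -> str:
    """Step 1: where the browser is sent. response_type=token selects the implicit grant."""
    params = {"response_type": "token", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": " ".join(scopes),
              "state": "opaque-csrf-value"}  # constructed; bind it to the user's session
    return f"{HOSTED_UI}/oauth2/authorize?{urlencode(params)}"


def make_demo_token(claims: dict) -> str:
    """Constructed stand-in for the JWT Cognito issues (HS256 with DEMO_KEY)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def tokens_from_redirect(url: str) -> dict:
    """Step 2: the implicit grant returns tokens in the URL fragment (…/callback#id_token=…).
    The fragment never reaches the server, but browser history, page JavaScript and
    anyone who can read the URL all see it."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).fragment).items()}


def decode_unverified(token: str) -> dict:
    """What jwt.io (or a token thief) does: base64url-decode the payload. No key needed."""
    return json.loads(b64url_decode(token.split(".")[1]))


def exposed_pii(token: str) -> dict:
    """Personal data readable from the token without verifying it."""
    return {k: v for k, v in decode_unverified(token).items() if k in PII_CLAIMS}


def verify_demo_token(token: str, now: Optional[float] = None) -> dict:
    """Step 3: the checks an API Gateway authorizer performs before trusting a token.
    Signature is HS256/DEMO_KEY here (RS256/JWKS for real Cognito); the claim checks
    mirror Cognito's: iss is the pool, token_use is id/access, audience is our client, exp is future."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(DEMO_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    use = claims.get("token_use")
    audience = claims.get("aud") if use == "id" else claims.get("client_id")  # ID vs access token
    if use not in ("id", "access") or audience != CLIENT_ID:
        raise ValueError("token not issued for this app client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    # Constructed ID-token claims shaped like a Cognito ID token.
    demo_claims = {"iss": ISSUER, "aud": CLIENT_ID, "token_use": "id",
                   "sub": "11111111-2222-3333-4444-555555555555", "cognito:username": "alice",
                   "email": "alice@example.com", "iat": 1_700_000_000, "exp": 1_700_003_600}
    token = make_demo_token(demo_claims)
    print("authorize:", authorize_url())
    # The redirect the hosted UI would issue after login (constructed).
    redirect = f"{REDIRECT_URI}#id_token={token}&token_type=Bearer&expires_in=3600&state=opaque-csrf-value"
    got = tokens_from_redirect(redirect)
    print("PII readable without a key:", exposed_pii(got["id_token"]))
    print("verified claims:", verify_demo_token(got["id_token"], now=1_700_000_100))
```

The point of the split between decode_unverified and verify_demo_token is that the two are different operations: anyone can do the first, which is exactly why PII in an implicit-grant token is exposed, while only the authorizer’s full check (signature, iss, aud/client_id, token_use, exp) decides whether the API call is honored.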

Services and Tools Used

  • Amazon API Gateway
  • AWS Lambda
  • Amazon Cognito
  • Postman.com
  • jwt.io

We will use Amazon Web Services (AWS) to illustrate the OAuth 2.0 implicit grant workflow, jwt.io to decode and display the JWT header and claims (a JWT is base64url-encoded and signed, not encrypted, so its payload is readable by anyone who holds the token), and Postman.com to test the access controls on the API Gateway.


Program walk-through:

Part One:


In order to observe the OAuth 2.0 Implicit Grant and analyze its potential vulnerabilities, we first need something to secure. Therefore, we will create an Amazon API Gateway and integrate it with a simple Lambda function as the backend service.

– Create API Gateway

To get started, sign in to your AWS account and navigate to the AWS console to select the icon for API Gateway:

Once in API Gateway, select HTTP API and click “Build”

Name the API and click “Add integration”

