aws-solutions / enhanced-document-understanding-on-aws

Enhanced Document Understanding on AWS delivers an easy-to-use web application that ingests and analyzes documents, extracts content, identifies and redacts sensitive customer information, and creates search indexes from the analyzed data.
https://aws.amazon.com/solutions/implementations/enhanced-document-understanding-on-aws/
Apache License 2.0

Removal of User Authentication for custom API build - Cognito #30

Closed Komal-99 closed 6 months ago

Komal-99 commented 6 months ago

Hi,

I was deploying the service as a custom build and need to remove the user authentication, but I cannot find a fix for that. Could anyone help with disabling the Cognito service so the API can be accessed directly for a custom use case?

knihit commented 6 months ago

Hello @Komal-99, thank you for reaching out. We have not tested this completely, but to start with there are a few things you can do:

  1. Remove this line. This is an Amplify authentication decorator.
  2. On the API Gateway, remove the following line.

If these don't work, you can try removing the request header for the Authorization token, as on this line. IMO this change is not required, but if request validation fails, you may need to remove it.

Let us know if you face any issues.

Komal-99 commented 6 months ago

Just to make sure: I have followed this and updated the mappings, then deployed it. I successfully got an API URL, but when I try to send a POST request from Postman to that URL to create a case, it returns a 403 error with the message "forbidden".

So I am guessing this is an auth error, as when we use it with the UI we need to first sign up or log in, but from Postman I am directly making a request to create a new case.

Do clarify if I am thinking in the wrong direction.

knihit commented 6 months ago

Yes, the API requires an Auth token header, generated by the Cognito service. You have 2 options:

  1. If you want to remove the API authorization, you can do so from the AWS Console by navigating to API Gateway, looking up the Authorizer and deleting the underlying configuration.
  2. You can generate the ID token. Refer to this link.

If you are not looking to remove Auth permanently and only need to bypass it for testing, I would suggest going with option 2.

Note: you can also test the API from the AWS Console under API Gateway. This way you would not require any authentication.

Komal-99 commented 6 months ago

Yes, as my project already has user authentication, I need to remove this auth and hit the API directly.

knihit commented 6 months ago

As a security best practice, you should have APIs protected with authentication. Instead of using Cognito, if you have a different authentication provider, you can configure a custom authorizer and integrate it with API Gateway. An API Gateway endpoint is a public endpoint unless you make it a PrivateLink endpoint. For public endpoints, anyone with information about the URL would be able to execute a GET/POST request. So my suggestion would be to review your architecture from a security lens for the need to have authentication for APIs too.

knihit commented 6 months ago

For security reasons, we cannot add a feature to remove authentication. Hence we will be closing the ticket. If you have any further questions, feel free to re-open this ticket or create a new one.

Komal-99 commented 6 months ago

No need to add a feature for removing authentication; the concern of this ticket was only to understand where we can tweak things as per our needs. And yes, I agree on the security concern. Can you provide more details on configuring the custom authorizer? For example, I have Google auth when a user logs in to my website, and after that he is directed to the dashboard where he can perform operations, one of which will be to upload documents and get text extraction done to get formatted results. I want to make sure that only an authenticated user who has access to my website can hit the API.

knihit commented 6 months ago

You can configure Cognito with an OAuth 2.0 flow. A few changes need to be made:

  1. The App.js would look similar to the following link. This is from another solution.
  2. In the account/region where the solution is deployed, there would be a Cognito User Pool. This pool's configuration would need to be changed as here.

LakshyaN15 commented 6 months ago

Hi! The above template is the template we used on CloudFormation. Under the Mappings section we configured RedactionWorkflow, CustomDashboard and WebApp as "No". Now we just want to call the API, and we have removed the authorizers. Again, it gives Status Code 403: Forbidden.

Kindly Help!


Komal-99 commented 6 months ago

Hi, we are not able to fix the issue as of now. We have changed AuthorizationType from "COGNITO_USER_POOLS" to "NONE" and removed the AuthorizerId key wherever it is specified in the Mappings template. But still, when deploying, it creates a User, and it shows this error at the API URL, and from Postman passing {'caseName':"TEST"} gives a 403 forbidden error. @knihit please help us, we are unable to understand our mistake.

knihit commented 6 months ago

There should be a Lambda function by the name requestprocessor. Can you please check the logs? We pass the auth token to the Lambda to extract the user. So when I tried removing the authorizer from API Gateway, I can see the request going to the Lambda function, but it errors out because it expects a token:

    at jwtDecode (/opt/nodejs/node_modules/common-node-lib/node_modules/jwt-decode/build/cjs/index.js:40:15)
    at exports.decodeJwtToken (/opt/nodejs/node_modules/common-node-lib/cognito/decode-jwt-token.js:25:16)
    at exports.getUserIdFromEvent (/opt/nodejs/node_modules/common-node-lib/cognito/decode-jwt-token.js:38:29)
    at exports.handler (/var/task/index.js:50:38)

Now you can remove the call that checks the access token and retrieves the userId. An example of this call is here, but you are going into uncharted territory. The DynamoDB table design also takes the user information into account. Also note that anything which says SharedLib is under the lambda/layers/common-node-lib folder. IMO, using federated sign-in would still be the easier option rather than removing authentication.

Note: the application is designed to be user aware. It has to know that user information was supplied, as it uses that to process cases/documents. If you remove Auth, you would somehow need to get a user dynamically or make it static.
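The failure mode in the stack trace above (jwt-decode throwing on a missing Authorization header once the authorizer is removed), as an added example that is not the project's code: a user-aware request handler that fails closed with 401 instead of crashing. Like jwt-decode, `decodeJwtPayload` only decodes the token and verifies nothing, so the `sub` it returns is trustworthy only while an API Gateway authorizer has already validated the signature upstream; with the authorizer removed, the caller controls the user ID. For a REST API with a Cognito user pool authorizer, API Gateway also exposes the verified claims under `requestContext.authorizer.claims`, which the handler prefers when present. The event shapes and the `createCase` handler name are assumptions for the demo; the sample token is constructed and unsigned.

```javascript
// Added example (not from the project). Hardened user lookup for a Lambda proxy handler.
'use strict';

// Decode-only, exactly like jwt-decode: no signature check happens here.
function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// HTTP header names are case-insensitive; API Gateway forwards them as sent.
function getAuthHeader(event) {
  const headers = event.headers || {};
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'authorization');
  return key ? headers[key] : undefined;
}

// Returns the user id, null when no identity was supplied, or throws on a malformed token.
function getUserIdFromEvent(event) {
  // Prefer claims that the API Gateway authorizer already verified.
  const authz = event.requestContext && event.requestContext.authorizer;
  if (authz && authz.claims && authz.claims.sub) return authz.claims.sub;
  const raw = getAuthHeader(event);
  if (!raw) return null; // fail closed instead of letting the decoder throw
  const token = raw.startsWith('Bearer ') ? raw.slice(7) : raw;
  const claims = decodeJwtPayload(token);
  return claims.sub || null;
}

function jsonResponse(statusCode, body) {
  return { statusCode, headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) };
}

// Synchronous core of a "create case" handler (hypothetical name for the demo).
function createCase(event) {
  let userId;
  try {
    userId = getUserIdFromEvent(event);
  } catch (e) {
    return jsonResponse(400, { message: 'invalid token' });
  }
  if (!userId) return jsonResponse(401, { message: 'Unauthorized' });
  let body;
  try {
    body = JSON.parse(event.body || '{}');
  } catch (e) {
    return jsonResponse(400, { message: 'invalid JSON body' });
  }
  if (typeof body.caseName !== 'string' || body.caseName.length === 0) {
    return jsonResponse(400, { message: 'caseName required' });
  }
  // The table design keys cases by user, so userId must come from a verified identity.
  return jsonResponse(200, { caseName: body.caseName, userId });
}

// Lambda entry point.
const handler = async (event) => createCase(event);

// Constructed sample token for the demo: unsigned (alg "none"), never accept this in production.
function unsignedToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64(claims)}.`;
}
```

The unsigned token in the last helper is exactly what a caller could send once the authorizer is gone: the handler would happily file the case under whatever `sub` it contains, which is why removing the authorizer without replacing it turns a 403 into an impersonation problem rather than fixing anything.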

knihit commented 6 months ago

Note that I have closed the issue, but if you want to continue on this thread, please consider re-opening the ticket or creating a new issue.

knihit commented 6 months ago

In the UI, you would also need to change the following line to

    export default App

basically removing the withAuthenticator call.