laardee / serverless-authentication-boilerplate

Generic authentication boilerplate for Serverless framework
http://laardee.github.io/serverless-authentication-gh-pages
MIT License

Boilerplate feels incomplete (restricted area with cognito user pool authorization needed) #29

Open kidsil opened 7 years ago

kidsil commented 7 years ago

Hey, I've been working with this boilerplate on and off, but it feels incomplete. Now that API Gateway allows Authorization via Cognito User Pools, I feel like there should be an example included of a restricted zone that is only accessible via a user pool user.

Serverless.yml supports this type of authorization, but I couldn't get it to work myself (otherwise I would've sent a Pull Request..).

laardee commented 7 years ago

@kidsil I've thought about it also and that would be a great feature. How far did you manage to implement it?

kidsil commented 7 years ago

Sadly not very far, I've tried over and over again to get a request through the Authorizer (following the docs) without any luck.

This is how the events portion of my main/serverless.yml config file looks:

    events:
      - http:
          path: restricted
          method: get
          cors: true
          integration: lambda
          authorizer:
            arn: arn:aws:cognito-idp:AWS_REGION:AWS_ACCOUNT_ID:userpool/AWS_USERPOOL_ID
            resultTtlInSeconds: 0
            claims:
              - email
              - name
            identitySource: method.request.header.Authorization
            identityValidationExpression: .*

This might be useful, couldn't get much out of it though..
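As an added example (not code from the boilerplate or the gist), a handler for the `restricted` function configured above that reads the Cognito user pool claims the authorizer hands to Lambda. With `integration: lambda`, Serverless's default request template exposes the listed `claims` as `event.cognitoPoolClaims`; with `integration: lambda-proxy`, they arrive under `event.requestContext.authorizer.claims`. The sample events at the bottom are constructed for a local check.

```javascript
'use strict';

// Pull Cognito user pool claims from whichever shape the integration produced.
// integration: lambda       -> event.cognitoPoolClaims (built from the `claims` list)
// integration: lambda-proxy -> event.requestContext.authorizer.claims
function getClaims(event) {
  if (event && event.cognitoPoolClaims && Object.keys(event.cognitoPoolClaims).length) {
    return event.cognitoPoolClaims;
  }
  const rc = event && event.requestContext;
  if (rc && rc.authorizer && rc.authorizer.claims) {
    return rc.authorizer.claims;
  }
  return null;
}

// Body of GET /restricted. The authorizer has already checked the ID token's
// signature and expiry; the function still verifies that the claims it relies
// on are present instead of trusting a possibly empty mapping (the default
// template yields empty strings when no authorizer populated the claims).
function restricted(event) {
  const claims = getClaims(event);
  if (!claims || !claims.email) {
    return { statusCode: 401, body: JSON.stringify({ message: 'Unauthorized' }) };
  }
  return {
    statusCode: 200,
    body: JSON.stringify({ message: `Hello ${claims.name || claims.email}`, email: claims.email })
  };
}

// Lambda entry point; wire it in serverless.yml as `handler: restricted.handler`
// (hypothetical file name restricted.js).
const handler = async (event) => restricted(event);
if (typeof module !== 'undefined') {
  module.exports = { handler, restricted, getClaims };
}

// Constructed sample events for a local check
const proxyEvent = { requestContext: { authorizer: { claims: { email: 'a@example.com', name: 'Ada' } } } };
const lambdaEvent = { cognitoPoolClaims: { email: 'b@example.com', name: 'Bob' } };
const anonEvent = { cognitoPoolClaims: { email: '', name: '' } };
```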

laardee commented 7 years ago

Thanks, I'll try to take some time for this soon.

kidsil commented 7 years ago

@laardee I have a rough code sample done that is able to grab the Token ID (and Refresh Token, and Access Token) JWT: https://gist.github.com/kidsil/cb0112e912960f517d88c586e333bdc3

The only thing that's still not working is getting through the API Gateway Authorizer (tried to use Header: Authorization: JWT_TOKEN, didn't work).

kidsil commented 7 years ago

Got it to work! Will update soon with a complete solution! The bug I had was somewhat unrelated: https://github.com/serverless/serverless/issues/3088

laardee commented 7 years ago

Great!

kidsil commented 7 years ago

I'm still not sure the best way to cache the Authentication Token & Refresh Token.

I guess I could put it in local storage. My gist works as is. Since I'm not sure in which way you'd like to integrate it into the repo, I'd rather leave it as is for now.

Let me know if you need any further help with integration.


kidsil commented 7 years ago

Is the AuthorizationToken generated here https://github.com/laardee/serverless-authentication/blob/master/lib/utils.js#L112 related to the Authorization Token that is required by AWS API Gateway (when using User Pool Authorization)?