Tutorial: How to add security to a REST API using JWT Authorizers and Amazon Cognito | JWT Token

Captions
This tutorial is on how to add security to a REST API using JWT authorizers and Amazon Cognito.

So why add security to our API? Well, first, you'll want to limit access to only authorized users. This ensures that any secure data in our internal systems is protected from being publicly accessible. Also, when integrating with a front-end UI, we can lock down requests to only those made by authenticated users. One way to do this is to use JWT tokens to secure an API.

So what is a JWT token? It stands for JSON Web Token. Think of it like an encrypted file that is used to identify authenticated users. This token will have a valid digital signature that can be verified by our API. Authentication providers like AWS Cognito will validate a user based on their login and provide a token back that is passed along with all API calls made by that user.

Now that we see some of the benefits of securing our API, let's get on with the demo.

We'll start off by creating a simple Lambda. Go to Lambda, create a function, choose "Author from scratch", and let's call this "JWT demo". We'll leave it on Node.js, leave everything else default, and create the function. Now that the function is created, we have our dummy code here to begin with, so let's just change it to return something else: "hello from JWT demo". Let's deploy this.

Now that it's deployed, let's move on and create our API Gateway. Click "Create API", and we're going to create a REST API. We'll do a new API and call it "JWT demo API", then create the API. For this demo we're just going to create one simple GET method that we'll test. So we'll add a GET, leave everything the same, enable Lambda proxy integration, find our Lambda, link it and save. Let's deploy the API to a new stage, call that stage "dev", and click Deploy. It's deployed and we have an endpoint for our API, so let's copy it, click on it and see what happens in the browser. Right now it returns "hello from jwtd"; I misspelled "demo" but we'll leave it like that for now.

One additional thing we can do is copy this endpoint address, open it up in Postman and send a sample request. We get back a 200 with the message we saw in the browser, so that's just letting us know that the endpoint is working. We can move on and try adding security to this endpoint.

Let's go to Cognito and "Manage user pools". What we want to do here is create a user pool. We'll give it a name, "JWT user pool", review the defaults, leave everything the same for now and go ahead and create the pool. Now we have an actual user pool created, so let's create a user. We'll create just a quick test user that we won't have to validate and that will be active right away. Click "Create user"; we won't need to send out an email because we're going to activate it right away, and we won't use the phone number. So let's create a test user, give them a password and put in a test email. This user is now ready to go and we can test it out when our pool is up and running.

Next, we want to create an app client. Click on "App clients", then "Add an app client", and give it a name, "JWT app client". We can leave everything default, but what we'll want to do is uncheck "Generate client secret": since this is going to be used in the UI, we do not want to generate a client secret. Scroll to the bottom and create the app client.

Now that the app client is created, let's go to "App client settings". Here we can click "Select all" for now. We're going to give it just a dummy callback URL; we won't need an active one because we're not actually going to have a UI that accepts the callback, but it needs a valid URL anyway, and it needs the full "http://" in front of it: "http://localhost". Again, we're going to be using OAuth 2, so we'll want to check "Implicit grant", and we can go ahead and check all the scopes for now. After doing that, save changes.

Next, click on "Domain name". Cognito has the ability to provide a hosted UI for user authentication, and we're going to use that for our demo, so we have to start off by giving it a domain. For our demo we can call it "JWT demo". Let's check the availability; the domain is available, so we'll use it for now and save. Now that we have a domain, we can go back and use the AWS hosted UI for user authentication.

This is all ready now, so let's go back and see if we can actually log in with the test user we created. If I click "Launch Hosted UI", here's the hosted UI. Let's sign in with the test user. Since it's the first login, it's going to make us change our password, so let's change it. As you can see, it redirected us to our callback URL but tagged on all the token values. I'll show you a quick way to parse this out without having to do it yourself: go back to Cognito, click on "Launch Hosted UI" and copy the full login URL. Open up Postman, go to a new request, go to the Authorization tab, select OAuth 2.0 and configure a new token. Give it a name, change the grant type to Implicit, paste that login URL there and leave the rest the same. At the bottom, click "Get New Access Token" and you'll see the login screen pop up shortly. I already logged in once, but essentially you log in with that same user, it'll say "Authentication complete", click Proceed, and what you get back is all the tokens parsed nicely.

What we want is the actual ID token. Copy it, and I'll show you what's inside: if we go to jwt.io and paste the value in, you can see the encoded value on one side and the decoded value on the other, with all the payload data. You'll see we logged in as test user testuser.com; we can see our test username and all the various IDs. That's what's encoded in the JWT token. This is a signed token, so it can be validated on the server that this was actually issued by Cognito.

So now we have an actual Cognito user pool set up with one user that can be validated to return a valid JWT token. What we finally need to do is go back to our API and add security. Click on API Gateway, select our API and click on the method itself; you'll see Authorization is set to NONE right now. First we have to go to Authorizers and create a new authorizer. Give it a name, choose the Cognito type, select our user pool, and give it a token source: we'll call it "Authorization", which just tells the Cognito authorizer where to look in the request headers for our token. Then click Create.

We can go ahead and test this out. Let's test with a bad token and see what we get: it responds with "Unauthorized request". Let's grab a good token and do the same test: we actually get back valid claims, and you'll see the user information down below. So our test is good.

Now let's go back to our method and update the authorization to point to our authorizer. Click "Method Request" and the Authorization drop-down. As you can see, it doesn't show our authorizer yet; sometimes you just have to click refresh. So we'll do that again, Method Request, Authorization drop-down, and there's our authorizer. Select it and click the check mark. Now we have to actually deploy the API again since we made a change to the gateway: select our dev stage and click Deploy. This will take effect in maybe a couple of minutes, so let's give it a few minutes and then test out our API.

Now that our API is deployed, let's go to Postman and test it out. Here's our request from earlier; let's give it a try. As you can see, we hit it and it's coming back "Unauthorized". So what we're going to do next is add an Authorization header: we set the key to "Authorization", so let's put that in here, go back and grab our token and place it in the value. Let's see what happens with a valid token being passed: now we get a 200 with a valid response, "hello from jwtd". As you can see, now any calls to our API will require a valid token, and without it, if I invalidate it, you'll get "Unauthorized".

So there you have it, that's how you secure an API with a JWT token. Thanks for watching the video, I hope you found it helpful. Feel free to leave your likes and comments down below with any new video ideas you'd like to see. Take care everyone, bye now.
Info
Channel: Let's Find Solutions
Views: 12,444
Keywords: JWT Token, JWT Authorizer, Amazon Cognito, AWS Cognito, API Security, AWS Security, AWS, Serverless, API, Serverless API, Lambda, API Gateway, Node.js, CRUD, AWS Lambda, REST API, REST, AWS Services, Web Services, How To Code, Coding examples, Coding Lessons, How to write code, AWS How To, How To AWS, AWS Tutorial, Coding Tutorials, Learn to Code, Authentication, API Authentication
Id: 5kTO8Uso6hI
Length: 13min 10sec (790 seconds)
Published: Fri Oct 14 2022