Microservice Authentication
Setting up Authentication for the Microservice
Right now, if you click the Go! button on the web site and do not enter a city to filter, you will see a dialog with all available trips. We want to change this behaviour so that you must be logged in in order to be able to search for all trips without a filter. This is just an example to demonstrate how we could limit certain API calls to only authenticated users.
Contents
- Update the AWS API Gateway
- Create an Authorizer that uses the Cognito User Pool
- Mark the /trips microservices to require authentication
Update the AWS API Gateway
- Open the AWS API Gateway console, and click on the Gateway Responses link beneath the iDevelop - Trip Search API link.
- In the Gateway Responses panel, scroll down to locate the
Unauthorized (401)panel and open it. - Click Edit
- In order for our web application to be able to receive the unauthorized 401 status, we need to add CORS headers to the response. Without the headers, the browser will not have permission to receive the 401 status. We have already enabled CORS for status 200 responses when we set up the API Gateway endpoints earlier. But we need to explicitly allow for status 401 to be returned.
In the Response Headers section, add in the following two header/value pairs:
| Header name | ‘static value’ |
|---|---|
| Access-Control-Allow-Origin | ‘*’ |
| Access-Control-Allow-Headers | ‘*’ |
You must provide the single-quotes around the static value as shown above. Don’t provide * by itself, surround it with single-quotes like shown. Make sure that there is no trailing space after the header name if you copy/pasted from the lab cloudformation values.
- Click the Save button in the
401panel to commit the changes.
Create an Authorizer that uses the Cognito User Pool
API Gateway integrates tightly with Cognito for authorization. You simply need to declare your Cognito User Pool as an authorizer for your API.
- Click the Authorizers link beneath the iDevelop - Trip Search API link on the left navigation panel
- Click Create New Authorizer
- For Name type
TravelBuddy - For Type select
Cognito - Select the
TravelBuddyentry from the drop-down list for Cognito User Pool by first clicking inside the text entry field. - For Token Source type
Authorizationand note that spelling and capitalization are important. - Click Create
Mark the /trips microservices to require authentication
- Click the Resources link beneath the iDevelop - Trip Search API link on the left navigation panel
- Click the GET method beneath
/trips - Click Method Request
- Click the pencil icon next to the Authorization field and from the menu that appears, select
TravelBuddy. This is the authoriser we created in the previous step, and links to the Cognito User Pool we are using for our user database. If it does not appear, try refreshing your browser.
- Click the grey tick next to the field to save the change.