Tags: .net, amazon-web-services, amazon-cognito, gateway

Integrating Amazon API Gateway with Amazon Cognito for use in a .Net Framework Desktop Application


We are trying to set up a desktop application requiring a multi factor authenticated login to connect to Amazon's API gateway. To this end, we have used Amazon Cognito for the authentication with the intention of integrating it with the API gateway. Both of the Cognito and API gateway parts of the setup work independently. The issue comes with adding in the security.

By following the documentation here: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html, we have configured the API gateway to use an authorizer and a token, which is received on successful login through Cognito. When testing the authorizer in the AWS console, the token that is received is valid and the authentication is passed.

The issue arises when trying to do this from the desktop application. After hours and hours trawling through documentation and endless googling, we're still no closer to getting it to work.

The documentation says that we have to put the token in the header of the request with the 'Authorization' key. We do this but just keep receiving an HTTP 401 (Unauthorised).

The request header being sent is as follows (the first black rectangle is the api endpoint and the second is the token we are passing in):

[Image: the request headers being sent, with the API endpoint and the token redacted]

The same result is seen when using 3rd party apps such as Postman.

From the following documentation: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-troubleshooting-jwt.html, we tried the curl command: curl -v -H "Authorization: <token>" <endpoint>

but just keep getting the response:

*   Trying <ip>...
* TCP_NODELAY set
* Connected to <endpoint> port 443 (#0)
* schannel: SSL/TLS connection with <endpoint> port 443 (step 1/3)
* schannel: checking server certificate revocation
* schannel: sending initial handshake data: sending 217 bytes...
* schannel: sent initial handshake data: sent 217 bytes
* schannel: SSL/TLS connection with <endpoint> port 443 (step 2/3)
* schannel: failed to receive handshake, need more data
* schannel: SSL/TLS connection with <endpoint> port 443 (step 2/3)
* schannel: encrypted data got 4096
* schannel: encrypted data buffer: offset 4096 length 4096
* schannel: encrypted data length: 4030
* schannel: encrypted data buffer: offset 4030 length 4096
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with <endpoint> port 443 (step 2/3)
* schannel: encrypted data got 1024
* schannel: encrypted data buffer: offset 5054 length 5054
* schannel: encrypted data length: 180
* schannel: encrypted data buffer: offset 180 length 5054
* schannel: received incomplete message, need more data
* schannel: SSL/TLS connection with <endpoint> port 443 (step 2/3)
* schannel: encrypted data got 167
* schannel: encrypted data buffer: offset 347 length 5054
* schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.
* Closing connection 0
* schannel: shutting down SSL/TLS connection with <endpoint> port 443
* schannel: clear security context handle
curl: (35) schannel: next InitializeSecurityContext failed: Unknown error (0x80092012) - The revocation function was unable to check revocation for the certificate.

Does anyone have any idea what we are doing wrong?


Solution

  • For anyone who comes across this in the future: the issue had nothing to do with the token being passed. Upon inspecting the token we found that the scopes didn't match up.

    We'd tried to use custom scopes in Cognito, but for some reason custom scopes don't really work in desktop applications (the scope kept defaulting to aws.cognito.signin.user.admin).

    Anyway, long story short: we are now using Lambda authorizers to verify the ID JWT token acquired from our Cognito user pool. We then allocate permissions based on the group of the user making the request.
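The Lambda-authorizer approach the answer settles on, written out as an added example (this is not the poster's code, nor AWS's): a Python TOKEN authorizer that loads the user pool's JWKS, verifies the ID token's RS256 signature and its iss, token_use, aud and exp claims, and then turns the caller's cognito:groups into an execute-api policy. REGION, USER_POOL_ID, CLIENT_ID and the GROUP_PERMISSIONS table are placeholders to fill in for your own pool and API; the RSA key generation and signing at the end are there only so demo() can mint and check a token offline and have no place in a deployed authorizer. Two points from the thread it makes concrete: a user pool authorizer expects the ID token when no OAuth scopes are configured on the method and the access token (the only one that carries scopes) when they are, which is the mismatch the poster found; and the curl output in the question shows schannel failing a certificate-revocation lookup on the client before any request was sent, so it says nothing either way about the 401.

```python
"""Added example: a TOKEN Lambda authorizer that verifies a Cognito ID token via the pool's JWKS and grants by group."""
import base64, hashlib, json, random, time, urllib.request
REGION = "eu-west-1"                 # placeholder
USER_POOL_ID = "eu-west-1_EXAMPLE"   # placeholder
CLIENT_ID = "example-app-client-id"  # placeholder: the desktop app's Cognito app client id
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
GROUP_PERMISSIONS = {"admins": ["GET/*", "POST/*", "DELETE/*"], "readers": ["GET/*"]}  # constructed mapping
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 DigestInfo (RFC 8017)

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _emsa_pkcs1_v15(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) as a k-byte integer
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_verify(signing_input, sig, n, e):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(signing_input, k)

def fetch_jwks():  # cache the result across invocations in a real deployment
    with urllib.request.urlopen(f"{ISSUER}/.well-known/jwks.json") as resp: return json.load(resp)

def verify_cognito_id_token(token, jwks, now=None):
    h, p, s = token.split(".")  # any malformed part raises ValueError, which the handler maps to 401
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":  # never let the token choose its own algorithm
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64url_decode(key[x]), "big") for x in ("n", "e"))
    if not rs256_verify(f"{h}.{p}".encode(), b64url_decode(s), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    # token_use must be "id": an access token carries scopes, not the user's groups and attributes
    for name, expected in {"iss": ISSUER, "token_use": "id", "aud": CLIENT_ID}.items():
        if claims.get(name) != expected:
            raise ValueError(f"bad {name}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def build_policy(principal, method_arn, groups):  # allow what the groups grant; deny by default
    api_arn, stage = method_arn.split("/")[:2]  # arn:aws:execute-api:region:acct:apiId/stage/VERB/path
    resources = sorted({f"{api_arn}/{stage}/{pat}" for g in groups for pat in GROUP_PERMISSIONS.get(g, [])})
    statement = ({"Action": "execute-api:Invoke", "Effect": "Allow", "Resource": resources} if resources
                 else {"Action": "execute-api:Invoke", "Effect": "Deny", "Resource": method_arn})
    return {"principalId": principal, "context": {"groups": ",".join(groups)},
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}

def lambda_handler(event, context=None, jwks=None, now=None):
    token = event.get("authorizationToken", "")  # TOKEN authorizer: the raw Authorization header value
    token = token[7:] if token.lower().startswith("bearer ") else token
    try:
        claims = verify_cognito_id_token(token, jwks if jwks is not None else fetch_jwks(), now)
    except ValueError:
        raise Exception("Unauthorized")  # API Gateway maps this exact message to HTTP 401
    return build_policy(claims["sub"], event["methodArn"], claims.get("cognito:groups", []))

# ---- test-only RSA key generation and signing; a deployed authorizer never holds a signing key ----
def _probable_prime(bits):  # Fermat test with 24 random bases: adequate for a throwaway test key
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(random.randrange(2, c - 1), c - 1, c) == 1 for _ in range(24)):
            return c

def generate_test_keypair(bits=512):  # returns (n, e, d) with e = 65537
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % 65537 and (p * q).bit_length() == bits:
            return p * q, 65537, pow(65537, -1, (p - 1) * (q - 1))

def mint_test_token(claims, n, d, kid):
    head = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    k = (n.bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(f"{head}.{body}".encode(), k), d, n).to_bytes(k, "big")
    return f"{head}.{body}.{b64url_encode(sig)}"

def demo(now=1_700_000_000):  # offline run: valid test token allowed, payload-edited copy rejected
    n, e, d = generate_test_keypair()
    to_b64 = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    jwks = {"keys": [{"kty": "RSA", "kid": "test-kid", "alg": "RS256", "n": to_b64(n), "e": to_b64(e)}]}
    claims = {"sub": "user-123", "iss": ISSUER, "aud": CLIENT_ID, "token_use": "id",
              "exp": now + 3600, "cognito:groups": ["readers"]}
    token = mint_test_token(claims, n, d, "test-kid")
    arn = "arn:aws:execute-api:eu-west-1:123456789012:abc123/prod/GET/items"
    allowed = lambda_handler({"authorizationToken": "Bearer " + token, "methodArn": arn}, jwks=jwks, now=now)
    h, p, s = token.split(".")  # now edit the payload but keep the original signature
    forged = b64url_encode(json.dumps({**json.loads(b64url_decode(p)), "cognito:groups": ["admins"]}).encode())
    try:
        lambda_handler({"authorizationToken": f"{h}.{forged}.{s}", "methodArn": arn}, jwks=jwks, now=now)
    except Exception as exc:
        return allowed, str(exc) == "Unauthorized"
    return allowed, False
```

Deploy lambda_handler as a TOKEN authorizer with the Authorization header as its token source; the desktop app then sends the ID token it receives at login in that header, and any token failing a check surfaces as the 401 the poster was seeing. Cache the JWKS between invocations, and keep GROUP_PERMISSIONS as narrow as the API allows, because API Gateway caches the returned policy for the authorizer's TTL and reuses it for that caller's later requests.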