Library for verifying cognito tokens.
Project description
Purpose
A Library for setting up login routes in a Chalice app.
Basic Usage
Below is an example of a basic application making use of a Cognito User Pool.
First set up a new Chalice app:
$ chalice new-project test-auth $ cd test-auth
Next we add chalice-cognito-auth as a dependency:
$ echo "chalice-cognito-auth" >> requirements.txt
Now update the app.py file to configure a default user pool handler using the UserPoolHandlerFactory class.
from chalice import Chalice
from chalice_cognito_auth.userpool import UserPoolHandlerFactory
app = Chalice(app_name='test-auth')
app.experimental_feature_flags.update([
'BLUEPRINTS',
])
user_pool_handler = UserPoolHandlerFactory().create_user_pool_handler()
app.register_blueprint(user_pool_handler.blueprint)
@app.route('/whoami', authorizer=user_pool_handler.auth)
def index():
return {
'username': user_pool_handler.current_user
}
This will create a UserPoolHandler object using the environment variables APP_CLIENT_ID for the Cognito Userpool application client id. POOL_ID for the ID of the Cognito Userpool itself. And AWS_REGION for the region. AWS_REGION is set by the AWS Lambda runtime, but the other two we need to set ourselves. Update the file .chalice/config.json to look something like the following:
{ "version": "2.0", "app_name": "test-auth", "environment_variables": { "APP_CLIENT_ID": "...client id here...", "POOL_ID": "...pool id here..." }, "stages": { "dev": { "api_gateway_stage": "api" } } }
Substitute the client id and pool id values for ones that match an existing cognito user pool you have and can use for testing.
Now deploy the application using:
$ chalice deploy Creating deployment package. Updating policy for IAM role: test-auth-dev Updating lambda function: test-auth-dev Updating lambda function: test-auth-dev-UserPoolAuth Updating rest API Resources deployed: - Lambda ARN: arn:aws:lambda:us-west-2:...:function:test-auth-dev - Lambda ARN: arn:aws:lambda:us-west-2:...:function:test-auth-dev-UserPoolAuth - Rest API URL: https://id.execute-api.us-west-2.amazonaws.com/api/
Now that it has been deployed we can access the API using the Rest API URL. chalice-cognito-auth injects a login route which accepts a POST request with a JSON payload containing the two keys username and password. Make sure your configured userpool has a user in it that can be used for testing and send something like the following:
$ curl -X POST -H Content-Type:application/json https://id.execute-api.us-west-2.amazonaws.com/api/login -d '{"username":"StealthyCoin", "password": "secret"}' {"id_token":"...","refresh_token":"...","access_token":"...","token_type":"Bearer"}
The above JSON response contains all the tokens needed to send authorized requests. To test our authorizer we will use the whoami route which simply takes a request and either rejects it if unauthorized, or sends back the username associated with the request. To do this we will send a GET request with an Authorization header with the value of our id_token from the result JSON above.
In my case:
$ curl -H Authorization:...id token here... https://id.execute-api.us-west-2.amazonaws.com/api/whoami {"username":"StealthyCoin"}
Which sends back JSON object with the username that goes with my id token.
To check that a requset with a bad authorization token is rejected, run the following curl command:
$ curl -H Authorization:foobar https://id.execute-api.us-west-2.amazonaws.com/api/whoami {"Message":"User is not authorized to access this resource"}
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for chalice-cognito-auth-2.4.1.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | e83cafefb5cea34e9c9aa64562540bff8322854a5b69138fd216ac3d8ac9033e |
|
MD5 | b25ae3c1965ca310efe1666ee83453cf |
|
BLAKE2b-256 | 71f1ea9bcb8020d4533f125f54f0c97ca69195687a65863f3b6cc8f3142b02a5 |
Hashes for chalice_cognito_auth-2.4.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | ee9745bdfdc80e523948796903fffa304c1c6246b45d562059360f7781599de1 |
|
MD5 | 2d24765c76fd89f8c1e42eb8b0da9267 |
|
BLAKE2b-256 | bc8fcd7b943e85b1a9ed5a622b127e059b6fe65cd088fa7998ce01fc5ff948c3 |