Amplify API Auth with Cognito Custom Scopes - overview and temporary solution

Radek — Mon, 23 Jan 2023 14:44:18 +0000

Recently I have faced a truly annoying problem, whose understanding took me 1 week. Here is a simple overview of the problem and potential solution which I found:

Overview

Amplify is a tool which helps frontend developers create and manage backend resources. It comes with predefined libraries which take care of implementing communication with AWS Backend. With Amplify, we can easily create authorization which work with Cognito and Rest API requests for API Gateway. The problem begin when we want to use Cognito User pool authorization for Rest API.

Problem

Due to AWS Docs to restrict Rest API with Cognito User pool you should create Resource server and protect your endpoints with Custom scope. However, Amplify, and even more precisely AndroidSDK, doesn't return Custom Scopes if Hosted UI is not used --> link to Issue
If you don't want to use Hosted UI, currently you cannot use Custom Scopes.

First solution - stick with what you got

Use aws.cognito.signin.user.admin scope to protect endpoints. It's not perfect solution, it can work only if all your endpoints requires same permissions. It's still better than not protecting your endpoints at all. If you don't use any scope at API Endpoints, by default API Gateway would assume that openid scope is used, which will result in authenticating to API with ID token instead of Access Token.

Second solution - do it yourself

If your project requires Custom Scopes and you really don't want to use Hosted UI for your mobile app, you have to implement token management yourself. You can do it by sending a request for Grant Code and then sending another request for all tokens with Cognito credentials in the body. You also have to take care of proper protection of all requests. It's harder because you have to take care of token management by yourself (as well, you could not use Amplify/AWS SDK at all).

Third solution - move to Hosted UI

It is what it is. The simplest solution would be using Hosted UI since there are no other options right now. Let's hope that AWS will provide further improvements in the nearest future.

None of this solution is perfect, and the most recommended would be moving to Hosted UI, which will result in lower user experience.

Why you can't go wrong with AWS as student

Radek — Mon, 23 Jan 2023 14:32:01 +0000

6 months ago I have started my work as an AWS Cloud developer. Before this, I had close to zero knowledge of Cloud. So if you are a student, be smarter than me and start learning it right now.

1. It's BIG

At your university, you probably learn many different things, and you still know that's not all of it. You hear about so many specializations, different skills, different techs. So if you heard about something, there is quite big chance that AWS already has a solution for it.
It doesn't really matter what you are planning to do after university - AWS for sure has some tool for you. Here are some examples:

Would you like to do backend? - check serverless approach with Lambda.
Front-end dev with React? - have you heard about static hosting on S3?
Network Admin? - AWS got all you want - DNS/Routing/VPC.
How about mobile dev? - You can be interested in Amplify!
Machine learning/AI? - SageMaker has a lot of tools for you.

Still not sure? You probably faced a problem where you had to install a Linux machine for some school project. With AWS EC2, you can run it with 1 command in less than a minute!

2. It's universal

You know that learning programming is not about learning a programming language - it is about learning how to solve problems. With AWS, you can do the same. Probably, it's even easier. You don't really have to learn any syntax. You just have to start using it. What's even more important, there are not so many cloud providers. If you learn something in AWS, you will definitely catch it in different cloud platform. Also, due to the huge movement toward cloud computing, more and more applications rely on Cloud. Even if you don't use the cloud, there is quite big chance that someone in your team is using it. Wouldn't be nice to know what they are talking about?

3. It's impressive

We all know multilingual people. It's truly impressive when someone starts to talk in fluent Spanish while his first language is German. Same goes with AWS, especially if you are not applying for DevOps work. Imagine recruiting React Dev who has AWS skills in his CV. It might not be so useful for this project, but if your applicant had learnt the basics of AWS, he can definitely manage his daily duties.

4. It's better paid

Are you earning a good salary as Python Dev? You can earn more by being Python Dev in Cloud. Currently, cloud positions have the highest salary in all IT industry. Check the stats.

DEV Community: Radek