I have a simple Lambda function which sends emails through SES. I can call it using a POST request with the required data and it will send an email. My question is, what are the methods I can use to secure this function? Currently, anyone can call that endpoint and execute the function with any data.
You need to set an authorizer for your API Gateway. This tutorial is a great start point.
In summary, you need to:
Create a Cognito User Pool
Create a Cognito Identity Pool that uses this User Pool
Make the client to log in and retrieve Cognito credentials
Make the client to send authorization headers for all requests
Set an authorizer in your Lamba function
Your serverless.yml will look like this with the authorizer configuration:
functions:
hello:
handler: handler.hello
events:
- http:
path: hello
method: post
authorizer:
arn: YOUR_USER_POOL_ARN
You don't need to be restricted to a Cognito authorizer. You can use configure an authorizer for Google+, Facebook, etc.
This setting means that the Lamba function will be triggered only by authenticated users and you can identify what is the User ID by inspecting the event object:
event.requestContext.authorizer.claims.sub
Related
I have an AWS API, with access controlled by an IAM authoriser associated with the unauthenticated role of a Cognito Identity pool. A successful call to the API invokes a Lambda function.
The current process is:
User obtains temporary security credentials. This includes:
User IdentityId e.g. eu-west-2:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX. This is the information I require in my Lambda function - see below.
Access credentials: AccessKeyId, SecretKey and SessionToken
The user calls the API using a signed request. The header of the request includes X-Amz-Security-Token, obtained from step 1
If authorisation is successful, the request is sent on to the Lambda function. event.headers includes X-Amz-Security-Token
Is it possible for the Lambda function to identify the identity pool ID of the caller (e.g. eu-west-2:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX), either from the data available in the header of the request, or any other means.
Things I have tried:
sts.getCallerIdentity with Invoke with caller credentials ticked in API Gateway
Looking at SessionToken, though this appears only to be a temporary access token rather than containing any useful data like a JWT.
If absolutely necessary I can include the identity ID of the user with every request, but I'd prefer to avoid this if possible.
The Cognito ID of the user is included in the requestContext property of the event object passed to your Lambda function.
E.g. the Identity of the Cognito user that access the API is:
event['requestContext']['identity']['cognitoIdentityId'];
I'm trying to figure out how to use the token event as specified in Google's OAuth 2.0 documentation for server side applications (using Node.js):
Here's the code for the token event:
oauth2Client.on('tokens', (tokens) => {
if (tokens.refresh_token) {
// store the refresh_token in your secure persistent database
console.log(tokens.refresh_token);
}
console.log(tokens.access_token);
});
I actually get this event to fire, but am unsure about when to check for a valid token. If I do this one every request (let's say Google Docs API request), the token event fires after I'm requesting the API, so credentials are not set correctly.
How would you go about making sure that the correct access token is set BEFORE making a request?
Google says "Once the client has a refresh token, access tokens will be acquired and refreshed automatically in the next call to the API.", which is also kind of the case, but too late.
So my question once again: How do I, in my call, wait for the token event to finish updating my access token in order to set credentials BEFORE making the request?
Thank you!
I am using the OAuth server flow for Google.
It starts with the user clicking a link that runs javascript to open a popup with the following request in the URI which is all working great:
var endpoint = "https://accounts.google.com/o/oauth2/auth";
endpoint = endpoint + "?scope="+encodeURIComponent(googlecalendar.SCOPES);
endpoint = endpoint + "&redirect_uri="+encodeURIComponent("https://myserver/google/");
endpoint = endpoint + "&response_type=code";
endpoint = endpoint + "&access_type=offline";
endpoint = endpoint + "&approval_prompt=force";
endpoint = endpoint + "&client_id="+encodeURIComponent(googlecalendar.CLIENT_ID);
endpoint = endpoint + "&state="+encodeURIComponent(googlecalendar.USER_ID);
On the server side, I get the state which contains the user_id for my DB and the authorisation code.
Now I want to exchange the authorisation code for access token (and renew token). This will be a HTTP request with a redirect URI, no state parameter is included.
The problem is that when I get those, I will need to store them against a user in my DB, but I don't have any way to check which user the callback is for.
The best I was able to come up with is using the token to query the google user's identity it belongs to but this still won't help me to find the user in the DB.
Can anyone help me with this flow? There must be some way to do. I don't want to use client libraries because later when I need to create watchers the PHP client library does not include this for the calendar API.
Short Answer
Despite the presence of a redirect parameter, the access token will generate a standard 200 response, not a 301 redirect. Depending on how you issue and handle the request/response, you can preserve your state.
More Detailed Answer
According to section 4.1.4 of the OAuth 2.0 spec document (RFC 6749), the response to an Access Token Request should be an "HTTP/1.1 200 OK".
In other words, the server will not perform a redirect, meaning you can issue a request and process the response in the same scope (either in the client or server, whatever your situation), so your database user ID need only be in local memory.
This is different from the Authorization Request, which is supposed to result in an "HTTP/1.1 302 Found" (redirect). See section 4.1.2.
So why is the redirect_uri parameter required?
According to section 4.1.3, the server must:
ensure that the "redirect_uri" parameter is present if the "redirect_uri" parameter was included in the initial authorization request as described in Section 4.1.1, and if included ensure that their values are identical.
In other words, the redirect_uri acts as a sort of secret or password which the server must use to verify the access token request. If the client fails to provide a redirect_uri parameter, or the parameter value is different from the original request, then the server must reject the access token request.
I am trying to do Facebook authentication in same window of my web application's login page.
I am using following code when user clicked login button to go to authentication page.
function loginUsingOAUTH()
{
top.location = 'https://graph.facebook.com/oauth/authorize?client_id=839846246064537&scope=email&redirect_uri=http://www.olcayertas.com/testqa/result.html';
}
1) After authentication Facebook redirects me to my redirect url and returns a parameter "code".
At this point I want to access Facebook user information but I don't know how to do that.
What is this "code" parameter for?
2) Is there any other way to access user information?
3) Do you have any other advice facebook authentication with same window login?
Thank you in advance for your help
When you get the code you should make a server side request to get an access token and than pass the access token to user. It is explained in Facebook Developer page:
Exchanging code for an access token
To get an access token, make an HTTP GET request to the following
OAuth endpoint:
GET https://graph.facebook.com/v2.3/oauth/access_token?
client_id={app-id}
&redirect_uri={redirect-uri}
&client_secret={app-secret}
&code={code-parameter}
This endpoint has some required parameters:
client_id. Your app's IDs
redirect_uri. This argument is required and must be the same as the original request_uri that you used when starting the OAuth login
process.
client_secret. Your unique app secret, shown on the App Dashboard. This app secret should never be included in client-side code or in
binaries that could be decompiled. It is extremely important that it
remains completely secret as it is the core of the security of your
app and all the people using it.
code. The parameter received from the Login Dialog redirect above.
Response
The response you will receive from this endpoint will be returned in
JSON format and, if successful, is
{“access_token”: <access-token>, “token_type”:<type>, “expires_in”:<seconds-til-expiration>}
If it is not successful, you will receive an explanatory error
message.
I am trying to send app-generated request using either JS SDK or graph API but I am not successful and desperate. Issue is that when I am sending request to currently logged user, everything is ok, but when I try to send to different user (even this user already authorized my app) I receive OAuth exception "#2 User can't send this request: Unknown error", sometimes "Failed to send any app requests".
My app has Request 2.0 enabled and is authorized with publish_stream, read_stream and user_about_me permissions. Same error messages I described are shown even in Graph API explorer.
Exactly same issue is described here using JS SDK:
Sending an App Generated Request with the JavaScript SDK
... and here using Graph API:
Posting app generated apprequest to other facebook users in Java
Please help.
If you want send a request to a user, you should POST to the Graph API '/user_id/apprequests' using an App Access Token (https://developers.facebook.com/docs/authentication/#applogin). This call is to design to be executed server-side as you don't want to share your App Access Token:
curl -F 'access_token=APP_ACCESS_TOKEN' \
-F 'message=From the app to the user.' \
https://graph.facebook.com/USER_ID/apprequests
The same can be achieve using the User Access Token from the recipient (USER_ID) only:
curl -F 'access_token=USER_ACCESS_TOKEN' \
-F 'message=From the app to the user.' \
https://graph.facebook.com/USER_ID/apprequests
In the JS SDK, if no Access Token field is added, the default Access Token will be of the logged in user. Knowing that, the above call which send the a request to the logged in user, will be:
FB.api('/me/apprequests', 'POST', {message: 'From the app to the user.'});
The first call can also be done with the JS SDK, by adding the App Access Token in the parameters. However, this is a DO NOT USE case as you don't want to share your App Access token client-side.