This will be a short one, since I don’t really have a good explanation of the behaviour posed by API Gateway. I have been struggling with this issue all throughout last week. But I do want to appreciate the Auth aspect offered by Cognito and API Gateway.
There are mainly 3 ways to do implement Authentication and Authorization logic for the private API calls made by users and service acccounts.
Do it from scratch: This means
Developing user signup, signin, signout workflows from scratch
There are more workflows to be handled - forgot password, reset password
The complexity increases multifold with MFA and email confirmation logic
Store the user credentials securely, etc.
… this is a lot of work
Use Cognito with Lambda authorizers: here, all the workflows are handled by Cognito, along with the support for Federated auth with enough room for customizations. The auth logic (both authentication and RBAC) is to be developed in the Lambda functions. Special lambda functions are created to handle these incoming requests. There is indeed some coding involved.
Use Cognito with API Gateway authorizers: To think of it, if we categorize incoming requests targeted towards, they are mainly of 2 types - user initiated, and service accounts initiated (for automation purposes). It makes sense for API Gateway to incorporate the Auth handling by leveraging Cognito. By simply setting some parameters like scopes and headers, various use cases are satisfied. Additionally, this is not mutually exclusive to Lambda authorizers. For specific use cases it is possible to incorporate both. For example, for basic authentication, API Gateway authorizers work well, for further authorization Lambda authorizers can be used.
Implementing a secure system is a basic - all pervading - task, but at the same time it causes a lot of deliberation in terms of security. For small teams, Cognito abstracts away this crucial aspect and lets them focus on the core business.
Having followed the 3rd route, when I try to test the logic using Postman, it throws weird error - “not a valid key=value pair (missing equal-sign) in Authorization header”. I think there is either something minor setting that I have not been able to find since a week, or there is an entire universe in auth world that I might be missing. Fingers crossed.