I am working on a web app where users can login/signup with their personal email addresses or login with federated identities like Facebook/Twitter. I have set up Cognito User pool and identity pool for the same.
After successful login , APIs hosted on API gateway would be invoked to display some data on the application. I would like to implement authorization for every API invoke call and return the response only for authorized users.
I have created User Pool Authorizer in API Gateway and I am able to authenticate users created in userpool based on the Id Token.
As per my understanding , to authenticate users from Identity pool , I can use AWS_IAM in Api Gateway. AWS_IAM may not be right solution for my application as API can be invoked by user in userpool as well as identity pool.
I am thinking of implementing authentication using Custom Authorizer using Lambda functions.
If custom Authorizer has to be implemented , should validating policy document based on the session token be sufficient to validate the users from both Userpool/Identity Pool? Kindly suggest alternatives for custom authorization,if any.
Thanks in advance
Have you seen this blog post? https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/
It's possible to directly integrate your Cognito user pools tokens as an authorizer for API Gateway, and it simplifies the flow you described greatly.