Using Apache HttpClient to retrieve Cognito Token for Api Gateway

 


To secure your Api Gateway, there is the option to add Cognito as Authorizer. It is very easy to setup especially if you will follow the GUI instruction from console.


This is a very common setup: you have your Cognito User Pool where you have create the UI to admit clients to login and check their credentials. The UI can be easily managed because you can integrate it and setup your home Application as redirect URI, so they can be see the home page right after login submit.


Now let's suppose you have an Api Gateway and the same user pool from Cognito is used to allow users to access that. This means that:

  • users have to insert credentials
  • obtain the auth code
  • call the oauth2
  • obtain the token
  • add it to Authorization header

Usually we do this using SDK from AWS, but I want to experiment an alternative way of do this.

POSTMAN   

If you check on the internet you will see that there are many examples of Postman Cognito Oauth, where you can set up all the configuration and click on "generate token": this will open a new browser page on your way, let you introduce the credentials and then retrieve the auth code.

Then the auth code is used for the step "obtain the token".

But hey, is there a way to do this without open a browser? Let's see if it is possible

APACHE HTTP

To call each endpoint it is important to use Apache Http client (version 5 the more recent) which can give us the ability to add headers, parameter, extract information and so on for each request.

So our project will have this dependency

<dependency>
    <groupId>org.apache.httpcomponents.client5</groupId>
    <artifactId>httpclient5</artifactId>
    <version>5.2</version>
</dependency>

Now we will use just CloseableHttpClient for every call, we will just manage headers and body.

XSRF TOKEN

The firs call we need to do is the one to get the XSRF token, which is the one used in the "Insert Credentials" page.

Supposing to have the cognito domain like

https://mydomain.auth.us-east-1.amazoncognito.com
where mydomain is what you set in Cognito configuration


So your first endpoint will be

https://mydomain.auth.us-east-1.amazoncognito.com/login

And you need to call it passing the parameters

URIBuilder uriBuilder = new URIBuilder(uri);
uriBuilder.addParameter("client_id", client_id);
uriBuilder.addParameter("redirect_uri", redirect_uri);
uriBuilder.addParameter("scope", "openid");
uriBuilder.addParameter("response_type", "code");

Scope and response_type are of course "fixed", while client_id and redirect_uri depends on your configuration (client_id are generated by AWS, while redirect_uri are configured by you).

This first call will return a cookie that you can find in your header

public class XsrfRetriever {

    private final HttpGet request;

    public XsrfRetriever(URI uri) throws URISyntaxException {
        request = new HttpGet(uri);
    }

    public String retrieveToken() throws IOException {
        CloseableHttpClient clientGet = HttpClients.createDefault();
        HttpResponse responseGet = clientGet.execute(request, new EntireResponseExtractor());
        String setCookie = responseGet.getFirstHeader("Set-Cookie").getValue();
        return Arrays.stream(setCookie.split(";")).filter(s -> s.contains("XSRF-TOKEN")).
                findFirst().get();
    }

}

So passing the uri built before to this class, you can obtain the token.

AUTH CODE

Now we can simulate a login using the xsrf token obtained in the previous step

This will be a Post where:

  • the URI will be the same as before
  • the xsrf token is used as cookie header
  • username and password are sent as body parameter with _csrf which is the cookie value of xsrf-token

The result should be a 302 with a location header that contains an url build as "redirecturi?code=XXXX" where XXXX is the code we need for the next step

public class AuthCodeRetriever {

    private static final Logger logger = LogManager.getLogger();

    private HttpPostClient httpPostClient;
    private String redirectUri;

    public AuthCodeRetriever(URI finalURI, String username, String password, String xsrfToken, 
                             String redirectUri){
        httpPostClient = HttpPostClient.HttpPostClientBuilder.init().withUri(finalURI)
                .addHeader("cookie", xsrfToken)
                .addHeader("accept", "application/json")
                .addHeader("content-type", "application/x-www-form-urlencoded")
                .addParameter("username", username)
                .addParameter("password", password)
                .addParameter("_csrf", xsrfToken.split("=")[1]).build();
        this.redirectUri = redirectUri;
    }

    public Optional<String> retrieveCode() throws IOException, ProtocolException {
        String location = httpPostClient.executeAndReturnHttpResponse()
                .getHeader("location").getValue();
        if (location != null && location.contains(redirectUri)) {
            URI extractFromLocation = URI.create(location);
            String authCode = extractFromLocation.getQuery().split("&")[0].split("=")[1];
            logger.debug("Auth code is " + authCode);
            return Optional.of(authCode);
        } else return Optional.empty();
    }
}
This class add the essential header and parameter to the HttpPost and retrieve the code from the location header.

OAUTH TOKEN

Now the last step. We need to perform a POST to the oauth token url which is in form of

https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token

and this post will have:
  • the csrf cookie as header
  • the body parameter that contains 
    • the client_id already mentioned before
    • the redirect_uri already mentioned before
    • the authCode retrieved in the previous step as "code"
    • the grant_type as "authorization_code"
This class will perform this as well

public class TokenAuthRetriever {

    private final HttpPostClient httpPostClient;

    public TokenAuthRetriever (URI uri, String xsrfToken, String authCode, 
                               String redirect_uri, String client_id){
        httpPostClient = HttpPostClient.HttpPostClientBuilder.init().withUri(uri)
                .addHeader("cookie", xsrfToken)
                .addHeader("accept", "application/json")
                .addHeader("content-type", "application/x-www-form-urlencoded")
                .addParameter("grant_type", "authorization_code")
                .addParameter("code", authCode)
                .addParameter("redirect_uri", redirect_uri)
                .addParameter("client_id", client_id).build();
    }

    public TokenContainer retrieveToken() throws IOException {
        String json = httpPostClient.executeAndReturnString();
        ObjectMapper objectMapper = new ObjectMapper();
        return objectMapper.readValue(json, TokenContainer.class);
    }
}

In the final step instead of returning a simple String it converts it into a TokenContainer, which is an object that fits the json structure

public class TokenContainer {

    private String id_token;
    private String access_token;
    private String refresh_token;
    private int expires_in;
    private String token_type;
    ...
    ...
}

With this last object we can use "id_token" as Authorization for last call

FINAL CALL

To verify that everything is working fine we perform a call to the apigateway passing the token retrieved
HttpGet requestGateway = new HttpGet(API_GATEWAY_URL);
CloseableHttpClient clientGetGateway = HttpClients.createDefault();
requestGateway.addHeader("Authorization", id_token);
HttpResponse responseGateway = clientGetGateway.execute(requestGateway, 
        new EntireResponseExtractor());
logger.debug("Calling gateway and obtain {}", responseGateway.getCode());

This will print 

DEBUG org.example.Main - Calling gateway and obtain 200

MAIN PROGRAM

The main program will be something like

URI uri = UriTokenBuilder.build(URI_BASE, CLIENT_ID, REDIRECT_URI);
String xsrfToken = new XsrfRetriever(uri).retrieveToken();
Optional<String> optionalAuthCode = new AuthCodeRetriever(uri, MAIL, PASSWORD,
        xsrfToken, REDIRECT_URI).retrieveCode();
if (optionalAuthCode.isPresent()) {
    String id_token = new TokenAuthRetriever(URI_OAUTH_URL, xsrfToken, optionalAuthCode.get(), 
            REDIRECT_URI, CLIENT_ID).retrieveToken().getId_token();
    logger.debug("ID TOKEN is " + id_token);
    HttpGet requestGateway = new HttpGet(API_GATEWAY_URL);
    CloseableHttpClient clientGetGateway = HttpClients.createDefault();
    requestGateway.addHeader("Authorization", id_token);
    HttpResponse responseGateway = clientGetGateway.execute(requestGateway,
            new EntireResponseExtractor());
    logger.debug("Calling gateway and obtain {}", responseGateway.getCode());
}


CONCLUSION

There are many way of interacting with AWS services: using the SDK will be always the preferred one, but sometimes we need to verify if we are able to call them directly using HTTP interaction.

Remember that they are all API



Commenti

Posta un commento

Post popolari in questo blog

HTML and AI - A simple request, and a beautiful response for ElasticSearch without Kibana

Immagine
THE PROBEM I recently installed an ElasticSearch in a Docker environment and I want to be sure that it is working, before waiting the consumers start to connect to it. The Container is started using a volume which was cloned from another Docker installation, so it was not empty: we already have some indexes and some documents. I want to be sure that everything was available but I don't have any Kibana installation (and I can't install it at all). So only API was available and I need to check something  ElasticSearch REST APIs THE FIRST SOLUTION If you ask to Microsoft Copilot how to interact with ElasticSearch api, it will reply by suggesting: curl scripting postman But the interaction is not so human readable and it is quite noisy to write the commands. I want to have something to be easily used but I don't want to spend to much time on that. I need an accelerator THE SECOND SOLUTION I know that there is such an api to ask to ElasticSearch the list of indexes. And I also k...
Continua a leggere

A simple CD using AWS Pipeline

Immagine
  CD is a friend in software development: there is no other way to speed up feedback from your application without having a solid Continuous Deployment. I am skipping continuous integration because all of this examples are related to single repo.. where the only developer allowed to commit code it's me: the integration is with my self :) In this example we will create an automation related to a simple situation where we have a LambdaFunction exposed through an ApiGateway, where the lambda function is running a docker image. There are infinite ways of creating and managing Lambda and pipelines of course, but in this example we will use: CodeCommit to store the code ECR to store the code CloudFormation to create and update all the infrastructure. CodeBuild to create the artifacts we need Let's see it CODE COMMIT     To easily have a repository to store the code and to have a natural integration with AWS echosystem, I decided to use Code commit. Code is structured as other e...
Continua a leggere

Websocket Chat with Lambda (but all in Java)

Immagine
  I don't know if I am not able to perform search on Internet (I doubt it) but every examples of websocket chat created with Lambda was all created using Node.js. And I can cheat on Java, that's my love. So I decided to transform the usual chat into a Java project, by of course performing some changes in order to be easy to check if it works.  THE IDEA The idea behind the project is simple: a simple WebSocket API exposed with api gateway with 4 different route and a unique Lambda who is in charge to serve each request. The change I made is about the name registration: instead of just propagate the message to other connected users, I want to have the way to register a name for chat users so every time a message is published, the receiver can see who sent the message. As I said in other project, this is to be intended for testing purpose, so there are really infinite ways to do have the same behavior maybe in a better way. THE PROJECT The entire project is based on cloud formati...
Continua a leggere