|
| 1 | +# Amazon Cognito user management using Amazon API Gateway and AWS Lambda |
| 2 | + |
| 3 | +This sample project deploys an Amazon Cognitor user pool, an Amazon API Gateway REST API with an AWS Lambda integration. The Lambda function, written in Java, calls the Amazon Cognito API to create and confirm a user. The project also exposes API to return tokens after successful login by the user. |
| 4 | + |
| 5 | +Learn more about this pattern at Serverless Land Patterns: https://serverlessland.com/patterns/apigw-lambda-cognito-sam-java |
| 6 | + |
| 7 | +Important: this application uses various AWS services and there are costs associated with these services after the Free Tier usage - please see the [AWS Pricing page](https://aws.amazon.com/pricing/) for details. You are responsible for any AWS costs incurred. No warranty is implied in this example. |
| 8 | + |
| 9 | +## Requirements |
| 10 | + |
| 11 | +- [Create an AWS account](https://portal.aws.amazon.com/gp/aws/developer/registration/index.html) if you do not already have one and log in. The IAM user that you use must have sufficient permissions to make necessary AWS service calls and manage AWS resources. |
| 12 | +- [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html) installed and configured |
| 13 | +- [Git Installed](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) |
| 14 | +- [AWS Serverless Application Model](https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-sam-cli-install.html) (AWS SAM) installed |
| 15 | +- [Java 21 or above](https://docs.aws.amazon.com/corretto/latest/corretto-21-ug/downloads-list.html) installed |
| 16 | +- [Maven 3.8.6 or above](https://maven.apache.org/download.cgi) installed |
| 17 | + |
| 18 | + |
| 19 | + |
| 20 | +## Deployment Instructions |
| 21 | + |
| 22 | +1. Create a new directory, navigate to that directory in a terminal and clone the GitHub repository: |
| 23 | + ```bash |
| 24 | + git clone https://github.com/aws-samples/serverless-patterns |
| 25 | + ``` |
| 26 | + |
| 27 | +2. Change directory to the pattern directory: |
| 28 | + ```bash |
| 29 | + cd serverless-patterns/apigw-lambda-cognito-sam-java |
| 30 | + ``` |
| 31 | + |
| 32 | +3. From the command line, execute the below command to build the Java based AWS Lambda function. |
| 33 | + ```bash |
| 34 | + sam build |
| 35 | + ``` |
| 36 | + |
| 37 | +4. From the command line, use AWS SAM to deploy the AWS resources for the pattern as specified in the template.yml file: |
| 38 | + ```bash |
| 39 | + sam deploy --guided |
| 40 | + ``` |
| 41 | +4. During the prompts: |
| 42 | + |
| 43 | + - Enter a stack name |
| 44 | + - Enter the desired AWS Region. |
| 45 | + - Allow SAM CLI to create IAM roles with the required permissions. |
| 46 | + - MyCreateUserFunction has no authentication. Is this okay? [y/N]: select `y` |
| 47 | + - MyConfirmUserFunction has no authentication. Is this okay? [y/N]: select `y` |
| 48 | + - MyLoginUserFunction has no authentication. Is this okay? [y/N]: select `y` |
| 49 | + |
| 50 | + |
| 51 | + For production applications, you should [enable authentication for the API Gateway](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-control-access-to-api.html) using one of several available options and [follow the API Gateway security best practices](https://docs.aws.amazon.com/apigateway/latest/developerguide/security-best-practices.html). |
| 52 | + |
| 53 | + - Keep default values to the rest of the parameters. |
| 54 | + |
| 55 | + Once you have run `sam deploy --guided` mode once and saved arguments to a configuration file (samconfig.toml), you can use `sam deploy` in future to use these defaults. |
| 56 | + |
| 57 | +5. Note the outputs from the SAM deployment process. These contain the resource names and/or ARNs which are used for next step as well as testing. |
| 58 | + |
| 59 | +## How it works |
| 60 | + |
| 61 | +Please refer to the architecture diagram below: |
| 62 | + |
| 63 | + |
| 64 | + |
| 65 | +Here's a breakdown of the steps: |
| 66 | + |
| 67 | +1. **Amazon API Gateway**: Receives the HTTP POST request containing the request details in JSON format. There are 3 POST methods exposed for create user, confirm user and login user operations. |
| 68 | + |
| 69 | +2. **AWS Lambda**: Triggered by the API Gateway, this function written in Java uses Amazon Cognito API to create, confirm and login user. |
| 70 | + |
| 71 | +3. **Amazon Cognito**: Depending on the operation invoked, user is created, confirmed or logged in the Amazon Cognito user pool. |
| 72 | + |
| 73 | +4. **Response**: The Lambda function processes the Amazon Cognito API response and sends it back to the user via the API Gateway. |
| 74 | + |
| 75 | +## Testing |
| 76 | + |
| 77 | +1. You can use [curl](https://curl.se/) or any other tool of your choice to send a HTTP POST create user request to the API. Make sure to replace `CreateUserAPIGatewayEndpoint` with the corresponding values from your `sam deploy --guided` output. Replace `YourFirstName`, `YourLastName`, `your-email` and `your-password` with your values. The `email` should be a valid email id. |
| 78 | + |
| 79 | + ```bash |
| 80 | + curl -d '{"firstName": "{YourFirstName}", "lastName": "{YourLastName}", "email": "{your-email}", "password": "{your-password}"}' -H 'Content-Type: application/json' {CreateUserAPIGatewayEndpoint} |
| 81 | + ``` |
| 82 | + |
| 83 | + The API returns a response as below: |
| 84 | + |
| 85 | + ```json |
| 86 | + {"isSuccessful":true,"statusCode":200,"cognitoUserId":"84c8xxxx-xxxx-xxxx-xxx-xxxxx9846de1","isConfirmed":false} |
| 87 | + ``` |
| 88 | + |
| 89 | +2. You should receive an email with a verification code at your provided email id. Use the verification code to invoke the confirm user POST API: |
| 90 | + ```bash |
| 91 | + curl -d '{"email": "{your-email@mail.com}", "code": "{VerificationCode}"}' -H 'Content-Type: application/json' {ConfirmUserAPIGatewayEndpoint} |
| 92 | + ``` |
| 93 | + |
| 94 | + The API returns a response as below: |
| 95 | + |
| 96 | + ```json |
| 97 | + {"isSuccessful":true,"statusCode":200} |
| 98 | + ``` |
| 99 | + |
| 100 | +3. Now, you can call the login POST API. This API will return the token: |
| 101 | + ```bash |
| 102 | + curl -d '{"email": "{your-email@mail.com}", "password": "{your-password}"}' -H 'Content-Type: application/json' {LoginUserAPIGatewayEndpoint} |
| 103 | + ``` |
| 104 | + |
| 105 | + The API returns a response as below: |
| 106 | + |
| 107 | + ```json |
| 108 | + {"isSuccessful":true, "statusCode":200, "idToken":"eyJra...", "accessToken": "eyJra...", "refreshToken": "eyJj..."} |
| 109 | + ``` |
| 110 | + |
| 111 | +## Cleanup |
| 112 | + |
| 113 | +1. To delete the resources deployed to your AWS account via AWS SAM, run the following command: |
| 114 | + |
| 115 | +```bash |
| 116 | +sam delete |
| 117 | +``` |
| 118 | + |
| 119 | + |
| 120 | +--- |
| 121 | + |
| 122 | +Copyright 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved. |
| 123 | + |
| 124 | +SPDX-License-Identifier: MIT-0 |
0 commit comments