Go-Lang Making API Gateway Call via login with AWS Cognito using AWS4 Signer

Go-Lang Making API Gateway Call via login with AWS Cognito using AWS4 Signer

Below is the sample code to making AWS API Gateway call using AWS4 signer 

package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/credentials"
	"io/ioutil"
	"net/http"
	"time"
)

// SignHTTP signs AWS v4 requests with the provided payload hash, service name, region the
// request is made to, and time the request is signed at. The signTime allows
// you to specify that a request is signed for the future, and cannot be
// used until then.
//
// The payloadHash is the hex encoded SHA-256 hash of the request payload, and
// must be provided. Even if the request has no payload (aka body). If the
// request has no payload you should use the hex encoded SHA-256 of an empty
// string as the payloadHash value.
//
//   "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
//
// Some services such as Amazon S3 accept alternative values for the payload
// hash, such as "UNSIGNED-PAYLOAD" for reque
var hash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
var Region = "us-east-1"
var Host = "https://sandboxapi.mytest.com/"
var PoolId = "us-east-1_123456789"
var ClientId = "1234567890"
var ServiceName = "execute-api"
var IdentityPoolId = Region + ":e8682e09-e7ed-4247-827e-f4e1c7cc3578"

var LoginUrl = "https://cognito-idp." + Region + ".amazonaws.com"
var IdentityURL = "https://cognito-identity." + Region + ".amazonaws.com/"

var USERNAME = "test.user@testdomain.com"
var PASSWORD = "Test@123"

type AuthenticationResult struct {
	AccessToken  string `json:"AccessToken"`
	ExpiresIn    int64  `json:"ExpiresIn"`
	IdToken      string `json:"IdToken"`
	RefreshToken string `json:"RefreshToken"`
	TokenType    string `json:"TokenType"`
}

type LoginResponse struct {
	AuthenticationResult AuthenticationResult `json:"AuthenticationResult"`
}

type IdentityResponse struct {
	IdentityId string `json:"IdentityId"`
}

type Credentials struct {
	AccessKeyId  string `json:"AccessKeyId"`
	SecretKey    string `json:"SecretKey"`
	SessionToken string `json:"SessionToken"`
}
type CredentialsResponse struct {
	Credentials Credentials `json:"Credentials"`
}

func Login() AuthenticationResult {
	fmt.Println("Making Login Call to :- " + LoginUrl)
	client := &http.Client{}
	var obj LoginResponse
	var jsonStr = []byte(`{
    "AuthFlow": "USER_PASSWORD_AUTH",
    "ClientId": "` + ClientId + `",
    "AuthParameters": {
        "USERNAME": "` + USERNAME + `",
        "PASSWORD": "` + PASSWORD + `"
    },
    "ClientMetadata": {}
	}`)
	req, _ := http.NewRequest("POST", LoginUrl, bytes.NewBuffer(jsonStr))
	req.Header.Set("Content-Type", "application/x-amz-json-1.1")
	req.Header.Set("x-amz-target", "AWSCognitoIdentityProviderService.InitiateAuth")
	loginResp, _ := client.Do(req)
	defer loginResp.Body.Close()
	bodyLogin, _ := ioutil.ReadAll(loginResp.Body)
	json.Unmarshal(bodyLogin, &obj)
	return obj.AuthenticationResult
}

func GetIdentityId(loginObj AuthenticationResult) IdentityResponse {
	fmt.Println("Making Identity Call to :- " + IdentityURL)
	client := &http.Client{}
	var obj IdentityResponse
	var jsonStr = []byte(`{
    	"IdentityPoolId": "` + IdentityPoolId + `",
    	"Logins": {
        	"cognito-idp.` + Region + `.amazonaws.com/` + PoolId + `": "` + loginObj.IdToken + `"
    	}
	}`)
	req, _ := http.NewRequest("POST", IdentityURL, bytes.NewBuffer(jsonStr))
	req.Header.Set("Content-Type", "application/x-amz-json-1.1")
	req.Header.Set("x-amz-target", "AWSCognitoIdentityService.GetId")
	loginResp, _ := client.Do(req)
	defer loginResp.Body.Close()
	bodyLogin, _ := ioutil.ReadAll(loginResp.Body)
	json.Unmarshal(bodyLogin, &obj)
	return obj
}

func GetCredentialsForIdentity(loginObj AuthenticationResult, identityObj IdentityResponse) Credentials {
	fmt.Println("Making Get Credentials Call to :- " + IdentityURL)
	client := &http.Client{}
	var obj CredentialsResponse
	var jsonStr = []byte(`{
		"IdentityId": "` + identityObj.IdentityId + `",
		"Logins": {
			"cognito-idp.` + Region + `.amazonaws.com/` + PoolId + `": "` + loginObj.IdToken + `"
		}
	}`)
	req, _ := http.NewRequest("POST", IdentityURL, bytes.NewBuffer(jsonStr))
	req.Header.Set("Content-Type", "application/x-amz-json-1.1")
	req.Header.Set("x-amz-target", "AWSCognitoIdentityService.GetCredentialsForIdentity")
	loginResp, _ := client.Do(req)
	defer loginResp.Body.Close()
	bodyLogin, _ := ioutil.ReadAll(loginResp.Body)
	json.Unmarshal(bodyLogin, &obj)
	return obj.Credentials
}

func GetRefreshToken(refreshToken string) AuthenticationResult {
	fmt.Println("Making Login Call refresh token to :- " + LoginUrl)
	client := &http.Client{}
	var obj LoginResponse
	var jsonStr = []byte(`{
    "AuthFlow": "REFRESH_TOKEN_AUTH",
    "ClientId": "` + ClientId + `",
    "AuthParameters": {
        "REFRESH_TOKEN": "` + refreshToken + `"
    },
    "ClientMetadata": {}
	}`)
	req, _ := http.NewRequest("POST", LoginUrl, bytes.NewBuffer(jsonStr))
	req.Header.Set("Content-Type", "application/x-amz-json-1.1")
	req.Header.Set("x-amz-target", "AWSCognitoIdentityProviderService.InitiateAuth")
	loginResp, _ := client.Do(req)
	defer loginResp.Body.Close()
	bodyLogin, _ := ioutil.ReadAll(loginResp.Body)
	json.Unmarshal(bodyLogin, &obj)
	return obj.AuthenticationResult
}

func MakeGetAPICall(credentiasObj Credentials, path string) string {
	host := Host + path
	fmt.Println("Making Get Call to :- " + host)
	client := &http.Client{}
	cfg, _ := config.LoadDefaultConfig(context.TODO(),
		config.WithCredentialsProvider(
			credentials.NewStaticCredentialsProvider(
				credentiasObj.AccessKeyId,
				credentiasObj.SecretKey,
				credentiasObj.SessionToken,
			),
		),
	)
	credentials, _ := cfg.Credentials.Retrieve(context.TODO())
	req, _ := http.NewRequest(http.MethodGet, host, nil)
	signer := v4.NewSigner()
	_ = signer.SignHTTP(context.TODO(), credentials, req, hash, ServiceName, Region, time.Now())
	resp, _ := client.Do(req)
	defer resp.Body.Close()
	body, _ := ioutil.ReadAll(resp.Body)
	return string(body)
}

func main() {
	loginObj := Login()
	identityObj := GetIdentityId(loginObj)
	credentiasObj := GetCredentialsForIdentity(loginObj, identityObj)
	var refreshToken AuthenticationResult = GetRefreshToken(loginObj.RefreshToken)
	loginObj.AccessToken = refreshToken.AccessToken
	loginObj.IdToken = refreshToken.IdToken
	body := MakeGetAPICall(credentiasObj, "user/user-service/common/profile")
	fmt.Println("response Body:", string(body))
}

Steps in making API Gateway Calls:-

  • First We login via Cognito to get idToken.
  • Then we get AccessId, SecretId and SessionToken via AWS Cognito Identity Provider.
  • Then we get a Refresh Token to update the AccessToken and IdToken
  • Then we make a HTTP get call using AWS4 Signer.

Required Parameters:-

  • PoolId
  • AWS Cognito ClientId
  • Region
  • IdentityPoolId
  • Username/Password of Cognito
  • Host URL of AWS API Gateway

Comments

Post a Comment

Popular posts from this blog

Setup AWS Cognito and Signup user using Postman

Setup AWS Cognito and Signup User using Postman To Setup a cognito follow the below steps 1:- Open AWS Console and move to Cognito 2:- Click on Manage User Pools & Click on Create a User Pool. 3:- Click on Review Defaults and Create a User Pool. 4:- Create a App Clients 5:- After Creating App Client You will get a Client Id  which we will use in Postman. 6:- Now open a Postman for Signup a User. Request URL:-      https://cognito-idp.us-east-1.amazonaws.com Method:-     POST Request Header:-  Request Payload:-       { "ClientId": "XXXXXXXXXXXXXX", "Username": "vishal.gupta.sf@gmail.com", "Password": "Password@1234", "UserAttributes": [ { "Name": "email", "Value...
Read more

AWS IOT Create OTA With RollOut and Abort Configuration.

Image
  What is OTA? Over-the-air (OTA) Updated allows you to deploy update firmware updates on one or more devices in your fleet. Below is the bash command to create OTA. aws iot create-job \ --job-id "example-cli-job" \ --document file://IOTCore/jobDocument.json \ --description "Job test for dynamic group" \ --target-selection SNAPSHOT \ --job-executions-retry-config file://IOTCore/config/retries.json \ --job-executions-rollout-config file://IOTCore/config/rollout.json \ --abort-config file://IOTCore/config/abort.json \ --targets "arn:aws:iot:us-east-1:test_account_id:thinggroup/testdevices" You need a latest AWS Cli version for creating OTA with above given command (mine is 2.5.8). targets:-   Targets can be single Device, group of Devices Or Groups like Static and Dynamic Group.  retry-config:-   Retry config is a config on how failed devices should behave. Like below JSON i have used to retry 2 times on Failed OTA Update. It ...
Read more

What is Amazon Cognito?

Image
What is Amazon Cognito? Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple. The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together. An Amazon Cognito user pool and identity pool used together See the diagram for a common Amazon Cognito scenario. Here the goal is to authenticate your user, and then grant your user access to another AWS service. In the first step your app user signs in through a us...
Read more