AWS Builder Labs: AWS Cognito User Pool Authentication Flow with API Gateway

Learn the key steps in the Amazon Cognito user pool authentication flow when integrating with Amazon API Gateway for secure mobile app authentication.

Question

A developer plans to use Amazon Cognito user pools with Amazon API Gateway. Which step is part of the user pool authentication flow with API Gateway?

A. Amazon Cognito invokes the API after successfully validating the permissions.
B. The user pool validates the tokens against an identity pool.
C. A mobile app user authenticates with a user pool, and the user pool returns JSON Web Tokens (JWTs) to the app.
D. A mobile app sends a request to API Gateway, and API Gateway gets JSON Web Tokens (JWTs) from the user pool.

Answer

C. A mobile app user authenticates with a user pool, and the user pool returns JSON Web Tokens (JWTs) to the app.

Explanation

The mobile app authenticates with the user pool and gets JWTs, which the app uses to call API Gateway.

Here’s a detailed explanation of the user pool authentication flow with API Gateway:

  1. The mobile app user signs in by sending their credentials to the Amazon Cognito user pool.
  2. If the credentials are valid, the user pool returns a set of JSON Web Tokens (JWTs) back to the mobile app. The tokens include an ID token, access token, and refresh token.
  3. The mobile app includes the access token in the header of subsequent API requests it sends to API Gateway.
  4. API Gateway verifies the access token by calling the user pool to ensure it is valid and hasn’t expired.
  5. If the token is valid, API Gateway allows the API request to proceed. It can also parse claims from the access token and pass them to the backend API if needed.
  6. The backend API can further validate the token claims if necessary before returning a response.

So in summary, the user first authenticates directly with Cognito to get JWTs, then the mobile app passes the JWT access token to API Gateway on API requests to authenticate the user. API Gateway validates the token with Cognito before allowing the request.

The other options are incorrect:
A is wrong because API Gateway, not Cognito, invokes the API after validating the token.
B is wrong because the user pool validates the tokens directly, not against an identity pool.
D is wrong because the mobile app, not API Gateway, gets the JWTs from the user pool.

AWS Builder Labs EDBLDRv1EN-US assessment question and answer (Q&A) dump with detailed explanation and reference, available free, helpful for passing the AWS Builder Labs EDBLDRv1EN-US assessment and earning the AWS Builder Labs EDBLDRv1EN-US badge.