Eli Eli - 2 months ago 17
C# Question

How To: C# .net core API (APIGateway/Lambda) + Xamarin + Facebook authentication using AWS Cognito.

I have a .net core API (.net core 1.0.0 with EF 1.0) that I use in a serverless manner by having it as a Lambda in Amazon AWS.

That API is fully functional, but I'd like to implement an authentication on it. Mainly for my Xamarin mobile app that will use that restful API.
Amazon has something called Amazon Cognito where you can use 'Cognito Federated Identities' so signing in via Facebook, Google, etc.

I have no clue as to where to start, I've scavenged the internet and could find bits and pieces of code and articles here and there, but I can't figure out how to put it all together.

If I implement an AWS Cognito Authentication on my API, is an API key still necessary? Or should I use both? API key to authenticate my mobile phone as a valid user to the system and AWS Cognito for authenticating my user?

I'm assuming that the AWS authentication happens from an AWS SDK of some sorts, can I still benefit from Facebook authentication? For example can I get the user pictures/albums/likes/etc.
Or do I have to use a Facebook SDK for this, if so do I use the Facebook SDK on API level or Mobile app (Xamarin) level.

It would be great if someone who has ever implemented something like this (or similar) could present me with some sample code? Or at least something to push me in the right direction, cause I'm a bit lost. Thank you!

Eli Eli
Answer Source

I haven't had the time to implement it yet, but when I do I'll also post the code here. Too bad I lost 50 rep for the bounty :(

If I implement an AWS Cognito Authentication on my API, is an API key still necessary? Or should I use both? API key to authenticate my mobile phone as a valid user to the system and AWS Cognito for authenticating my user? Or do I receive some sort of token?

Using Cognito Federated Identities will generate IAM Credentials (Access Key, Secret Key, Session Token) that are tied to an IAM Role, so this means that you will have to use IAM Auth on API Gateway.

You cannot use more than one Auth type on the same API Method.

I'm assuming that the AWS authentication happens from AWS SDK, can I still benefit from Facebook authentication? For example can I get the user's pictures/albums/likes/etc. Or do I have to use a Facebook SDK for this, if so do I use the Facebook SDK on API level or Mobile app (Xamarin) level

Yes, you can still benefit from Facebook authentication. You will have to use the Facebook SDK. The AWS SDK and Cognito are just using Facebook as a way to verify that the user is correct. As for where you will use the Facebook SDK, this will depend on the architecture of your application. Though generally in my experience I see it being used on the client (mobile) level more.

For actually using and coding Cognito, first you need to create an Identity Pool. While you are creating the pool, depending on your use case, you can leave "Enable access to unauthenticated identities" unchecked.
This is only if you want guest users in your app to be able to use your APIs. But if you just want users who have logged in through Facebook then this should be unchecked.

Then under "Authentication providers" add in your Facebook app id under the Facebook tab. Here is the documentation on how to create a pool for additional information: http://docs.aws.amazon.com/cognito/latest/developerguide/getting-started-with-identity-pools.html#create-identity-pool

Then for coding this in your app, these two pieces of documentation are used together.

1) You first need to set the credentials object, and then once you log in through Facebook and get the token you make an addLogin call to add the token to Cognito.

2) Then you use the credentials object to pass the credentials to API Gateway.

http://docs.aws.amazon.com/cognito/latest/developerguide/getting-credentials.html#getting-credentials-1.xamarin

http://docs.aws.amazon.com/cognito/latest/developerguide/facebook.html

In order to use IAM Auth with API Gateway you will need to do something known as SigV4 signing.
Since API Gateway does not have a generated SDK for dotNet/C#, you will have to do this manually.

This documentation goes over signing requests examples. The examples are in Python, unfortunately we do not have any examples in C#, but it gives you the logic that you need to complete this.

http://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
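
The manual SigV4 signing step described in the answer above, sketched in C# as an added example; it is not code from the answer or from the AWS documentation. The class and method names (`ApiGatewaySigV4`, `SignGet`) are hypothetical, it covers only a GET without a body, and it assumes the access key, secret key and session token were obtained from the Cognito credentials object:

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added example (not from the AWS docs): SigV4 headers for a body-less GET to API Gateway.
public static class ApiGatewaySigV4
{
    const string Service = "execute-api"; // SigV4 service name used by API Gateway
    static byte[] Hmac(byte[] key, string data)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(data));
    }
    static string Hex(byte[] b) => BitConverter.ToString(b).Replace("-", "").ToLowerInvariant();
    static string Sha256Hex(string s)
    {
        using (var sha = SHA256.Create()) return Hex(sha.ComputeHash(Encoding.UTF8.GetBytes(s)));
    }
    // path includes the stage (e.g. "/prod/items") and is assumed to hold only unreserved
    // characters and "/"; canonicalQuery is already URI-encoded and sorted ("" if none).
    public static Dictionary<string, string> SignGet(string host, string path, string canonicalQuery,
        string region, string accessKey, string secretKey, string sessionToken, DateTime utcNow)
    {
        string amzDate = utcNow.ToString("yyyyMMdd'T'HHmmss'Z'", CultureInfo.InvariantCulture);
        string dateStamp = utcNow.ToString("yyyyMMdd", CultureInfo.InvariantCulture);
        // Signed headers, sorted by lowercase name. Temporary (Cognito) credentials must
        // also send the session token; here it is signed as well.
        var signed = new SortedDictionary<string, string>(StringComparer.Ordinal)
        {
            ["host"] = host, ["x-amz-date"] = amzDate, ["x-amz-security-token"] = sessionToken
        };
        string canonicalHeaders = string.Concat(signed.Select(h => h.Key + ":" + h.Value.Trim() + "\n"));
        string signedHeaders = string.Join(";", signed.Keys);
        string canonicalRequest = string.Join("\n", "GET", path, canonicalQuery,
            canonicalHeaders, signedHeaders, Sha256Hex("")); // empty payload for GET
        string scope = dateStamp + "/" + region + "/" + Service + "/aws4_request";
        string stringToSign = string.Join("\n", "AWS4-HMAC-SHA256", amzDate, scope, Sha256Hex(canonicalRequest));
        // Signing key: HMAC chain over date, region, service and the fixed terminator.
        byte[] key = Hmac(Encoding.UTF8.GetBytes("AWS4" + secretKey), dateStamp);
        foreach (var part in new[] { region, Service, "aws4_request" }) key = Hmac(key, part);
        return new Dictionary<string, string>
        {
            ["X-Amz-Date"] = amzDate,
            ["X-Amz-Security-Token"] = sessionToken,
            ["Authorization"] = "AWS4-HMAC-SHA256 Credential=" + accessKey + "/" + scope +
                ", SignedHeaders=" + signedHeaders + ", Signature=" + Hex(Hmac(key, stringToSign))
        };
    }
}
```

Attach the three returned headers to the request (with HttpClient, `TryAddWithoutValidation` avoids header-format parsing) and pass `DateTime.UtcNow` for `utcNow`, since the signature is time-bound. Keep the secret key and session token out of logs.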