Define authorization rules
When working with a REST endpoint, you may need to set request headers for authorization purposes. This is done by passing a custom_header
function into the configuration:
Amplify.configure({ API: { endpoints: [ { name: 'sampleCloudApi', endpoint: 'https://xyz.execute-api.us-east-1.amazonaws.com/Development', custom_header: async () => { return { Authorization: 'token' }; // Alternatively, with Cognito User Pools use this: // return { Authorization: `Bearer ${(await Auth.currentSession()).getAccessToken().getJwtToken()}` } // return { Authorization: `Bearer ${(await Auth.currentSession()).getIdToken().getJwtToken()}` } } } ] }});
Note related to use Access Token or ID Token
The ID Token contains claims about the identity of the authenticated user such as name, email, and phone_number. It could have custom claims as well, for example using Amplify CLI. On the Amplify Authentication category you can retrieve the Id Token using:
(await Auth.currentSession()).getIdToken().getJwtToken();
The Access Token contains scopes and groups and is used to grant access to authorized resources. This is a tutorial for enabling custom scopes.. You can retrieve the Access Token using
(await Auth.currentSession()).getAccessToken().getJwtToken();
Customizing HTTP request headers
To use custom headers on your HTTP request, you need to add these to Amazon API Gateway first. For more info about configuring headers, please visit Amazon API Gateway Developer Guide
If you have used Amplify CLI to create your API, you can enable custom headers by following above steps:
- Visit Amazon API Gateway console.
- On Amazon API Gateway console, click on the path you want to configure (e.g. /{proxy+})
- Then click the Actions dropdown menu and select Enable CORS
- Add your custom header (e.g. my-custom-header) on the text field Access-Control-Allow-Headers, separated by commas, like: 'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,my-custom-header'.
- Click on 'Enable CORS and replace existing CORS headers' and confirm.
- Finally, similar to step 3, click the Actions drop-down menu and then select Deploy API. Select Development on deployment stage and then Deploy. (Deployment could take a couple of minutes).
Unauthenticated Requests
You can use the API category to access API Gateway endpoints that don't require authentication. In this case, you need to allow unauthenticated identities in your Amazon Cognito Identity Pool settings. For more information, please visit Amazon Cognito Developer Documentation.
Cognito User Pools Authorization
You can use the JWT token provided by the Authentication API to authenticate against API Gateway directly when using a custom authorizer.
async function postData() { const apiName = 'MyApiName'; const path = '/path'; const myInit = { headers: { Authorization: `Bearer ${(await Auth.currentSession()) .getIdToken() .getJwtToken()}` } };
return await API.post(apiName, path, myInit);}
postData();
Note that the header name, in the above example 'Authorization', is dependent on what you choose during your API Gateway configuration.
Token-based Lambda authorization
You need to provide an authorization token to authenticate against API Gateway when using token-based Lambda authorizer
async function postData() { const apiName = 'MyApiName'; const path = '/path'; const myInit = { headers: { Authorization: 'Authorization_token' } };
return await API.post(apiName, path, myInit);}
postData();
Note that the header name, in the above example
Authorization
, is dependent on what you choose during your API Gateway configuration.