
Comments (13)

knihit avatar knihit commented on June 18, 2024

Hello @Komal-99, thank you for reaching out. We have not tested this completely, but to start with there are a few things you can do:

  1. Remove this line. This is an Amplify authentication decorator.
  2. On the ApiGateway remove the following line.

If these don't work, you can try removing the request header for the Authorization token as on this line. IMO, this change is not required, but if request validation fails, you may need to remove it.

Let us know if you face any issues.

from enhanced-document-understanding-on-aws.

Komal-99 avatar Komal-99 commented on June 18, 2024

Just to make sure, I have followed this and updated mappings and then deployed it. I successfully got an API URL, but when I try to hit a POST request from Postman on that URL to create a case it returns a 403 error with the message: forbidden.

So I am guessing this is an auth error, as if we use it with the UI we need to first sign up or log in, but from Postman I am directly making a request to create a new case.

Do clarify for me if I am thinking in the wrong direction.


knihit avatar knihit commented on June 18, 2024

Yes, the API requires an Auth token header, generated by the Cognito service. You have 2 options:

  1. If you want to remove the API Authorization, you can do so from the AWS Console by navigating to ApiGateway, looking up the Authorizer and deleting the underlying configuration.
  2. You can generate the id token. Refer to this link.

If you are not looking to remove Auth permanently and only need to bypass it for testing, I would suggest going with option 2.

Note: you can also test the API from the AWS console under ApiGateway. This way you would not require any authentication.


Komal-99 avatar Komal-99 commented on June 18, 2024

Yes, as my project already has user authentication, I need to remove this auth and directly hit the API.


knihit avatar knihit commented on June 18, 2024

As a security best practice, you should have APIs protected with Authentication. Instead of using Cognito, if you have a different authentication provider, you can configure a custom authorizer and integrate it with ApiGateway. An ApiGateway endpoint is a public endpoint, unless you make it a private link. For public endpoints, anyone with information about the URL would be able to execute a GET/POST request. So my suggestion would be to review your architecture from a security lens, for the need to have authentication for APIs too.


knihit avatar knihit commented on June 18, 2024

For security reasons, we cannot add a feature to remove Authentication. Hence we will be closing the ticket. If you have any further questions, feel free to re-open this ticket or create a new one.


Komal-99 avatar Komal-99 commented on June 18, 2024

No need to add a feature for removing authentication; the concern of this ticket was only to understand where we can tweak things as per our needs. And yes, I agree on the security concern. Can you provide more details on configuring the custom authorizer? For example, I have Google auth when a user logs in to my website, after which he is directed to the dashboard where he can perform operations; one of them will be to upload documents and get text extraction done to get formatted results, and I need to make sure that only an authenticated user who has access to my website can hit the API.


knihit avatar knihit commented on June 18, 2024

You can configure Cognito with the OAuth2.0 flow. A few changes need to be made:

  1. The App.js would look similar to the following link. This is from another solution.
  2. In the account/region where the solution is deployed, there would be a Cognito User Pool. This pool's configuration would need to be changed as here.


LakshyaN15 avatar LakshyaN15 commented on June 18, 2024

Hi!
The above template is the template we used on CloudFormation. Under the Mappings section we configured RedactionWorkflow, CustomDashboard and WebApp as "No". Now we just want to call the API and we have removed the authorizers. Again, it gives Status Code 403: Forbidden.

Kindly Help!



Komal-99 avatar Komal-99 commented on June 18, 2024

Hi, we are not able to fix the issue as of now. We have changed AuthorizationType from "COGNITO_USER_POOLS" to "NONE" and removed the AuthorizerId key wherever specified in the Mappings template.
But still, when deploying, it creates a User,
and shows this error at the API URL, and from Postman passing {'caseName':"TEST"} gives a 403 forbidden error.
@knihit Please help us, we are unable to understand our mistake.


knihit avatar knihit commented on June 18, 2024

There should be a lambda function by the name requestprocessor. Can you please check the logs? We pass the auth token to the lambda to extract the user. So when I tried removing the authorizer from ApiGW, I can see the request going to the lambda function, but it errors out because it expects a token:

    at jwtDecode (/opt/nodejs/node_modules/common-node-lib/node_modules/jwt-decode/build/cjs/index.js:40:15)
    at exports.decodeJwtToken (/opt/nodejs/node_modules/common-node-lib/cognito/decode-jwt-token.js:25:16)
    at exports.getUserIdFromEvent (/opt/nodejs/node_modules/common-node-lib/cognito/decode-jwt-token.js:38:29)
    at exports.handler (/var/task/index.js:50:38)

Now you can remove the call to check the access token and retrieve the userId. An example of this call is here, but you are going into uncharted territory. The DynamoDB table design also takes into account the user information. Also note that anything which says SharedLib is under the lambda/layers/common-node-lib folder. IMO, using Federated sign-in would still be the easier option rather than removing Authentication.

Note: The application is designed to be user aware. It has to know if user information was supplied, as it uses that to process cases/documents. If you remove Auth, you would somehow need to get a user dynamically or make it static.


knihit avatar knihit commented on June 18, 2024

Note that I closed the issue, but if you want to continue on this thread, please consider re-opening the ticket or creating a new issue.


knihit avatar knihit commented on June 18, 2024

In the UI, you would also need to change the following line to

export default App

basically removing the withAuthenticator call.

