Certificate-Bound Access Tokens using Amazon API Gateway and Amazon Cognito

Route53 Custom Domain → Amazon API Gateway REST API → AWS Lambda

Implement certificate-bound access tokens for a custom domain with API Gateway and Cognito user pools

This pattern creates an Amazon API Gateway REST API and enables mTLS for a custom domain.
Further, it creates a Cognito user pool, which issues the certificate-bound access tokens.
The REST API uses a Lambda authorizer to compare the 'cnf' claim in the access token with the fingerprint of the client certificate presented during the mutual TLS handshake, so a token stolen from one client cannot be replayed from another that lacks the matching private key.
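The comparison the authorizer performs is the one defined for certificate-bound tokens in RFC 8705: the `cnf` claim carries `x5t#S256`, the base64url-encoded SHA-256 thumbprint of the client's DER-encoded certificate, and the authorizer recomputes that thumbprint from the certificate API Gateway received over mTLS. The following is an added, self-contained illustration of that check, not the pattern's own authorizer code. It assumes the REST API's mTLS configuration places the PEM certificate at `requestContext.identity.clientCert.clientCertPem` in the authorizer event, and that the JWT's signature and issuer have already been verified against the user pool's JWKS before its claims reach `authorize()`; the certificate bytes and claims below are constructed, not real.

```python
import base64
import hashlib
import hmac
import re

PEM_MARKERS = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and return the raw DER bytes of the certificate."""
    body = PEM_MARKERS.sub("", pem)
    return base64.b64decode("".join(body.split()))


def x5t_s256(pem: str) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER)) without '=' padding."""
    digest = hashlib.sha256(pem_to_der(pem)).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def cnf_matches(claims: dict, client_cert_pem: str) -> bool:
    """True only if the token's cnf.x5t#S256 equals the presented cert's thumbprint."""
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    bound = cnf.get("x5t#S256")
    if not isinstance(bound, str):
        return False
    # Constant-time comparison; a token without a cnf claim is treated as unbound and denied.
    return hmac.compare_digest(bound.encode("ascii"), x5t_s256(client_cert_pem).encode("ascii"))


def build_policy(principal_id: str, effect: str, method_arn: str) -> dict:
    """IAM policy document in the shape a REST API Lambda authorizer returns."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
    }


def authorize(event: dict, verified_claims: dict) -> dict:
    """Decide Allow/Deny for one request.

    verified_claims must come from a JWT whose signature, issuer, audience and
    expiry have already been validated; this function only adds the binding check.
    """
    method_arn = event["methodArn"]
    cert_pem = (
        event.get("requestContext", {})
        .get("identity", {})
        .get("clientCert", {})
        .get("clientCertPem")
    )
    # No client certificate means mTLS did not complete; never allow on the token alone.
    if not cert_pem or not cnf_matches(verified_claims, cert_pem):
        return build_policy("unauthorized", "Deny", method_arn)
    return build_policy(verified_claims.get("sub", "unknown"), "Allow", method_arn)


# --- constructed sample input (not a real certificate, token or ARN) ---
SAMPLE_DER = b"CONSTRUCTED-DER-BYTES-NOT-A-REAL-CERTIFICATE"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)
OTHER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"CONSTRUCTED-BYTES-OF-A-DIFFERENT-CLIENT").decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)
SAMPLE_EVENT = {
    "methodArn": "arn:aws:execute-api:REGION:ACCOUNT_ID:API_ID/prod/GET/resource",  # placeholder
    "requestContext": {"identity": {"clientCert": {"clientCertPem": SAMPLE_PEM}}},
}
# Claims as a verified JWT from the user pool would yield: bound to SAMPLE_PEM.
BOUND_CLAIMS = {"sub": "user-123", "cnf": {"x5t#S256": x5t_s256(SAMPLE_PEM)}}
# Same token replayed with a different client certificate must be denied.
REPLAYED_CLAIMS = {"sub": "user-123", "cnf": {"x5t#S256": x5t_s256(OTHER_PEM)}}
UNBOUND_CLAIMS = {"sub": "user-123"}

if __name__ == "__main__":
    for label, claims in [("bound", BOUND_CLAIMS), ("replayed", REPLAYED_CLAIMS), ("unbound", UNBOUND_CLAIMS)]:
        effect = authorize(SAMPLE_EVENT, claims)["policyDocument"]["Statement"][0]["Effect"]
        print(f"{label}: {effect}")
```

The authorizer deliberately denies both a token whose `cnf` does not match and a token that carries no `cnf` at all; accepting unbound tokens on an mTLS endpoint would silently reintroduce the bearer-token replay risk the pattern exists to remove.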

Clone repo

git clone https://github.com/aws-samples/serverless-patterns
cd serverless-patterns/apigw-cognito-certificate-bound-access-token

Deploy

sam deploy


Testing

See the GitHub repo for detailed testing instructions.

Cleanup

Delete the stack: sam delete.

Created by:

Kevin Draai

Senior Cloud Support Engineer