## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. ## SPDX-License-Identifier: MIT-0 AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: Cognito to API Gateway HTTP API (JWT) Parameters: Client: Description: Client website for authentication redirects and cors (must start with https://) Type: String Default: https://myapp.com TestWithPostman: Description: Do you need to test with Postman? (Not recommended for production) Type: String Default: "false" AllowedValues: - "true" - "false" Resources: # Creates a nested stack with the required Cognito requirements AuthStack: Type: AWS::Serverless::Application Properties: Location: ./auth.yaml Parameters: ClientDomain: !Ref Client Postman: !Ref TestWithPostman # Creates an API Gateway HTTP API endpoint with JWT authorization AppApi: Type: AWS::Serverless::HttpApi Properties: Description: Cognito to HTTP API demo CorsConfiguration: AllowMethods: - GET AllowOrigins: - !Ref Client Auth: Authorizers: OAuth2Authorizer: AuthorizationScopes: - email IdentitySource: "$request.header.Authorization" JwtConfiguration: issuer: !GetAtt AuthStack.Outputs.Issuer audience: - !GetAtt AuthStack.Outputs.UserPoolClientId DefaultAuthorizer: OAuth2Authorizer AppFunction: Type: AWS::Serverless::Function Properties: CodeUri: src/ Handler: app.handler Runtime: nodejs14.x Events: AppApi: Type: HttpApi Properties: ApiId: !Ref AppApi Path: / Method: get Outputs: AppApiEndpoint: Description: API Endpoint Value: !Sub "https://${AppApi}.execute-api.${AWS::Region}.amazonaws.com" AuthUrl: Description: Url used to authenticate Value: !GetAtt AuthStack.Outputs.AuthUrl ClientId: Description: Application client ID Value: !GetAtt AuthStack.Outputs.UserPoolClientId