The Wayback Machine - https://web.archive.org/web/20190531024112/https://github.com/aws/chalice/issues/563

Authorizer/Cognito documentation lacking #563

Open
nitrag opened this issue Oct 3, 2017 · 7 comments

@nitrag commented Oct 3, 2017

I'm using the Cognito authorizer:
https://github.com/aws/chalice#using-amazon-cognito-user-pools

I'm at a loss on how to authenticate. Surely there should be an easy one-liner for a web redirect to an OAUTH page for users to signup/login?

@kyleknap (Member) commented Oct 4, 2017

Yep. You could write a chalice app like this using the chalice.Response object to respond with a redirect to the appropriate webpage:

from chalice import Chalice, Response

app = Chalice(app_name='redirect')


@app.route('/')
def index():
    return Response(
        status_code=301,
        headers={'Location': '<my-oauth-page>'},
        body=''
    )

Let us know if that helps.

@nitrag (Author) commented Oct 4, 2017

Yes, that makes sense for general OAuth. But I'm talking about AWS Cognito. Can't we streamline the solution a bit more? Would be nice if I could just return a one-liner that redirects the user to Cognito OAuth and gets the appropriate keys.

I'd like to build an app with Chalice with some semblance of User Management. Where users could login/create account, save data, and display it. Thought I would be able to do this with Cognito...

@nitrag (Author) commented Oct 8, 2017

Here's what I'm looking for:

  1. Add authorizer
  2. Unauthorized users get redirected to generated OAuth page for signup/login
  3. Once authorized, easy ability to store variables for the user like here

@jamesls jamesls self-assigned this Oct 9, 2017

@kyleknap kyleknap removed the question label Oct 16, 2017

@wollerman commented Oct 17, 2017

I agree the documentation is lacking on how to use Cognito. I think part of the confusion is because of the distinction between using Chalice for web based API access and the expectation of Chalice endpoints being used in the middle of a workflow that already has something like a Cognito JWT.

So to hopefully give an example of what I've gotten to work, my current approach has been to set up a test user and run something like:

from warrant import Cognito
import requests

# use warrant to authenticate a test user
u = Cognito('XXX_YOUR_USER_POOL_ID', 'XXX_YOUR_CLIENT_ID', username='test_user')
u.authenticate(password='testtest')

# now you can hit authorized endpoints from chalice that are backed by the cognito pool;
# the authorizer expects the ID token in the Authorization header
r = requests.get(
    'https://YOUR_CHALICE_REST_API_ID.execute-api.YOUR_AWS_REGION.amazonaws.com/api/',
    headers={'Authorization': u.id_token},
)
print(r.text)

I think Chalice was meant to be placed into a workflow. By supporting the Cognito authorizer it allows for endpoints to be protected and return an appropriate API result based on the request.

@jamesls correct me if I've misspoken!

@wollerman commented Oct 27, 2017

@nitrag another example of using Cognito is in the Ionic AWS Starter. They give a lot of nice setup for getting a session. Then you can access the token directly and make API calls with session.getIdToken().getJwtToken(); just like in the user.ts file (I modified this to return the session object so that I have access to all tokens as needed). Something like:

import {Injectable} from "@angular/core";
import {Http, Headers, RequestOptions} from "@angular/http";
import 'rxjs/add/operator/map';
import {User} from "./user";

declare var AWS: any;
declare var AWSCognito: any;

@Injectable()
export class MyProvider {
  url;
  headers;
  options;

  constructor(public http: Http, public user: User) {
    console.log('Hello My Provider');
    this.url = 'https://MY_CHALICE_PREFIX.execute-api.us-west-2.amazonaws.com/api';
    this.headers = new Headers();
    user.isAuthenticated().then((res: any) => {
      this.headers.append('Authorization', res.getIdToken().getJwtToken());
      this.options = new RequestOptions({headers: this.headers})
    });

  }

  getMyPermissions() {
    return this.http.get(this.url + '/auth/my_permissions', this.options)
      .map(res => res.json())
  }

}

The Cognito SDK documentation is definitely lacking. Hopefully these quick examples of what worked for me will help others. Like I mentioned previously, Chalice makes the backend services extremely easy to implement, integrate with Cognito, and deploy. It's the rest of the spaghetti I've found unclear :D

@kyleknap kyleknap assigned jamesls and unassigned JordonPhillips Nov 6, 2017

@jamesls (Member) commented Nov 16, 2017

I agree we should get our documentation updated. There's nothing in chalice right now that generates login pages for you. That functionality is provided by cognito user pools directly, but we may be able to make that easier.

As far as the cognito user pools authorizer, @wollerman is correct. The authorizer requires the jwt id token from the login process to be provided in the Auth header.

I typically use https://github.com/aws/amazon-cognito-identity-js/ (and its CognitoUser.authenticateUser) to handle the SRP auth portion, and then send the result.getIdToken().getJwtToken() to chalice.

Labeling this as documentation, we'll get our docs updated.
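
The thread's point that the authorizer needs the JWT ID token in the Authorization header, as an added example (not part of the original thread, and not Chalice or Cognito project code): a client-side check that the token about to be sent is an unexpired ID token from the expected user pool and app client. The names `preflight_id_token` and `make_sample_token` are hypothetical, and the claims are read without signature verification, so this is a debugging aid only.

```python
import base64
import json
import time


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_sample_token(claims):
    """Build a constructed, unsigned sample token for trying the check."""
    def enc(obj):
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "constructed-sig"])


def preflight_id_token(token, user_pool_id, region, client_id, now=None):
    """Return a list of problems found in the token's claims.

    The signature is NOT verified here; never use this result to make an
    authorization decision. It only explains a likely 401 before sending.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a three-part JWT"]
    try:
        claims = _b64url_json(parts[1])
    except ValueError:
        return ["payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["payload is not a JSON object"]
    problems = []
    # Cognito marks ID tokens with token_use == "id" (access tokens: "access").
    if claims.get("token_use") != "id":
        problems.append(f"token_use is {claims.get('token_use')!r}, expected 'id'")
    expected_iss = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != expected_iss:
        problems.append("iss does not match the user pool")
    # ID tokens carry the app client id in "aud".
    if claims.get("aud") != client_id:
        problems.append("aud does not match the app client id")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems
```

An empty list means the claims look right for this pool and client; the signature is still only checked by the authorizer itself.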
