API Gateway - JWT Authorizer - unable to decode "n" from RSA public key

Question

I have trouble getting the JWT Authorizer on my API Gateway working. The API Gateway works fine, when I remove the authorizer, so the problem should be with the authorizer.

I am using OpenID token which I get from [Cognito Identity GetOpenIdTokenForDeveloperIdentity](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html) request.

All the request just respond with the following (excerpt from `curl -i` output):
```
www-authenticate: Bearer scope="authenticated" error="invalid_token" error_description="unable to decode "n" from RSA public key"

{"message":"Unauthorized"}
```

As far as I understand the `error_description` complains about not being able to read the "n" parameter from [here](https://cognito-identity.amazonaws.com/.well-known/jwks_uri). But since I have no control over this, I'm unsure what I need to do to get this working.

Answer

Get the certificate from the user pool that generated the toekn:
https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json

and Generating a correct signature requires a host header:
httpRequest.headers.host = 'xxxxxxx.execute-api.region.amazonaws.com'

API Gateway - JWT Authorizer - unable to decode "n" from RSA public key

관련 콘텐츠