Multi-pool CognitoAuthorizer only accepting id token from first-listed pool


I have a RestApi declared with CloudFormation using AWS::Serverless::Api; I created a default Cognito authorizer there and declared a UserPoolArn pointing to my UserPool1's ARN.

Then I created a custom resource with RestApiId and UserPool2ARN properties, so it could find the API Gateway's authorizers and add the second pool to the CognitoAuthorizer.

It seems to work: the AWS Console API Gateway Authorizers page shows the CognitoAuthorizer with TWO different pools.

But the problem is that when I "initiateAuth" different users from each pool to get an "idtoken", only the idtoken from the first-listed pool goes through. The idtoken from the other pool gets an Unauthorized.

1 Answer

First, you should not use the ID token to consume an API, but the access token.

Second, as you use the identity token authentication method, you must have configured the Token validation field in the Cognito authorizer, which should match the aud claim of the identity token (the client id value) issued by the first user pool. As the client id value is unique per user pool, the identity token issued by the second user pool will never have this aud claim set to the right value and therefore will always fail the check.

answered a year ago
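To make the answer's point concrete, here is an added, simulated authorizer that checks tokens from two pools the way the answer describes (issuer, signature, token_use, then the per-pool app client id in aud or client_id, and scope for access tokens). It is example code written for this page, not API Gateway's or Cognito's implementation. Assumptions: tokens are HS256-signed with a per-pool shared secret instead of Cognito's RS256 keys from the pool's JWKS endpoint, and the pool issuers, app client ids and scopes are constructed sample values, so everything runs offline.

```python
"""Simulated two-pool Cognito JWT authorizer (added example, not AWS code).

Assumptions: HS256 with a per-pool demo secret stands in for Cognito's RS256
signing keys; issuers, app client ids and scopes below are constructed samples.
"""
import base64
import hashlib
import hmac
import json
import time

REGION = "eu-west-1"

# Constructed sample data: two user pools, each with its own app client id.
POOLS = {
    f"https://cognito-idp.{REGION}.amazonaws.com/{REGION}_Pool1AAAAA": {
        "clients": {"1h2j3k4l5m6n7o8p9q0r1s2t3u"},
        "secret": b"pool1-hmac-secret-for-demo-only",
    },
    f"https://cognito-idp.{REGION}.amazonaws.com/{REGION}_Pool2BBBBB": {
        "clients": {"9z8y7x6w5v4u3t2s1r0q9p8o7n"},
        "secret": b"pool2-hmac-secret-for-demo-only",
    },
}
POOL1, POOL2 = list(POOLS)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(issuer: str, client_id: str, token_use: str, scope: str = "") -> str:
    """Mint an HS256 JWT shaped like a Cognito id or access token (demo only)."""
    now = int(time.time())
    claims = {"iss": issuer, "token_use": token_use, "iat": now, "exp": now + 3600,
              "sub": "user-" + hashlib.sha256(client_id.encode()).hexdigest()[:8]}
    if token_use == "id":
        claims["aud"] = client_id        # id tokens carry the app client id in aud
    else:
        claims["client_id"] = client_id  # access tokens carry it in client_id
        claims["scope"] = scope
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(POOLS[issuer]["secret"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def authorize(token: str, pools: dict, allowed_client_ids=None, required_scope=None) -> tuple:
    """Return (True, claims) on success or (False, reason) on rejection.

    allowed_client_ids models an authorizer pinned to a fixed set of app client
    ids (the answer's scenario: only pool 1's client id is accepted, so pool 2's
    id token can never pass). None means any app client of the issuing pool.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("JWT parts are not JSON objects")
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    pool = pools.get(claims.get("iss"))
    if pool is None:
        return False, "issuer is not one of the authorizer's user pools"
    expected = hmac.new(pool["secret"], (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature"
    if claims.get("exp", 0) < time.time():
        return False, "token expired"
    use = claims.get("token_use")
    if use == "id":
        client = claims.get("aud")
    elif use == "access":
        client = claims.get("client_id")
    else:
        return False, "unknown token_use"
    if client not in pool["clients"]:
        return False, "client id does not belong to the issuing pool"
    if allowed_client_ids is not None and client not in allowed_client_ids:
        return False, f"{use} token's client id {client!r} is not one the authorizer accepts"
    if use == "access" and required_scope and required_scope not in claims.get("scope", "").split():
        return False, "missing required scope"
    return True, claims


def demo() -> dict:
    """Run the scenarios from the question and answer; values are pass/fail."""
    c1 = next(iter(POOLS[POOL1]["clients"]))
    c2 = next(iter(POOLS[POOL2]["clients"]))
    id1, id2 = issue_token(POOL1, c1, "id"), issue_token(POOL2, c2, "id")
    acc2 = issue_token(POOL2, c2, "access", scope="orders/read")
    h2, _, s2 = id2.split(".")
    forged = h2 + "." + id1.split(".")[1] + "." + s2  # pool 1 claims, pool 2 signature
    return {
        "pool2_id_multi_pool": authorize(id2, POOLS)[0],
        "pool2_id_pinned_to_pool1_client": authorize(id2, POOLS, allowed_client_ids={c1})[0],
        "pool1_id_pinned_to_pool1_client": authorize(id1, POOLS, allowed_client_ids={c1})[0],
        "pool2_access_scope_ok": authorize(acc2, POOLS, required_scope="orders/read")[0],
        "pool2_access_scope_missing": authorize(acc2, POOLS, required_scope="orders/write")[0],
        "forged_signature": authorize(forged, POOLS)[0],
        "garbage": authorize("not.a.jwt", POOLS)[0],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The pinned-client scenario is the failure in the question: the second pool's id token is well formed and correctly signed by its own pool, yet it is rejected purely because its aud holds a different app client id. The access-token scenario shows the alternative the answer recommends, where the method is gated on a scope rather than on the aud value. A real authorizer verifies RS256 signatures against each configured pool's JWKS instead of the demo HMAC; the issuer and client-id logic is the part that matters here.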
