
API Gateway HTTP API with JWT Authorizer for Cognito M2M access token


I created a Cognito User pool with a resource server and an app client for client M2M (client_credentials). In API Gateway I created a HTTP API endpoint (not REST) with a JWT Authorizer. I could get it running when I pasted the client_id of my app to the audience setting of the Authorizer. The challenge is that I want to provide a self service app registration for accessing the endpoint and a) I don't want to add all client ids to the authorizer and b) it is limited to 50 entries. In the end I just want to check an audience value that is generic across all registered client apps. Actually I do not want perform an audience check at all, but I have to enter at least one audience. It seems that I cannot set that anywhere. I inspected the access token I get after a client_credentials token request and it does not contain an aud property at all. Can anyone help me out with an idea or suggestion? Thank you in advance.

1 Answer

This is a common challenge with AWS Cognito and API Gateway JWT authorizers. Let me help you with a few potential solutions:

1. Using Resource Server Identifier:

    {
      "UserPoolId": "your-user-pool-id",
      "ResourceServer": {
        "Identifier": "https://api.yourdomain.com",
        "Name": "your-resource-server"
      }
    }

When you create a resource server in Cognito, its identifier becomes the audience in the tokens. You can:

Set a single, generic identifier for your resource server
Use this same identifier in the JWT authorizer's audience field
All client credentials tokens will then contain this audience

2. Custom Solution with Lambda Authorizer: If the JWT authorizer limitations are too restrictive, you can switch to a Lambda authorizer:

    // Token verification via aws-jwt-verify (the AWS-maintained package; "cognito-jwt-verify" above
    // refers to it or a similar library). clientId: null skips the client_id check so any app client
    // in the pool is accepted; the scope option enforces the custom scope instead of an audience.
    const { CognitoJwtVerifier } = require("aws-jwt-verify");

    const verifier = CognitoJwtVerifier.create({
      userPoolId: process.env.USER_POOL_ID,
      tokenUse: "access",
      clientId: null,
      scope: process.env.REQUIRED_SCOPE, // e.g. "my-sample-api-identifier/access"
    });

    exports.handler = async (event) => {
      // HTTP API Lambda authorizer, payload format 2.0, simple response
      const token = (event.headers.authorization || "").replace(/^Bearer\s+/i, "");
      try {
        const payload = await verifier.verify(token);
        // Implement your own audience validation logic here if you need one
        return { isAuthorized: true, context: { clientId: payload.client_id, scope: payload.scope } };
      } catch (err) {
        return { isAuthorized: false };
      }
    };

3. Update Token Configuration: You can modify the OAuth2.0 scopes and token configuration in your app client settings:

    aws cognito-idp update-resource-server \
      --user-pool-id your-user-pool-id \
      --identifier your-identifier \
      --name your-resource-server-name \
      --scopes ScopeName=your-scope,ScopeDescription=description

If you absolutely need to avoid audience validation:

Consider using a Lambda authorizer instead of JWT authorizer
Use token scopes for authorization instead of audience
Implement custom validation logic based on other token claims
AWS
answered a year ago
  • I created a resource server with an identifier of "my-sample-api-identifier" and a custom scope "access". In my App Client registration in "Edit managed login pages configuration" I added the custom scope to "Custom scopes". Then I requested an access token from the token endpoint using the custom scope. I inspected the access token, but there is no "aud" attribute. So it seems that potential solution 1 does not work? Or am I missing a piece?

