
API Gateway - How to accept Authorization with Bearer keyword - HTTP API


API Gateway HTTP using Cognito requires the JWT token to be included in the Authorization header. This is a problem when testing against Swagger Editor, which includes the "Bearer" keyword in the Authorization header. Is there a way to configure API Gateway to accept the JWT with the Bearer keyword?

OpenAPI Schema:

  securitySchemes:
    AwsOAuth2:
      type: oauth2
      flows:
        implicit:
          authorizationUrl: https://auth.ourdomain.com/login
          scopes:
            aws.cognito.signin.user.admin: Gives you access to all the User Pool APIs that can be accessed using access tokens alone
            email: Grants access to the email and email_verified claims. This scope can only be requested with the openid scope.
            openid: Returns all user attributes in the ID token that are readable by the client. The ID token is not returned if the openid scope is not requested by the client.
            phone: Grants access to the phone_number and phone_number_verified claims. This scope can only be requested with the openid scope.
            profile: Grants access to all user attributes that are readable by the client. This scope can only be requested with the openid scope.
      x-amazon-apigateway-authorizer:
        identitySource: "$request.header.Authorization"
        jwtConfiguration:
          audience:
            - "xxxxxxxx"
          issuer: "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_xxxxxxx"
        type: "jwt"
security:
  - AwsOAuth2: []

This generates the following curl request in the OpenAPI Swagger Editor:

curl -X 'GET' \
  'https://api.ourdomain.com/0.5/app-user/heyho' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer eyJraWQiOiJ1aVcwc3Exxxxxxxxxxxx'

The problem is that this gets rejected by API Gateway HTTP when integrating with Cognito. It requires a header like this (without Bearer):

  -H 'Authorization: eyJraWQiOiJ1aVcwc3Exxxxxxxxxxxx'
1 Answer
Accepted Answer

Assuming you are using the HTTP API with a JWT Authorizer, that should not be an issue. Please take a look at this document - https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html

If you look at this section

Authorizing API requests

API Gateway uses the following general workflow to authorize requests to routes that are configured to use a JWT authorizer.

Check the identitySource for a token. The identitySource can include only the token, or the token prefixed with Bearer.

So adding the token prefixed with Bearer is acceptable. The problem could be somewhere else.

answered 12 days ago
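To make the rule quoted in the answer concrete, here is an added example (not code from the question, the answer, or AWS) of an authorizer-style check that accepts either the bare token or the token prefixed with the Bearer scheme and rejects any other scheme, then validates the issuer, audience and expiry claims the way the linked JWT authorizer documentation describes. The issuer, audience and signing secret are constructed placeholders, and the token is signed with HS256 purely so the example runs offline; Cognito issues RS256 tokens that a real verifier checks against the user pool's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the demo (not the asker's real pool or client).
ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
AUDIENCE = "example-app-client-id"
DEMO_SECRET = b"constructed-demo-signing-secret"


def extract_token(authorization_header):
    """Pull the JWT out of the Authorization header as the quoted
    identitySource rule describes: the bare token, or the token prefixed
    with the Bearer scheme. Anything else (Basic, two tokens, empty)
    yields None so the request is denied rather than guessed at."""
    if not authorization_header:
        return None
    parts = authorization_header.strip().split()
    if len(parts) == 1:
        return parts[0]
    if len(parts) == 2 and parts[0].lower() == "bearer":
        return parts[1]
    return None


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_demo_token(claims, secret=DEMO_SECRET):
    """Mint an HS256 token for the demo. Cognito signs with RS256 and a
    verifier fetches the pool's JWKS; HS256 is used here only so the
    example runs with no network access or key material."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def authorize(authorization_header, issuer=ISSUER, audience=AUDIENCE,
              secret=DEMO_SECRET, now=None):
    """Run the authorizer's checks over one request header and return
    (allowed, reason). Signature is checked first so that claim values
    are only trusted once their integrity is established."""
    now = time.time() if now is None else now
    token = extract_token(authorization_header)
    if token is None:
        return False, "no usable token in identity source"
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "undecodable token"
    if header.get("alg") != "HS256":
        # Pin the algorithm; never let the token choose how it is verified.
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    # Cognito ID tokens carry aud; access tokens carry client_id instead.
    aud = claims.get("aud", claims.get("client_id"))
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired or missing exp"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf:
        return False, "token not yet valid"
    return True, "ok"


if __name__ == "__main__":
    tok = make_demo_token({"iss": ISSUER, "client_id": AUDIENCE,
                           "exp": int(time.time()) + 3600})
    # Both header shapes from the question are accepted; Basic is not.
    for hdr in (f"Bearer {tok}", tok, f"Basic {tok}"):
        print(hdr.split()[0][:10], authorize(hdr))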
