
API Gateway with Cognito User Pool: Unauthorised


Hi, I have a Cognito user pool and an app client. I have created a user that generated an access_token and an id_token. I created an API Gateway resource and added an Authoriser using my Cognito pool. The idea is that I will not use an IAM role but use the Cognito user pool email + password to invoke an API. Now, when I use Test authorizer with the id_token it works, but if I test it with Postman it does not.

I looked at a lot of documentation, but there is no step-by-step guidance. In Postman, I add Authorization as a header and put my access_token in it. I tried several variations with the authentication type Bearer. None of them worked. I created custom scopes; none of them worked. Can you help me?

My invoke URL: https://xxxxx.execute-api.eu-west-1.amazonaws.com/test. I want to do a POST request to https://xxxx.execute-api.eu-west-1.amazonaws.com/test/mock/StartJob. I added the authorization scope https://xxxx.execute-api.eu-west-1.amazonaws.com/test/auth and created the resource /auth. I also created a custom scope in my Cognito domain, scope auth, with the resource server identifier set to both https://xxxxx.execute-api.eu-west-1.amazonaws.com/test and https://xxxxx.execute-api.eu-west-1.amazonaws.com, with scope auth. I also removed it and vice versa; I tested all combinations. Sometimes it was Unauthorised; sometimes it was "Message": "User: anonymous is not authorized to perform: execute-api:Invoke on resource:" (only if I used the id_token). I just cannot find any documentation that explains what the issue is.

  1. What custom scopes do I need, if that's the issue? I just can't seem to get it right.
  2. Can I not use the id_token to invoke the API?
  3. Is it a policy issue? I also cannot get this right.

Thank you in advance.

1 Answer

Based on the information provided, it seems you're encountering some common issues when integrating Amazon Cognito with API Gateway. Let's address your questions and provide some guidance:

  1. Custom scopes: Custom scopes are typically used with access tokens, not ID tokens. If you're using an access token, you need to ensure that the custom scopes you've defined in your Cognito user pool match the scopes you've configured on your API Gateway methods. However, it's not always necessary to use custom scopes if you're just looking for basic authentication.

  2. Using ID token vs Access token: You can use either an ID token or an access token to invoke an API, but they serve different purposes:

  • ID token: Used for authentication and contains claims about the user's identity.
  • Access token: Used for authorization and contains scopes that define what actions the user can perform.

For simple authentication scenarios, using the ID token is often sufficient. If you're using the ID token, you don't need to configure custom scopes.

  3. Policy issues: If you're seeing the "User: anonymous is not authorized to perform: execute-api:Invoke" error, it suggests that the token is not being properly recognized or validated by API Gateway. This could be due to incorrect configuration of the Cognito User Pools authorizer in API Gateway.

To troubleshoot and resolve your issues:

  1. In API Gateway, ensure your Cognito User Pools authorizer is correctly configured:

    • Verify that the correct Cognito User Pool is selected.
    • Check that the Token Source is set to "Authorization" (this is the header name Postman should use).
  2. In Postman:

    • Set the Authorization type to "Bearer Token".
    • In the Token field, paste your ID token (not the access token).
    • Ensure the token is fresh and not expired.
  3. If you decide to use access tokens and custom scopes:

  4. Double-check your API's deployment:

    • Make sure you've deployed your API after making any changes to the authorizer or method settings.
  5. Verify your Cognito app client settings:

    • Ensure that the app client used to obtain the token is configured to allow the grant types you're using (e.g., authorization code, client credentials).

If you're still encountering issues after trying these steps, you may need to review your API Gateway logs or CloudWatch logs for more detailed error messages that could point to the specific problem.
Sources:
Configuring machine to machine Authentication with Amazon Cognito and Amazon API Gateway – Part 2 | AWS Cloud Operations Blog
Trouble get access to API GAteway with Cognito UserPool | AWS re:Post
Integrate a REST API with an Amazon Cognito user pool - Amazon API Gateway
Control access to REST APIs using Amazon Cognito user pools as an authorizer - Amazon API Gateway
Accessing resources with API Gateway after sign-in - Amazon Cognito

answered a year ago
EXPERT
reviewed a year ago
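As an added example (not part of the question or the answer above, and not AWS code): a small Python simulation of the token checks the answer describes, so the combinations from the question can be replayed offline. It builds HS256-signed sample tokens inline with constructed claims, a hypothetical user pool issuer, app client ID and custom scope; real Cognito tokens are RS256 and API Gateway verifies them against the user pool's JWKS, which this example deliberately omits. The decision rule it encodes follows the API Gateway documentation for Cognito user pool authorizers: with no OAuth scopes on the method, the token must be an ID token whose aud is an app client of the pool; with scopes on the method, it must be an access token whose scope claim contains at least one of them. Stripping an optional "Bearer " prefix is this example's own choice.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical identifiers, constructed for this example (not from the original post).
ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
CLIENT_ID = "1example23456789"
SIGNING_KEY = b"constructed-hs256-key"  # stand-in; Cognito signs RS256, verified via the pool's JWKS
METHOD_SCOPE = "https://api.example.com/jobs.start"  # hypothetical resource server id + custom scope


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Build a compact JWT (header.payload.signature) signed with HS256."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token: str) -> dict:
    """Check the signature and return the claims; raise ValueError on any defect."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWT")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def authorize(auth_header, method_scopes, now=None):
    """Return (allowed, reason) using the documented Cognito user pool authorizer rule.

    Token source is the Authorization header. No scopes on the method: the token must be
    an ID token (token_use == "id") whose aud is this pool's app client. Scopes on the
    method: the token must be an access token whose scope claim intersects them.
    """
    if auth_header is None:
        return False, "Unauthorized: no Authorization header"
    token = auth_header[7:] if auth_header.startswith("Bearer ") else auth_header
    try:
        claims = verify_and_decode(token)
    except ValueError as exc:
        return False, f"Unauthorized: {exc}"
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "Unauthorized: issuer is not this user pool"
    if claims.get("exp", 0) <= now:
        return False, "Unauthorized: token expired"
    if not method_scopes:
        if claims.get("token_use") != "id" or claims.get("aud") != CLIENT_ID:
            return False, "Unauthorized: expected an ID token for an app client of this pool"
        return True, f"Allow: ID token for {claims.get('email')}"
    if claims.get("token_use") != "access" or claims.get("client_id") != CLIENT_ID:
        return False, "Unauthorized: method has scopes, expected an access token"
    matched = set(claims.get("scope", "").split()) & set(method_scopes)
    if not matched:
        return False, "Unauthorized: access token lacks any of the method's scopes"
    return True, "Allow: access token with scope " + ", ".join(sorted(matched))


NOW = 1_700_000_000  # constructed clock value so the scenarios are reproducible

ID_TOKEN = make_token({"token_use": "id", "iss": ISSUER, "aud": CLIENT_ID,
                       "email": "user@example.com", "exp": NOW + 3600})
ACCESS_TOKEN = make_token({"token_use": "access", "iss": ISSUER, "client_id": CLIENT_ID,
                           "scope": "openid email " + METHOD_SCOPE, "exp": NOW + 3600})
ACCESS_TOKEN_NO_SCOPE = make_token({"token_use": "access", "iss": ISSUER, "client_id": CLIENT_ID,
                                    "scope": "openid email", "exp": NOW + 3600})


def run_scenarios():
    """Replay the token/scope combinations from the question; return {name: allowed}."""
    cases = {
        "id token, method without scopes": (ID_TOKEN, []),
        "id token, method with custom scope": (ID_TOKEN, [METHOD_SCOPE]),
        "access token, method without scopes": (ACCESS_TOKEN, []),
        "access token with scope, method with custom scope": (ACCESS_TOKEN, [METHOD_SCOPE]),
        "access token without scope, method with custom scope": (ACCESS_TOKEN_NO_SCOPE, [METHOD_SCOPE]),
        "tampered id token, method without scopes": (ID_TOKEN[:-2] + "xx", []),
    }
    results = {}
    for name, (token, scopes) in cases.items():
        allowed, reason = authorize("Bearer " + token, scopes, now=NOW)
        print(f"{name}: {reason}")
        results[name] = allowed
    return results


if __name__ == "__main__":
    run_scenarios()
```

Running it shows the pattern behind the question: an access token is rejected on a method with no scopes configured (it has no aud claim to match the app client), an ID token is rejected on a method that has scopes (it carries no scope claim), and an access token only passes when the Cognito resource server identifier plus custom scope in its scope claim matches one of the method's authorization scopes exactly.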
