***FOUND BUG*** API Gateway / Cognito Authorizer


I have encountered a bug in the API Gateway / Cognito authorizer testing framework in the AWS API Gateway console. By default, Cognito generates JWT tokens for use as client OAuth authentication workflow tokens. Two types of tokens are generated per user in a Cognito user pool on login, the access_token and the id_token. Throughout the Cognito documentation these terms are used interchangeably and without distinction; HOWEVER, they have VERY different use cases.

In the API Gateway console, the Cognito authorizer TEST METHOD accepts an ID_TOKEN and provides a valid response, but fails using an ACCESS_TOKEN. HOWEVER, if you access the API over HTTP / HTTPS, the Cognito authorizer accepts an ACCESS_TOKEN and provides a valid response, but fails using an ID_TOKEN. The documentation for the API Gateway Cognito authorizer fails to make this distinction, and I lost many hours of personal development time to this issue.

If support staff can look at this issue and provide feedback, that would be greatly appreciated (both by me and by any other client using Cognito).

1 Answer

Access Tokens should be used for AuthZ, as they contain claim attributes. So when AuthN and AuthZ are both used, please use the Access Token with claims while accessing your APIs. You can AuthZ a user using claims.

The ID Token has only the identity of the user, basically email, phone, etc.; it does not have claims that AuthZ the user to a specific API. This is used to validate the user identity only. So when using "Test" in the authorizer, the ID Token is used, as it is just validating Cognito connectivity and token validity.

In real-world use, use the Access Token with claims in API Gateway, as API Gateway always looks for claims.

answered 3 months ago
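The confusion above comes from the two tokens looking identical on the wire. Cognito marks each one with a `token_use` claim ("access" or "id"), access tokens carry `client_id` and `scope`, and ID tokens carry `aud`. The following is an added example (not from the question, the answer, or AWS) that decodes a compact JWT and tells you which token you are holding before you send it to an authorizer; the tokens are constructed inline with a dummy signature, and signature verification against the user pool's JWKS is assumed to happen elsewhere.

```python
import base64
import json
import time


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS. The signature is NOT checked here;
    verify it against the Cognito user pool's JWKS before trusting the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_cognito_token(token: str, now=None) -> str:
    """Classify a Cognito token by its `token_use` claim and reject expired ones.
    Returns "access" or "id"; raises ValueError for anything else."""
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    use = claims.get("token_use")
    if use == "access" and "client_id" in claims and "scope" in claims:
        return "access"
    if use == "id" and "aud" in claims:
        return "id"
    raise ValueError(f"unrecognised token_use: {use!r}")


def make_unsigned_token(claims: dict) -> str:
    """Constructed demo token with a placeholder signature (not a real Cognito JWT)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.sig"


# Constructed claim sets shaped like Cognito's two token types (hypothetical values).
ACCESS_TOKEN = make_unsigned_token({"token_use": "access", "client_id": "example-app",
                                    "scope": "openid", "exp": 4102444800, "sub": "s1"})
ID_TOKEN = make_unsigned_token({"token_use": "id", "aud": "example-app",
                                "email": "user@example.com", "exp": 4102444800, "sub": "s1"})
```

Run `classify_cognito_token` on the token your client is about to send: "id" means the console test will pass but the deployed API will reject it, which is exactly the mismatch described in the question.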
