API Gateway auth failing because Cognito passes id_token param with # instead of ?

0

I have an HTTP API integration with a Cognito authorizer and I'm using the implicit grant. The id_token is passed in the URL as: https://abc.eu-central-1.amazonaws.com/abc#id_token=xyz

My API Gateway has the Identity Source configured as: $request.querystring.id_token

The API Gateway is failing to parse the id_token and ends up returning {"message":"Unauthorized"}. If I change the request manually to use ? instead of # in front of id_token, everything works fine, because hash fragments are not sent to the server: https://abc.eu-central-1.amazonaws.com/abc?id_token=xyz

Any ideas how to sort this issue without changing the auth type? I can't believe I'm spending a day on such an issue.

2 Answers
0
Accepted Answer

Using the hash fragment of the URL follows the OpenID Connect Core 1.0 standard, section 3.2.2.5. Successful Authentication Response:

When using the Implicit Flow, all response parameters are added to the fragment component of the Redirection URI

The advice under 3.2.2.7. Redirect URI Fragment Handling is:

Since response parameters are returned in the Redirection URI fragment value, the Client needs to have the User Agent parse the fragment encoded values and pass them on to the Client's processing logic for consumption.

Are you redirecting from Cognito directly to API Gateway?

However, per the Amazon Cognito Authorize endpoint documentation, "An implicit grant is less secure because it exposes tokens and potential identifying information to users", and it is more secure to use an authorization code grant. The code is returned in the query string parameters and not in the fragment.

AWS
answered a year ago
  • Yes, I wanted to redirect from Cognito to API Gateway directly, but couldn't get hold of the token on the HTTP API Gateway side, neither via the query string nor via the Authorization header, as it wasn't getting populated either. What I ended up doing is building a small client that I redirect to from Cognito, which parses the token and then makes the request to API Gateway with the token as a query string value. It doesn't sound smart, but that's all I'm left with!

  • Beware that tokens are credentials, show up in access logs when on the query string, and could be used to make additional requests. See https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/ about the authorization code grant, which can be exchanged for the desired tokens based on a code_challenge. Can you do this code-for-token exchange in your API Gateway logic?

  • Yes, I'm aware of that; the whole solution was simply about a lambda displaying some HTML response, so there is not much security concern about it. In the end, getting a token needs valid credentials, and if someone is able to get access to the access logs to get the token, that means they are authorized; otherwise it's a different problem.
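To make the accepted answer's point concrete, here is an added example (not code from the original thread or from AWS) of what the browser sees after a Cognito implicit-grant redirect versus what the server sees, and of the client-side step the OIDC spec asks for: parse the fragment in the user agent, then send the token to the API in the Authorization header instead of the query string. The hostnames, token values and the API URL are placeholders; the identity source $request.header.Authorization is the HTTP API JWT authorizer's default and is assumed here.

```javascript
// Added example, not from the original post. Hosts, tokens and the API URL
// below are placeholders chosen for illustration.

// Extract the OIDC response parameters that Cognito places in the URL
// fragment (implicit grant) or in the query string (authorization code grant).
function parseAuthResponse(redirectedUrl) {
  const url = new URL(redirectedUrl);
  // Fragment: "#id_token=...&access_token=...&token_type=Bearer&expires_in=3600"
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  return {
    // Everything after '#' never leaves the browser; only client code can read it.
    fromFragment: Object.fromEntries(fragment.entries()),
    // Everything after '?' is sent to the server with the request.
    fromQuery: Object.fromEntries(url.searchParams.entries()),
  };
}

// What an HTTP server (API Gateway included) actually receives for a URL:
// the user agent drops the fragment before sending the request, which is
// why $request.querystring.id_token is always empty for an implicit grant.
function serverVisibleUrl(redirectedUrl) {
  const url = new URL(redirectedUrl);
  url.hash = "";
  return url.toString();
}

// Build the request the client should make to the API: pass the JWT in the
// Authorization header rather than the query string so it does not land in
// access logs. Assumes the JWT authorizer's identity source is
// $request.header.Authorization (the default for HTTP API JWT authorizers).
function buildApiRequest(apiUrl, idToken) {
  return {
    url: apiUrl,
    options: {
      method: "GET",
      headers: { Authorization: `Bearer ${idToken}` },
    },
  };
}

// Constructed sample redirect URLs (placeholder host and token values).
const IMPLICIT_REDIRECT =
  "https://abc.eu-central-1.amazonaws.com/abc#id_token=eyJhbGciOi.payload.sig&access_token=abc123&token_type=Bearer&expires_in=3600";
const CODE_REDIRECT =
  "https://abc.eu-central-1.amazonaws.com/abc?code=0123abcd-code&state=xyz";

if (typeof window !== "undefined") {
  // In a browser: read the token from the page's own location and call the API.
  const { fromFragment } = parseAuthResponse(window.location.href);
  if (fromFragment.id_token) {
    const req = buildApiRequest("https://api.example.com/hello", fromFragment.id_token);
    fetch(req.url, req.options).then((r) => r.json()).then(console.log);
  }
} else {
  // Outside a browser (e.g. node), just show the two views of the same URL.
  console.log(parseAuthResponse(IMPLICIT_REDIRECT));
  console.log(serverVisibleUrl(IMPLICIT_REDIRECT));
  console.log(parseAuthResponse(CODE_REDIRECT));
}
```

Run in a browser, the page served at the redirect URI reads id_token from its own location.hash and calls the API; run under node, it prints that the implicit-grant URL carries everything in the fragment and nothing in the query, that the server-visible URL is just the path, and that the authorization-code URL carries the code in the query, where a server can read it.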

0

Hi,

We are trying to redirect from Cognito directly to API Gateway, which shows us {"message":"Unauthorized"}; not sure what we are doing wrong.

Thanks, Siddharth

answered a year ago
  • This is not possible to do directly; you need something between Cognito and API Gateway to parse the token (or obtain the token from the code) and pass it on to API Gateway via the Authorization header.
