***FOUND BUG*** API Gateway / Cognito Authorizer

0

I have encountered a bug in the API Gateway / Cognito authorizer testing framework in the AWS API Gateway console. By default, Cognito generates JWT tokens for use as client OAuth authentication workflow tokens. Two types of tokens are generated per user in a Cognito user pool on login, the access_token and the id_token. Throughout the Cognito documentation these terms are used interchangeably and without distinction, HOWEVER they have VERY different use cases.

In the API Gateway console, the Cognito authorizer TEST METHOD accepts an ID_TOKEN and provides a valid response, but fails using an ACCESS_TOKEN. HOWEVER, if you access the API from HTTP / HTTPS, the Cognito authorizer accepts an ACCESS_TOKEN and provides a valid response, but fails using an ID_TOKEN. The documentation for the API Gateway Cognito authorizer fails to make this distinction and I lost many hours of personal development time to this issue.

If support staff can access this issue and provide feedback that would be greatly appreciated (both by me, and any other client using cognito).

2 answers
0

Access Tokens should be used for AuthZ as they contain claims attributes. So when AuthN and AuthZ are used, please use the Access Token with claims while accessing your APIs. You can AuthZ the user using claims.

The ID Token only has the identity of the user (basically email, phone, etc.); it does not have claims that AuthZ the user to a specific API. This is used to validate the user identity only. So when using "Test" in the authorizer, the ID Token is used as it's just validating Cognito connectivity and token validity.

In the real world, use the Access Token with claims in API Gateway, as API Gateway always looks for claims.

AWS
Pravo
Answered 2 years ago
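The difference both answers describe is visible in the token payloads themselves: Cognito sets a `token_use` claim of `"id"` or `"access"`, ID tokens carry `aud` plus identity attributes such as `email`, and access tokens carry `client_id` and a space-separated `scope` claim. The following is an added example, not code from the question, the answers or AWS; it builds two constructed tokens with placeholder signatures and identifiers, decodes the payload without signature verification (enough to tell which token you are holding before pasting it into the console or an Authorization header), and maps each token to the surface that, as reported in this thread, expects it. The `token_fits_surface` mapping and all sample claim values are assumptions made for the demonstration.

```python
import base64
import json
import time

# ---- constructed sample data (NOT real tokens; placeholders throughout) ----
NOW = 1_700_000_000
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_PLACEHOLDER"
APP_CLIENT_ID = "PLACEHOLDER_APP_CLIENT_ID"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(payload: dict) -> str:
    """Build a constructed JWT with a placeholder signature (demo only).
    Real Cognito tokens are RS256-signed with a key from the pool's JWKS."""
    header = {"alg": "RS256", "kid": "PLACEHOLDER_KID", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT checking the signature.
    This is fine for inspecting which token you are holding; any
    authorization decision must first verify the signature against the
    user pool's JWKS (the API Gateway authorizer does that for you)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_cognito_token(token: str) -> str:
    """Return 'id', 'access' or 'unknown' based on Cognito's token_use claim."""
    token_use = decode_claims(token).get("token_use")
    return token_use if token_use in ("id", "access") else "unknown"


def has_scope(token: str, scope: str) -> bool:
    """Access tokens carry a space-separated 'scope' claim; ID tokens do not."""
    return scope in decode_claims(token).get("scope", "").split()


def is_expired(token: str, now=None) -> bool:
    now = int(time.time()) if now is None else now
    return decode_claims(token).get("exp", 0) <= now


def token_fits_surface(token: str, surface: str) -> bool:
    """Which token each surface expects, as reported in this thread (assumption):
    'console-test' -> ID token (the docs quoted in the second answer)
    'http'         -> access token (the deployed authorizer, per the question)"""
    expected = {"console-test": "id", "http": "access"}[surface]
    return classify_cognito_token(token) == expected


SAMPLE_ID_TOKEN = make_sample_jwt({
    "sub": "00000000-0000-4000-8000-000000000000",  # constructed
    "aud": APP_CLIENT_ID,                            # ID tokens use 'aud'
    "token_use": "id",
    "email": "user@example.com",
    "cognito:username": "user",
    "iss": ISSUER, "iat": NOW, "exp": NOW + 3600,
})

SAMPLE_ACCESS_TOKEN = make_sample_jwt({
    "sub": "00000000-0000-4000-8000-000000000000",  # constructed
    "client_id": APP_CLIENT_ID,                      # access tokens use 'client_id'
    "token_use": "access",
    "scope": "aws.cognito.signin.user.admin openid",
    "username": "user",
    "iss": ISSUER, "iat": NOW, "exp": NOW + 3600,
})

if __name__ == "__main__":
    for name, tok in [("id_token", SAMPLE_ID_TOKEN), ("access_token", SAMPLE_ACCESS_TOKEN)]:
        print(f"{name}: token_use={classify_cognito_token(tok)}, "
              f"ok for console test={token_fits_surface(tok, 'console-test')}, "
              f"ok over HTTP={token_fits_surface(tok, 'http')}, "
              f"openid scope={has_scope(tok, 'openid')}")
```

Running `classify_cognito_token` on a token obtained from `InitiateAuth` before using it takes the guesswork out of the console-versus-HTTP mismatch the question describes; the `token_use` claim is the authoritative way to tell the two apart, not the presence of any single identity attribute.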
0

As mentioned in the following AWS documentation snippet, the Cognito Authorizer Test Panel expects an Identity Token. Using an Access Token there would return an Unauthorized error.

After creating the COGNITO_USER_POOLS authorizer, you can optionally test invoke it by supplying an identity token that's provisioned from the user pool. You can obtain this identity token by calling the Amazon Cognito Identity SDK to perform user sign-in. You can also use the InitiateAuth action. Use the returned identity token, not the access token.

Reference: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html

AWS
Support Engineer
Udit_P
Answered 9 months ago
