AWS Api Gateway Authorizer + Cognito User Pool Not Working {“message”: “Unauthorized”}

22
votes

I am trying to use aws api gateway authorizer with cognito user pool. It is working fine when i test using aws api gateway console.

But when i try enabling the authorization in the api it says "message": "Unauthorized". Please check below screenshot

API Gateway Console Screenshot - This works fine enter image description here

Postman Screen shot - Not working enter image description here

Can someone help please.

FYI I have followed the instructions as mentioned here http://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

8
amazon-web-servicesaws-api-gatewayaws-cognito
Is it just username rather than cognito:username? I haven't used that exact method, but I'm not sure that part is right. - Art Ianuzzi
cognito:username is the response i get for successful authorization. Even I get same type of issue for custom authorize also. For sure am doing something silly but cannot figure it out. If someone can help that would be great.. - Manivannan Guru
I'm sorry, I mistook that for your code. Postman is saying there are 12 headers in the response. Can you post those? - Art Ianuzzi
Also, you should try sending the request using the code in the AWS SDK as well as the Cognito SDK, because there are request headers that you may be missing in the Postman request. Finally, look at the headers in the request (from inspect/network in the browser) and make sure your AWS policy matches those headers exactly or you'll have CORS issues. See: docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/… - especially step 4 - Art Ianuzzi
Sorry for the delay, due to project urgency as of now I have I have created a lambda function and pointed it to custom authorizer. I have decoded the jwt (access token from cognito) in the lambda as per below link. This works pretty well for now. aws.amazon.com/blogs/mobile/… Will check your reply and let know the results - Manivannan Guru

8 Answers

34
votes

In my case, authorization code should be id_token. I made a mistake for using access_token instead

12
votes

The below steps fixes the problem for me. In short, there seems to be a bug in AWS API Gateway. You can fix it by re-deploy the API:

  1. Change the Request Validator from NONE to Validate Body
  2. Actions -> Deploy the API -> choose the stage you want to deploy it to.
  3. Change the Request Validator from Validate Body to NONE
  4. Redo step 2.

enter image description here

6
votes

I tried Mathias' solution out and it didn't work at first. Oddly, I can back to it hours later and tried again, and this time made some other changes to my API gateway before deploying the API. This time it worked, even though the other changes that I made were superficial.

Also, as is so often the case, the AWS docs are wrong, stating that you should use method.response.header.Authorization. This is really only valid for Lambdas using custom auth. You should indeed use just Authorization here when you are using the new Cognito User Pool Authorizer.

  1. Use Authorization not method.response.header.Authorization
  2. Make a superficial change to your resource in API Gateway
  3. Deploy your API and wait a second

-- edit --

I was just converting my stack to Cloudformation and found out that if you are using Cloudformation to deploy the Authorizer, you do in fact need to specify the full method.response.header.Authorization for the token source. In fact, a stack deploy will fail if you don't use that format. However, once deployed, if you look at the Authorizer in the console, it will have dropped the method.response.header part.

3
votes

I had the same issue like you and realized that I entered a wrong Token Source.

Enter in <your API> -> Authorizers -> Token Source the name of the HTTP header where the API gateway has to look for the token. (in your case Authorization)

Save it and don't forget to deploy before you test it out.

enter image description here

3
votes

I had the same issues, the solution was just to redeploy the project.

2
votes

Try below 3 steps (do not forget to deploy API) and try to send a request with POST man

  1. Cache

enter image description here

  1. Settings of Method Request

enter image description here

  1. Deploy API

enter image description here

2
votes

If you are not checking scope at OAuth Scopes in method execution block of API gateway it will only take id-token.

Once you will have set OAuth scope restriction on request it will start taking access token automatically.

0
votes

Changing the Token Source in the Authorizer to something other than Authorization (eg: authorization) then deploying the API and giving that in Postman's headers worked for me. No matter what we call the header, it will be translated and used by API gateway I guess.