I am configuring an app with various frontends (mobile and web apps) and a single API backend, powered by Lambda and accessed via AWS API Gateway.
As I'm planning to use Cognito to authenticate and authorize users, I have set up a Cognito User Pool authorizer on my API Gateway and several API methods.
With an architecture like this, it seems logical that my apps (e.g. an iOS or Vue.js app) are the Client applications from an OAuth perspective, and my API Gateway backend is a Resource Server. Based on this Auth0 forum post it seems clear that I should therefore use an ID token in my client app, and pass an Access Token to authorize my API Gateway resources.
When I hit the Cognito /oauth2/authorize endpoint to get an access code and use that code to hit the /oauth2/token endpoint, I get 3 tokens - an Access Token, an ID Token and a Refresh Token. So far so good, as I should have what I need.
This is where I've run into difficulties - using the test function on the API Gateway Cognito User Pool Authorizer console, I can paste in the ID token and it passes (decoding the token on-screen). But when I paste in the Access Token, I get 401 - unauthorized.
In my Cognito setup, I have enabled the Authorization Code Grant flow only, with the email and openid scopes (this seems to be the minimum allowed by Cognito as I get an error trying to save without at least these ticked).
Do I need to add some specific scopes to get API Gateway to authorize a request with the Access Code? If so, where are these configured?
Or am I missing something? Will API Gateway only allow an ID token to be used with a Cognito User Pool Authorizer?
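As an added illustration (not part of the question above, and not AWS code), the following script emulates the documented rule the Cognito User Pool authorizer applies: when a method has no OAuth scopes configured, the supplied JWT is treated as an ID token, and when it does, the JWT is treated as an access token whose scope claim must overlap the method's scopes. The claim sets, client id and scope names are constructed samples, and signature verification is deliberately omitted (the real authorizer validates the signature against the pool's JWKS before any of this).

```python
import base64
import json

# Constructed sample claims modelled on the two Cognito token types.
# These are NOT real tokens; an ID token carries "aud", an access token
# carries "client_id" and a space-separated "scope" claim.
ID_CLAIMS = {"token_use": "id", "aud": "example-app-client-id",
             "email": "user@example.com", "sub": "constructed-sub"}
ACCESS_CLAIMS = {"token_use": "access", "client_id": "example-app-client-id",
                 "scope": "openid email", "sub": "constructed-sub"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload. with an empty signature, for offline demonstration only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying it; fine for diagnosing which token
    type you hold, never for making an access decision in production."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorizer_decision(token: str, method_scopes: set) -> bool:
    """Emulate the authorizer's token-type selection (assumption: simplified,
    signature/expiry/issuer checks omitted).
    - no scopes on the method  -> token must be an ID token (has "aud")
    - scopes on the method     -> token must be an access token whose
                                  "scope" claim shares at least one scope"""
    claims = decode_claims(token)
    if not method_scopes:
        return claims.get("token_use") == "id" and "aud" in claims
    granted = set(claims.get("scope", "").split())
    return claims.get("token_use") == "access" and bool(granted & method_scopes)


if __name__ == "__main__":
    id_tok, acc_tok = make_unsigned_jwt(ID_CLAIMS), make_unsigned_jwt(ACCESS_CLAIMS)
    for label, tok in (("ID", id_tok), ("Access", acc_tok)):
        for scopes in (set(), {"openid"}):
            print(label, "token, method scopes", scopes or "{}", "->",
                  "allow" if authorizer_decision(tok, scopes) else "401")
```

The access token is rejected with no scopes on the method and accepted once the method declares a scope the token carries, which matches the symptom in the question.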