10
votes

I was trying to get my API gateway to work with the Cognito user pools authorizer but I cannot seem to get it to work. I am not using any SDK as of now. Some details - for the Cognito pool, I have set up the ID provider as Cognito user pool, OAuth flow 'implicit grant' & scope as 'openid'. Created an app (& domain) with a client secret also generated. Email is the only field. - on API gateway I added the same user pool for Cognito auth & header as 'Authorization'. No scope was added and no token validation.

I use Cognito's default sign-in page to log in & retrieve the 'id_token' (present in the URL after sign-in) & use that in Postman to fire my API, getting a '401 unauthorized'. I use the same token in the API gateway authorizer test tool & I still get unauthorized. So clearly my token is the problem.

I have already tried various combinations of OAuth flows & scopes & API gateway with Lambda integration to creating another one with mock integration. Also created different user pools & apps with & without client secret, with the same error.

I would have been fine with the above not working (believing an error on my part) but the same thing works for a colleague who tried. The only difference is, after log-in, he was directed to a localhost page where he captured the same 'id_token' & hit API gateway with that token, successfully.

So I can't figure out what the difference is? Is it not supposed to work the way I am trying?

Some CloudWatch access logs from when I hit the API from Postman (also tried curl):

{ "requestId": "bb9ba6a2-6c25-11e8-b024-530b33bce48d", "ip": "x.x.x.x", "caller": "-", "user": "-", "requestTime": "09/Jun/2018:20:43:15 +0000", "httpMethod": "GET", "resourcePath": "/test", "status": "401", "protocol": "HTTP/1.1", "responseLength": "26", "authProvider": "-", "authType": "-", "claimProperty": "-", "property": "-", "principalId": "-" }

Thanks. Any help is appreciated.


2 Answers

22
votes

Turned out to be a really idiotic mistake of copying the access_token as well. With the right id_token it worked. Took me 2 days to figure it out!!!
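The mix-up above (pasting the access_token where the id_token belongs) is easy to catch before touching API Gateway: the two Cognito tokens carry a different "token_use" claim, and a user pool authorizer with no authorization scopes configured validates the ID token, while one with scopes expects the access token. The following is an added diagnostic, not code from the question or answers; it decodes a JWT payload without verifying the signature (so it is only a local sanity check) and the sample tokens are constructed with placeholder values.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. No signature check: diagnostic only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_cognito_token(token: str, authorizer_has_scopes: bool = False) -> str:
    """Say whether this token is the kind a Cognito user pool authorizer expects.

    Without authorization scopes on the method, API Gateway validates the
    ID token (token_use == "id"); with scopes configured it expects the
    access token (token_use == "access").
    """
    use = decode_claims(token).get("token_use")
    if use not in ("id", "access"):
        return "unknown: no token_use claim, not a Cognito user pool token"
    expected = "access" if authorizer_has_scopes else "id"
    if use == expected:
        return f"ok: {use} token matches authorizer configuration"
    return f"mismatch: got {use} token but authorizer expects {expected} token"


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string with a dummy signature."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "example-kid"}  # placeholder header
    return f"{enc(header)}.{enc(claims)}.dummysig"


# Constructed samples: the ID token carries "aud", the access token "client_id".
ID_TOKEN = make_sample_token(
    {"token_use": "id", "aud": "example-app-client-id", "email": "user@example.com"})
ACCESS_TOKEN = make_sample_token(
    {"token_use": "access", "client_id": "example-app-client-id", "scope": "openid"})

if __name__ == "__main__":
    print(classify_cognito_token(ID_TOKEN))       # ok: id token ...
    print(classify_cognito_token(ACCESS_TOKEN))   # mismatch: got access token ...
```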

1
votes

I'd like to submit another really dumb reason why this was not working - definitely do everything in addition to everything that the accepted answer mentioned:

I was performing my testing and validation in Postman. I added in the Authorization header and passed in my id_token. However, I never ticked the checkbox to actually include the header in my actual request. Hope this might save someone out there from spending hours debugging every possible configuration on API Gateway and Cognito only to realize I was never sending the header in the first place!