I was trying to get my API gateway work with Cognito user pools authorizer but I cannot seem to get it to work. I am not using any SDK as of now. Some details - for Cognito pool, I have setup ID provider as cognito user pool, Oauth flow 'impilicit grant' & scope as 'openid'. Created an app (& domain) with client secret also generated. Email is the only field. - on API gateway I added the same user pool for cognito auth & header as 'Authorization'. No scope was added and no token validation.
I use Cognito's default sign-in page to log in & retrieve the 'id_token' (present in URL after sign in) & use that in postman to fire my API to a '401 unauthorized'. I use the same token in the API gateway authorizer test tool & i still get unauthorized. So clearly my token is the problem.
I have already tried various combinations of oauth flows & scopes & api gateway with lambda integration to creating another one with mock integration. Also created different user pools & apps with & without client secret, to same error.
I would have been fine with above not working (believing an error on my part) but the same thing works for a colleague who tried. Only difference is, after log-in, he directed to a localhost page where he captured the same 'id_token' & hit API gateway with that token, successfully.
So I can't figure out what the difference is? Is it not supposed to work the way I am trying?
Some cloudwatch access logs when i hit the API from postman. (also tried curl)
{ "requestId": "bb9ba6a2-6c25-11e8-b024-530b33bce48d", "ip": "x.x.x.x", "caller": "-", "user": "-", "requestTime": "09/Jun/2018:20:43:15 +0000", "httpMethod": "GET", "resourcePath": "/test", "status": "401", "protocol": "HTTP/1.1", "responseLength": "26", "authProvider": "-", "authType": "-", "claimProperty": "-", "property": "-", "principalId": "-" }
Thanks. Any help is appreciated.