I have created a lambda authorizer for validation, in AWS Cognito.
The user sends a login request to AWS Cognito and after successful login gets the ID token.
There are different set of APIs, for which I need to use the Lambda authoriser.
For these API requests, the user passes the ID token as the authorisation header and passes the user pool ID as the path parameter.
In my custom lambda function, I validate this ID token (JWT token)
When the lambda function is called, it gets the AWS Cognito public key for this user pool by calling the URL
https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
I parse this JSON and compare the kid from this public key with the kid from the ID token passed by the user, in the authorisation header.
The next step is, I check if the token is expired.
If both the checks are passed, I allow the user to call the API.
The problem I am facing is, this lambda authoriser periodically fails.
If I call the first API by passing the ID token it works. If I call the same API again and again it works. But if I call a different API, which uses the same Lambda authoriser, it fails. I get “401 unauthorised” error.
I checked the CloudWatch logs, I can see the Lambda getting called when the lambda authoriser is successful. But I don’t see lambda function getting called, when I get the 401, unauthorised error.
I am not sure, if this issue is related to lambda invocations or is it because I am fetching the Cognito public key for every call.
