Consider a REST API backend consisting of AWS API Gateway and Lambda.
After successful OAuth2 authentication, AWS Cognito returns both an access_token and an id_token to the client in the authorization code grant flow.
During API calls, the Lambda function needs to know the email address of the authenticated client, so I basically have 2 choices:

- Send the id_token in the `Authorization` header, which is validated by the API Gateway and passed to the Lambda. Let Lambda decrypt the id_token and access the email address contained in it.
- Send the access_token in the `Authorization` header, which is validated by the API Gateway with `scope=openid email` and passed to the Lambda. Let Lambda make a `GET` call to the `/oauth2/userinfo` endpoint with the access_token in the `Authorization` header to obtain the email address.

Which of the two is best practice? Why?