API gateway Cognito user pool authorizer - 401 unauthorized
I was trying to get my API Gateway to work with the Cognito user pools authorizer but I cannot seem to get it to work. I am not using any SDK as of now. Some details:

- For the Cognito pool, I have set up the ID provider as Cognito user pool, OAuth flow 'implicit grant' and scope 'openid'. Created an app (and domain) with a client secret also generated. Email is the only field.
- On API Gateway I added the same user pool for Cognito auth and the header as 'Authorization'. No scope was added and no token validation.

I use Cognito's default sign-in page to log in and retrieve the 'id_token' (present in the URL after sign-in) and use that in Postman to fire my API, and get a '401 unauthorized'. I use the same token in the API Gateway authorizer test tool and I still get unauthorized. So clearly my token is the problem.

I have already tried various combinations of OAuth flows and scopes, and API Gateway with Lambda integration to creating another one with mock integration. Also created different user pools and apps with and without client secret, with the same error.

I would have been fine with the above not working (believing it an error on my part) but the same thing works for a colleague who tried. The only difference is, after log-in, he is directed to a localhost page where he captured the same 'id_token' and hit API Gateway with that token, successfully.

So I can't figure out what the difference is. Is it not supposed to work the way I am trying?

Some CloudWatch access logs when I hit the API from Postman (also tried curl):

{ "requestId": "bb9ba6a2-6c25-11e8-b024-530b33bce48d", "ip": "x.x.x.x", "caller": "-", "user": "-", "requestTime": "09/Jun/2018:20:43:15 +0000", "httpMethod": "GET", "resourcePath": "/test", "status": "401", "protocol": "HTTP/1.1", "responseLength": "26", "authProvider": "-", "authType": "-", "claimProperty": "-", "property": "-", "principalId": "-" }

Thanks. Any help is appreciated.

Afroasiatic answered 9/6, 2018 at 20:45 Comment(0)
It turned out to be a really idiotic mistake of copying the access_token as well. With the right id_token it worked. It took me 2 days to figure it out!!!

Afroasiatic answered 11/6, 2018 at 17:51 Comment(7)
I am having the same experience. Is it okay to use the id_token instead of the access_token? - Disparage
id_token may contain some user info (PII) so is not advised for API access. Other than that I couldn't see any difference between the two. - Afroasiatic
You're right, it might consist of PII data. Another problem we are encountering right now is that we cannot execute commands in our backend API that require an access token, such as global_sign_out. - Disparage
You saved me <3 - Magnanimity
I think I'm in a similar situation to yours, but the id_token didn't work for me. I have a Cognito user pool, created a Cognito authorizer in the API GW console with said user pool. I log in via the Cognito hosted page and grab the value of id_token, then use that value in the Test box in API GW, but still get 401... - Lorikeet
Update: you're the man! I realised I was making exactly the same mistake you did, i.e. I didn't realise that in copying the value of id_token I was also including &access_token=<access_token>, which of course would give me a 401. - Lorikeet
Haha, now that I think about it, that id_token did look unusually long!! - Inkblot
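The mistake the accepted answer and the Lorikeet and Inkblot comments describe is easy to catch mechanically, because the hosted UI's implicit-grant redirect puts every token in the URL fragment run together (id_token=...&access_token=...&expires_in=...&token_type=Bearer), and a genuine JWT has exactly three dot-separated segments and no '&'. The script below is an added example, not code from the thread or from AWS: it splits the redirect fragment into its individual tokens and reports why a pasted string would be rejected by a Cognito user pool authorizer that has no OAuth scopes on the method (which validates an ID token: token_use 'id', aud equal to the app client id, iss equal to the user pool). It also reflects the rule behind the later answer about scopes: once any scope is set on the method, API Gateway expects the access token instead (token_use 'access', with a scope claim), so an ID token then gets a 401. The issuer, client id, redirect URL and both JWTs are constructed for the demo; the JWTs are HS256-signed with a throwaway key purely so they are well-formed, and no signature verification is done here since API Gateway performs that against the pool's JWKS.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# Constructed values for the example; substitute your own pool's issuer and app client id.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "1example23456789"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_jwt(claims: dict, key: bytes = b"demo-only-key") -> str:
    """Build a well-formed three-segment JWT for the demo.

    HS256 with a throwaway key: this is NOT how Cognito signs tokens (RS256 with
    per-pool keys); it only gives realistic-looking input to run the checks on.
    """
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def tokens_from_redirect(url: str) -> dict:
    """Split the implicit-grant redirect URL into its individual tokens.

    The hosted UI returns them in the URL fragment (after '#'), not the query
    string, so the address bar shows id_token and access_token run together.
    """
    fragment = urlsplit(url).fragment
    return {name: values[0] for name, values in parse_qs(fragment).items()}


def decode_claims(token: str) -> dict:
    """Decode the payload of a JWT without verifying its signature.

    Enough to see which token you are holding; the real signature check
    happens in API Gateway against the user pool's JWKS.
    """
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError(f"expected 3 dot-separated segments, found {len(segments)}")
    return json.loads(_b64url_decode(segments[1]))


def id_token_problems(token: str, client_id: str = CLIENT_ID, issuer: str = ISSUER) -> list:
    """Reasons a pasted string will not satisfy a Cognito authorizer with no scopes set.

    Returns an empty list when the string looks like the user's ID token.
    """
    if "&" in token:
        return ["contains '&': more than one fragment parameter was copied (id_token plus access_token)"]
    try:
        claims = decode_claims(token)
    except ValueError as exc:  # covers binascii.Error and json.JSONDecodeError too
        return [f"not a JWT: {exc}"]
    problems = []
    use = claims.get("token_use")
    if use != "id":
        problems.append(f"token_use is {use!r}, expected 'id' (an access token has token_use 'access')")
    if claims.get("iss") != issuer:
        problems.append("iss does not match the user pool the authorizer was created with")
    if claims.get("aud") != client_id:
        problems.append("aud does not match the app client id")
    return problems


def demo() -> dict:
    """Reproduce the mistake from the thread on constructed tokens."""
    id_token = make_demo_jwt({"token_use": "id", "iss": ISSUER, "aud": CLIENT_ID,
                              "email": "user@example.com", "exp": 1528578600})
    access_token = make_demo_jwt({"token_use": "access", "iss": ISSUER, "client_id": CLIENT_ID,
                                  "scope": "openid", "exp": 1528578600})
    # Constructed stand-in for what the hosted UI's redirect showed in the address bar.
    redirect = (f"https://localhost/callback#id_token={id_token}"
                f"&access_token={access_token}&expires_in=3600&token_type=Bearer")
    tokens = tokens_from_redirect(redirect)
    # Selecting from "id_token=" to the end of the bar copies everything after it as well.
    fragment_copied_whole = urlsplit(redirect).fragment.split("id_token=", 1)[1]
    return {
        "correct_id_token": id_token_problems(tokens["id_token"]),
        "whole_fragment": id_token_problems(fragment_copied_whole),
        "access_token_instead": id_token_problems(tokens["access_token"]),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "looks like a valid ID token for this pool")
```

Paste the real redirect URL into tokens_from_redirect and run id_token_problems on the result before spending time on the authorizer configuration; the "contains '&'" and "token_use is 'access'" cases are the two copy-and-paste mistakes reported in this thread, and the iss/aud checks catch a token minted by a different pool or app client than the one the authorizer points at.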
I'd like to submit another really dumb reason why this was not working. Definitely do this in addition to everything that the accepted answer mentioned:

I was performing my testing and validation in Postman. I added the Authorization header and passed in my id_token. However, I never ticked the checkbox to actually include the header in my request. Hope this might save someone out there from spending hours debugging every possible configuration on API Gateway and Cognito only to realize, as I did, that the header was never being sent in the first place!

Ginkgo answered 10/5, 2020 at 6:6 Comment(0)
I was getting this symptom although my id_token was valid and correctly passed to API Gateway via the Authorization header.

In your API Gateway resource method execution settings (API: YourAPI > Resources > GET > Method Request > Settings) make sure OAuth Scopes is set to nothing. Mine was set to email for some reason.

I hope the 18h of my life spent on this will save you a nice bit too.

Vigen answered 23/12, 2022 at 23:33 Comment(0)
I would also like to confess a dumb reason for which it was not working. For me it was because when setting up the Authorizer, I set the Token Source as "Authorizer", whereas in Postman I was using "Authorization".

Reasonless answered 26/1 at 0:7 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.