
Our mobile application uses the unauthenticated Cognito flow to authorize devices. We use OAuth authentication for our backend, which expects a bearer token. To get this bearer token, instead of saving the client id/secret on the client, we are planning to call API Gateway for that Cognito user pool and then proxy into the OAuth service provider, which would return a bearer token. The client would use this bearer token to make further backend calls.

We tested the HTTP proxy and it is working great from the API Gateway console. The issue we are running into is with the authorizer. Our authorization mechanism is a Cognito user pool. So to test the authorizer, the console asks for an identity token. We are not sure what the identity token is. Tried to test with the cognitoId and the openToken obtained by the AWS iOS SDK for an unauthenticated Cognito user; none of them work. The message from the logs is "Unauthorized request:"

Could someone please suggest a solution?

PGA

1 Answer


It sounds like what you were looking at were tokens generated from federated identities. Have you set up user pools in your app? When you sign in with a user, you get 3 tokens - the id token, access token, and refresh token. That id token is what you'll need. This necessarily means unauthenticated will be a bit tricky, as you have to sign in to get this.

Jeff Bailey
  • Thanks Jeff. What do you mean when you say sign in? As it is unauthenticated, all we do is something like this: `let credentialsProvider = AWSCognitoCredentialsProvider(regionType: , identityPoolId: identityPoolId)`. The credentialsProvider will have an identityId on it, which is nothing but the cognitoId. It also has a credentials object with key/secret and session token. Also, yes, user pools are set up for our application – PGA Nov 11 '16 at 18:55
  • Basically, that you can't use user pools as an authorization mechanism without signing in. Unauthenticated access and user pools are two mutually exclusive things. You have to sign in to user pools to use user pools. – Jeff Bailey Nov 11 '16 at 19:01
  • Makes sense, have to look into how to do that as it is unauthenticated as of now – PGA Nov 11 '16 at 19:12
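As an added diagnostic (not code from the question or the answer), this Python helper inspects a token's claims to show why identity-pool credentials or an access token are rejected by a Cognito User Pool authorizer while a sign-in id token passes; the region, user pool id and app client id are placeholders, and the sample tokens it builds are constructed and unsigned.

```python
import base64
import json
import time

# Placeholders for illustration only; substitute your pool's real values.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLEPOOL"
APP_CLIENT_ID = "example-app-client-id"
EXPECTED_ISS = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(claims):
    """Build a constructed, unsigned JWT for testing; real tokens are RS256-signed."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "k1"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.placeholder-signature"

def check_user_pool_id_token(token, now=None):
    """Return the reasons a token would fail a Cognito User Pool authorizer.

    An empty list means the claims look right for an id token. This is only a
    diagnostic: the signature must still be verified against the pool's JWKS
    (API Gateway does that itself), which this function deliberately skips.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        # An identityId such as "us-east-1:..." or an STS session token is not a JWT.
        return ["not a JWT; Cognito Identity credentials are not user pool tokens"]
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        return ["payload is not base64url-encoded JSON"]
    problems = []
    if claims.get("token_use") != "id":
        problems.append(f"token_use is {claims.get('token_use')!r}; the authorizer needs 'id'")
    if claims.get("iss") != EXPECTED_ISS:
        problems.append("iss does not match the configured user pool")
    if claims.get("aud") != APP_CLIENT_ID:
        problems.append("aud does not match the app client id")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems
```

Access tokens carry `client_id` and `token_use: "access"` instead of `aud` and `token_use: "id"`, which is why only the id token from a user pool sign-in satisfies the authorizer.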