4

I've been able to obtain an Access Token for my AWS Cognito user (using this). But I cannot figure out how to generate an authenticated request with it for an API Gateway with a Cognito authorizer. Can someone please share a sample snippet?

KiteCoder
amit
  • As answered by bwinant, it's enough to add your access token in the Authentication header of the request. From your question I suppose that you have configured the Cognito User Pool to generate an access token. Is that correct? I don't understand whether you have already configured API Gateway or whether it's part of the question. – Nypar Aug 08 '18 at 15:23
  • 1
    I've already configured it. I get the token, but attempting to send it in the header does not work for me. Hence I was hoping for some example code showing how to put it in the header. Maybe I'm doing it wrong. – amit Aug 08 '18 at 17:01

3 Answers

2

The problem should be in the API Gateway and Cognito User Pool configuration. You could use the ID token instead of the access token in the request header, and it should work if API Gateway and the Cognito User Pool have a basic configuration.

If you prefer to use the access token, you must check some details in the configuration of API Gateway and the Cognito User Pool: there must be a Resource Server in Cognito, and at the same time OAuth Scopes must be defined in the Method Request of API Gateway, consistent with the Resource Server. You can find a good explanation of this configuration in this question: AWS API Gateway - using Access Token with Cognito User Pool authorizer?

I suggest this last approach, using the access token.

As for the request header, it's enough to put 'Authorization': YOUR_ACCESS_TOKEN. Check that you added 'Authorization' in Token Source when you created the Authorizer in API Gateway.

Nypar
1

Put the access or id token obtained from the Cognito user pool in the Authentication header when making an API Gateway request

Brian Winant
0

My answer assumes that you have Cognito Authorizer, not Lambda Authorizer. When you create the Cognito Authorizer, you give the name of the authorization token in the Token Source field. For example, auth_token.

To call the API resource to which the authorizer is screwed, you need the IdToken of the user who is currently logged in.

With the help of lambda functions, you can organize user login with obtaining IdToken, AccessToken, and RefreshToken. IdToken and AccessToken don't live long. You can make a lambda function that sends a RefreshToken to the User Pool and gets back the fresh IdToken in response. Read more about all this stuff here.

So, you have a fresh IdToken, as well as the name of the token that the Cognito authorizer requires. In my example, it is auth_token.

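import json

import requests

# The header name must match the Token Source set on the Cognito authorizer.
CustomHeader = {'auth_token': "very-long-id-token"}
r = requests.post(
    "https://xxx.execute-api.us-east-1.amazonaws.com/beta/user/function-for-auth-users-only",
    data=json.dumps({"whatever_you_need": "your_value"}),
    headers=CustomHeader,
    timeout=10)  # do not hang forever if the endpoint is unreachable
print(r.json())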
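A local pre-flight check for the token-type mismatch the answers above describe (ID token for a basic configuration, access token when the Method Request defines OAuth Scopes). It is an added example, not code from any answer on this page. The function names are hypothetical, the sample tokens are constructed and unsigned, and the payload is decoded without signature verification, so this is only a diagnostic and does not replace the authorizer's own validation.

```python
import base64
import json
import time


def _b64url(data: dict) -> str:
    raw = json.dumps(data).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration only."""
    return ".".join([_b64url({"alg": "none"}), _b64url(claims), "sig"])


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def preflight(token, method_scopes=(), now=None):
    """Return reasons a Cognito authorizer would likely reject this token."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    use = claims.get("token_use")  # Cognito sets this to "id" or "access"
    if method_scopes:
        # Method Request defines OAuth Scopes: an access token with a matching scope is needed.
        if use != "access":
            problems.append("method has OAuth scopes but token_use is %r" % use)
        elif not set(claims.get("scope", "").split()) & set(method_scopes):
            problems.append("access token carries none of the method's scopes")
    elif use != "id":
        # No scopes on the method: the basic configuration expects the ID token.
        problems.append("method has no OAuth scopes but token_use is %r" % use)
    return problems


def auth_headers(token, token_source="Authorization"):
    """The header name must equal the authorizer's Token Source field."""
    return {token_source: token}
```

An empty list from `preflight` means the token type, expiry and scopes are consistent with the method configuration you passed in; pass the result of `auth_headers` as `headers=` to `requests`.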