6

A simple API endpoint with a Cognito User Pool Authorizer fails when using the Authorizer Test button (or using Postman/Insomnia) with a valid token (screenshot below):


I know the token is valid, as I can make a successful call to the Cognito user pool user-info endpoint using the same token and get the desired response back. Also, removing the authorizer (setting it to None) returns the desired response as well. I've tried both with and without `Bearer ...`. I've also tried to change the Authorization Token source to `method.request.header.Authorization`, as I found in some older question, but immediately after saving it changes it back to `Authorization`, while `method.response.header.Authorization` doesn't seem to work either. The API was deployed through a CloudFormation stack.

mim
  • #NeverMind! Found the solution! And #GOSH, the reason: BAD DOCUMENTATION! AWS! No matter how awesome your APIs are, if your docs suck it's a waste! Like my whole day that was wasted figuring this out! – mim Mar 29 '19 at 23:30
  • You should answer your own question so others who run into the same problem can get the solution. – Ninad Gaikwad Mar 30 '19 at 01:57
  • @NinadGaikwad, sorry, I should have mentioned: I'm writing documentation that explains how to solve the problem and will link it here once it's ready (+ a TLDR!). – mim Mar 30 '19 at 04:47

4 Answers

8

I'm writing a complete guide to this issue, as the documentation is lacking and it's not easy to find the right information for such a simple task, but it may take a few days, so until then I'll post a short answer here, and once (hopefully) I finish the guide I'll update this answer:

My problem was that I was using the access_token, but I had to use the identity_token! The other problem is that none of the OAuth2 tools available (like the Auth modules of Postman and Insomnia) return or use the identity_token; they don't even show the token! And although it is in the OAuth2 specs, nobody's using it (except Cognito!)...

So I made some changes to the Insomnia source-code of the OAuth2 module and used the correct token, then it started working!

I'm going to make a PR to Insomnia, and if it goes through the feature may become available in the next releases; otherwise, I'll make my packaged binary available so people can use it, since otherwise it's a nightmare to get tokens from AWS!

mim
  • identity_token is not in OAuth2 spec, it is in the OpenID Connect (OIDC) spec, so if those providers are not OIDC providers, then they will not return an id_token. – LLL May 19 '19 at 07:28
  • @LLL OIDC is built on top of OAuth2; for the most part they are very similar. To solve the above issue for everyone who may be using Insomnia to make queries to OIDC-protected endpoints, I'm making a PR to the OAuth2 module in the Insomnia project (hopefully this week) so it lets the user choose which token to use. – mim May 22 '19 at 17:14
  • Thanks for this answer, I was struggling with the same issue. – Samy Jun 19 '19 at 15:44
2

If your API methods do not have OAuth scopes: you must use ID tokens. If your API methods have OAuth scopes: you must use access tokens.

The test method always uses an ID token. So, to use this in Postman, add an OAuth scope to your API methods.

From: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html

With the COGNITO_USER_POOLS authorizer, if the OAuth Scopes option isn't specified, API Gateway treats the supplied token as an identity token and verifies the claimed identity against the one from the user pool. Otherwise, API Gateway treats the supplied token as an access token and verifies the access scopes that are claimed in the token against the authorization scopes declared on the method.

DVM
1

Strange, but I thought I had a similar issue. I was aware that there are two tokens in the response, and I was trying both, and neither of them was working.

After reading so many things around the internet, nothing was working.

I went to the API Gateway user interface, clicked on the authorizer, then Edit, and hit Save. AND VOILÀ, it works. Strange; maybe it will help someone else too.

Duba
0

I had the same issue, and I tried both id_token and access_token as well, but it didn't work.

Also tried to redeploy my stack, but didn't work.

I'm using AWS CDK to deploy my stack.

My solution was to go to the user interface, click on the authorizer -> Edit -> Save without changes. Then I ran the "Test" and it worked.

Don't forget to deploy it. I forgot, and spent hours debugging why it was working in the Test method but not working using Postman.

Duba