
The doc here says, you can connect with AWS API gateway with either the access token or the idToken issued by the cognito.

I am using amazon-cognito-identity-js for one of my Angular project. Once I login, I receive three tokens viz. accessToken, idToken and refreshToken which the sdk stores to the local storage.

Using the idToken as the Authorization header in the subsequent call successfully provides me data from the API gateway integration method, while if I use accessToken I receive a 401-Unauthorised and the response header says: x-amzn-errortype: UnauthorizedException

Can the access token not be used for the above purpose? I am fine with using idToken, except that there are known issues in invalidating the idToken even after cognito.user.signOut or even globalSignOut as explained here.

Can someone suggest why the access token might not be working?

Saurabh Tiwari

1 Answer


You can use the access token against an API endpoint if you are validating any custom scopes. In other words, if you haven't defined any custom scopes for your app client, you will use the id token to call the API endpoint. Otherwise, you can use an access token to validate any custom scopes.

Hope this helps.

Reference:

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token

Arun Kamalanathan
  • Thanks for the link. Now, I have around 100 methods configured on the gateway. Do I have to scope each one of them separately? – Saurabh Tiwari Jan 21 '20 at 05:30
  • Unfortunately yes. If you don't want to scope out each API method, alternatively you can write a lambda function to be used as a custom authorizer and validate the JWT token scopes inside the lambda function. If you find a better way let me know as well ;) I also have a few hundred API methods. – Arun Kamalanathan Jan 21 '20 at 05:38
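The Lambda custom authorizer suggested in the comments above, as an added example (not code from the answer or from AWS): it decodes the token's claims, rejects anything that is not a Cognito access token (`token_use` must be `"access"`, since only access tokens carry a `scope` claim), checks expiry, and looks up the scope a route needs in a hypothetical `SCOPE_BY_METHOD` map. It assumes the token's signature and issuer have already been verified against the user pool's JWKS (for example with the aws-jwt-verify library); that step is deliberately left out so the example runs offline.

```javascript
// Hypothetical route -> required custom scope map (one entry per API method).
const SCOPE_BY_METHOD = {
  "GET /orders": "orders/read",
  "POST /orders": "orders/write",
};

const b64urlDecode = (s) =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
const b64urlEncode = (o) =>
  Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

// Payload only. ASSUMPTION: signature, issuer and client_id were verified earlier
// against the Cognito user pool JWKS; this function does not verify anything.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(b64urlDecode(parts[1]));
}

function buildPolicy(principalId, effect, methodArn) {
  return {
    principalId,
    policyDocument: {
      Version: "2012-10-17",
      Statement: [{ Action: "execute-api:Invoke", Effect: effect, Resource: methodArn }],
    },
  };
}

// routeKey is "METHOD /path"; methodArn is the API Gateway method ARN from the event.
function authorize(jwt, routeKey, methodArn, now = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(jwt);
  const who = claims.sub || "anonymous";
  // An id token (token_use = "id") has no scope claim, so it can never satisfy a scope check.
  if (claims.token_use !== "access") return buildPolicy(who, "Deny", methodArn);
  if (typeof claims.exp !== "number" || claims.exp <= now) return buildPolicy(who, "Deny", methodArn);
  const required = SCOPE_BY_METHOD[routeKey];
  const granted = (claims.scope || "").split(" ");       // space-separated, as Cognito issues it
  const effect = required && granted.includes(required) ? "Allow" : "Deny";
  return buildPolicy(who, effect, methodArn);
}

// Constructed, unsigned test fixture (empty signature); never accept such a token in production.
function makeUnsignedToken(payload) {
  return `${b64urlEncode({ alg: "none", typ: "JWT" })}.${b64urlEncode(payload)}.`;
}

// Lambda REQUEST authorizer entry point (hypothetical event shape: headers, httpMethod, path, methodArn).
async function handler(event) {
  const raw = (event.headers && (event.headers.authorization || event.headers.Authorization)) || "";
  return authorize(raw.replace(/^Bearer /, ""), `${event.httpMethod} ${event.path}`, event.methodArn);
}
```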