
How do you resolve "token does not have a valid audience" by adding the correct audience to the AWS authorizers?

The following snippet from the YAML config returns "token does not have a valid audience" once I use the Authorization header with a valid JWT.

Auth:
  DefaultAuthorizer: JwtAuthentication
  Authorizers:
    JwtAuthentication:
      IdentitySource: $request.header.Authorization
      JwtConfiguration:
        audience:
          - my-audience
        issuer: !Sub https://cognito-idp.${AWS::Region}.amazonaws.com/${OperationsUserPool}

1 Answer


Once I decoded the JWT generated from my lambda

// Cognito admin auth flow; params carries UserPoolId, ClientId, AuthFlow and AuthParameters
const login = await cognitoidentityserviceprovider
        .adminInitiateAuth(params)
        .promise();

I noticed that the audience was the App Client Id, but I wasn't sure how to obtain that audience. It turns out it's the Ref for your AWS::Cognito::UserPoolClient.

You can find more info here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthflowsuserpoolclient

Auth:
  DefaultAuthorizer: JwtAuthentication
  Authorizers:
    JwtAuthentication:
      IdentitySource: $request.header.Authorization
      JwtConfiguration:
        audience:
          - !Ref OperationsUserPoolClient
        issuer: !Sub https://cognito-idp.${AWS::Region}.amazonaws.com/${OperationsUserPool}

Hope this helps someone!
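As an added example, not part of the original question or answer, the script below decodes a JWT's claims without verifying the signature and applies the same issuer and audience comparison the authorizer config above expresses, so the mismatch can be reproduced locally before redeploying. The client id, issuer and tokens are constructed placeholders. It also accepts a `client_id` claim in place of `aud`, since Cognito access tokens carry `client_id` rather than `aud` and API Gateway's JWT authorizer validates either; the signature check against the pool's JWKS is deliberately left out, so this is a diagnostic, not an authorizer.

```python
import base64
import json

# All values below are constructed for this example; they are not from the original post.
CLIENT_ID = "1h57kf5cpq17m0eml12EXAMPLE"  # what !Ref OperationsUserPoolClient would resolve to
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with an empty signature, purely to exercise the checks below."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature (diagnostic use only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, audiences: list, issuer: str) -> tuple:
    """Mirror the issuer and audience checks of the JwtConfiguration block.
    The aud claim may be a string or a list. Cognito access tokens carry
    client_id instead of aud; API Gateway accepts either, so do the same."""
    claims = decode_claims(token)
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud", claims.get("client_id"))
    if aud is None:
        return False, "token has neither aud nor client_id"
    presented = aud if isinstance(aud, list) else [aud]
    if not any(a in audiences for a in presented):
        return False, "token does not have a valid audience"
    return True, "ok"


# Constructed tokens shaped like a Cognito ID token and access token
ID_TOKEN = make_unsigned_token(
    {"iss": ISSUER, "aud": CLIENT_ID, "token_use": "id", "sub": "user-1"}
)
ACCESS_TOKEN = make_unsigned_token(
    {"iss": ISSUER, "client_id": CLIENT_ID, "token_use": "access", "sub": "user-1"}
)


if __name__ == "__main__":
    # The original config: a made-up audience string rejects the real token
    print(check_token(ID_TOKEN, ["my-audience"], ISSUER))
    # The fix: the audience is the user pool client id
    print(check_token(ID_TOKEN, [CLIENT_ID], ISSUER))
    print(check_token(ACCESS_TOKEN, [CLIENT_ID], ISSUER))
```

Paste a real ID token from `adminInitiateAuth` into `check_token` with the audience list from your template to see which claim is failing; if the `iss` line trips, compare the region and pool id in the template's `!Sub` against the token.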