Clive Sargeant

Reputation: 652

AWS ApiGateway cognito user pool authorization works without required id token

I am learning to use Cognito, Lambda, DynamoDB and API Gateway and am confused by the following:

I have set up an API Gateway authorizer using my Cognito user pool. Testing it in the Authorizer window using an ID token to authorize works. I then set the Authorization of the POST method execution to use this authorizer, requiring an HTTP Authorization request header. If I then test the POST method in the API Gateway console, it works even though I do not input the required Authorization header value (ID token)! Is this correct? I would have thought that it would fail without the ID token! Testing in Postman and from my web app fails as expected if I don't include the ID token.

Why does it work without the ID token in the API Gateway console?

Upvotes: 0

Views: 263

Answers (2)

Bob Kinney

Reputation: 9020

As noted on the AWS Forums, test invoke does not test your method's authorization mechanism.

Upvotes: 1

UXDart

Reputation: 2620

I think the console bypasses the authoriser; it is there to test the Lambda method, not the authoriser.

Upvotes: 2
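Because test invoke does not exercise the authorizer, a passing console test says nothing about whether a method is protected. The following is an added example, not part of the original question or answers: it audits method settings in JSON shaped like the output of `aws apigateway get-resources --rest-api-id <id> --embed methods`. The sample data, paths and authorizer IDs are constructed, and the function name is hypothetical.

```python
# Authorization types that require a caller identity on the method.
PROTECTED = {"COGNITO_USER_POOLS", "CUSTOM", "AWS_IAM"}

# Constructed sample in the shape returned by
# `aws apigateway get-resources --rest-api-id <id> --embed methods`.
SAMPLE = {
    "items": [
        {"id": "r0", "path": "/"},  # root resource with no methods
        {"id": "r1", "path": "/items", "resourceMethods": {
            "POST": {"httpMethod": "POST",
                     "authorizationType": "COGNITO_USER_POOLS",
                     "authorizerId": "abc123"},
            "GET": {"httpMethod": "GET", "authorizationType": "NONE"},
            # CORS preflight is normally left unauthenticated.
            "OPTIONS": {"httpMethod": "OPTIONS", "authorizationType": "NONE"},
        }},
        {"id": "r2", "path": "/admin", "resourceMethods": {
            "POST": {"httpMethod": "POST",
                     "authorizationType": "COGNITO_USER_POOLS",
                     "authorizerId": "zzz999"},
        }},
    ]
}


def unprotected_methods(resources, expected_authorizer_id=None,
                        exempt=("OPTIONS",)):
    """Return (path, verb, reason) for methods that do not enforce the
    expected authorization. `exempt` verbs are skipped (CORS preflight)."""
    findings = []
    for res in resources.get("items", []):
        for verb, method in (res.get("resourceMethods") or {}).items():
            if verb in exempt:
                continue
            auth = method.get("authorizationType", "NONE")
            if auth not in PROTECTED:
                findings.append((res["path"], verb, "no authorization"))
            elif (expected_authorizer_id
                  and auth == "COGNITO_USER_POOLS"
                  and method.get("authorizerId") != expected_authorizer_id):
                findings.append((res["path"], verb, "unexpected authorizer"))
    return findings


if __name__ == "__main__":
    for finding in unprotected_methods(SAMPLE, expected_authorizer_id="abc123"):
        print(*finding, sep="\t")
```

This checks configuration only; the behaviour of the deployed stage is still confirmed with a real request that omits the Authorization header, as the Postman test in the question does.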
