Daniel Birowsky Popeski

Reputation: 9286

Use Cognito authorizer just as a JWT translator

If the token is invalid, I don't want the request to fail with 'Unauthorized'. Instead, I still want to get the request within my lambda, albeit with no claims data, and from there, decide what to do onwards.

This means that I want the Cognito Authorizer to act just as a translator of the JWT token, when it's available and valid.

Upvotes: 0

Views: 835

Answers (1)

agent420

Reputation: 3521

You cannot use API Gateway's built-in Cognito User Pool authorizer this way. It will always return Unauthorized on invalid credentials. For your use case, you would have to use the Custom Authorizer. You can always return an Allow policy and return some claims data only on a valid token (using Enhanced context).

I must say, authorizers are not designed for this. Seems like you just want the claims data in your backend and use them if they are valid & ignore them if the token is invalid. If so, you do not need to use Authorizers for this. You can pass the token to the backend directly & write code there (same as the Custom Authorizer's code snippet) to check the validity of the JWT & extract valid claims. There are multiple third-party libraries which can make this process easy & this token verification (& claims extraction) can be done using just a few lines of code.

EDIT

To verify the token, you need to:

Here is an AWS blog with the code you want: https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/

Upvotes: 2
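The backend-side approach from the answer above, as an added example that is not part of the original answer or the linked AWS blog code: the Lambda never rejects the request, and claims are exposed only when every check passes. `ISSUER`, `CLIENT_ID`, the header name and the `verify_rs256` hook are assumptions made here; in a deployment the hook is backed by a JWT library and the user pool's JWKS.

```python
import base64
import json
import time

# Assumed values for illustration; use your own pool's issuer and app client id.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"

def _b64url(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def claims_or_none(token, verify_rs256, now=None):
    """Return the claims if every check passes, otherwise None.

    verify_rs256(kid, signing_input, signature) -> bool is a hypothetical hook
    that checks the RS256 signature against the user pool's published keys.
    """
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url(head_b64))
        claims = json.loads(_b64url(body_b64))
        if header.get("alg") != "RS256":  # refuses "none" and HMAC algorithms
            return None
        signing_input = f"{head_b64}.{body_b64}".encode()
        if not verify_rs256(header.get("kid"), signing_input, _b64url(sig_b64)):
            return None
        now = time.time() if now is None else now
        if claims["exp"] <= now or claims["iss"] != ISSUER:
            return None
        # ID tokens name the app client in "aud", access tokens in "client_id".
        key = {"id": "aud", "access": "client_id"}.get(claims.get("token_use"))
        return claims if key and claims.get(key) == CLIENT_ID else None
    except (ValueError, KeyError, TypeError, AttributeError):
        return None  # malformed token: the caller is treated as anonymous

def handler(event, context, verify_rs256=lambda kid, msg, sig: False):
    # The default hook rejects everything, so a missing verifier never yields claims.
    auth = (event.get("headers") or {}).get("Authorization") or ""
    token = auth[7:] if auth.startswith("Bearer ") else auth
    claims = claims_or_none(token, verify_rs256) if token else None
    # Decide what to do from here; this sketch only reports who the caller is.
    user = claims.get("sub") if claims else None
    return {"statusCode": 200, "body": json.dumps({"user": user})}
```

Claims from a token that failed any check are never returned, so downstream code cannot act on unverified data by accident.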
