Reputation: 1
Api gateway Cognito User Groups
I need help! I am trying manager access of api gateway by cognito.
- I create an api gateway, auth by cognito
- In cognito, I create an group with deny access to api method
- I authenticated by cognito, and return group in idToken
PROBLEM: I still can access this api, why? How Cognito auth work in api gateway?
Upvotes: 0
Views: 1152
Answers (1)
Reputation: 452
up until dec-2017 cognito user pools authorization method was actually performing authentication and not authorization. There were no granular entitlements available and any authenticated user (presenting identity token) could invoke an endpoint resource protected with cognito user pool. For actual authorization (granular entitlements) you had to use either IAM or custom authorizers.
As per this announcement Cognito can now also pass access tokens with oauth 2 scopes. I personally haven't tried this one yet but I believe this should solve your question.
Upvotes: 1
Related Questions
- AWS API Gateway: Authorize Cognito user groups
- Authenticate users in AWS Api Gateway with Cognito
- Amazon API Gateway authorization AWS_IAM
- How to access the AWS APIGateway based on the cognito user pool group roles
- AWS Cognito and AWS Api Gateway authorizations of users application
- AWS API Gateway: API available for authenticated and guest users only
- AWS Cognito Groups and AWS Api Gateway
- AWS Cognito and API Gateway Authentication
- Cognito Groups with IAM Permissions
- AWS API Gateway - get Cognito user groups to custom authorizer