AWS API Gateway - using Access Token with Cognito User Pool authorizer?

Question

I am configuring an app with various frontends (mobile and web apps) and a single API backend, powered by Lambda and accessed via AWS API Gateway.

As I'm planning to use Cognito to authenticate and authorize users, I have set up a Cognito User Pool authorizer on my API Gateway and several API methods.

With an architecture like this, it seems logical that my apps (e.g. an iOS or Vue.js app) are the Client applications from an OAuth perspective, and my API Gateway backend is a Resource Server. Based on this Auth0 forum post it seems clear that I should therefore use an ID token in my client app, and pass an Access Token to authorize my API Gateway resources.

When I hit the Cognito /oauth2/authorize endpoint to get an access code and use that code to hit the /oauth2/token endpoint, I get 3 tokens - an Access Token, an ID Token and a Refresh Token. So far so good, as I should have what I need.

This is where I've run into difficulties - using the test function on the API Gateway Cognito User Pool Authorizer console, I can paste in the ID token and it passes (decoding the token on-screen). But when I paste in the Access Token, I get 401 - unauthorized.

In my Cognito setup, I have enabled Authorization Code Grant flow only, with email and openid scopes (this seems to be the minimum allowed by Cognito as I get an error trying to save without at least these ticked).

Do I need to add some specific scopes to get API Gateway to authorize a request with the Access Code? If so, where are these configured?

Or am I missing something? Will API Gateway only allow an ID token to be used with a Cognito User Pool Authorizer?

Answer 1

If anyone was curious how to accomplish this in CDK, here’s how I managed to create an API that accepts an auth token as part of the Authorization header. There's some good information above on how it works conceptually. As the AWS CDK documentation was inevitably lacking, I figured out the CDK way by looking for constructs that mapped to the concepts mentioned above and iteratively adding the right constructs to the api and user pools.

Create a user pool

const userPool = new cognito.UserPool(this, "****");

Create a resource server and scopes. These scopes will be important later when assigning custom scopes to api methods. Identifier - AWS recommends using the domain name

const apiScope = new cognito.ResourceServerScope({
  scopeName: '**',
  scopeDescription: '**'
});

const userServer = userPool.addResourceServer('**', {
  identifier: props.subdomain,
  scopes: [apiScope]
});

Create a hosted UI domain. Users will log into the Hosted UI to get an auth code to use in the auth code authentication flow and receive id/access tokens.

userPool.addDomain('**', {
  cognitoDomain: {
    domainPrefix: '**',
  },
});

Create the client, configure the desired auth flows, and assign the oauth scopes you want to allow for users.

const userPoolClient = userPool.addClient('**', {
  authFlows: {
    adminUserPassword: true
  },
  supportedIdentityProviders: [
    cognito.UserPoolClientIdentityProvider.COGNITO
  ],
  oAuth: {
    flows: {
      authorizationCodeGrant: true,
      implicitCodeGrant: true
    },
    scopes: [
      cognito.OAuthScope.resourceServer(userServer, apiScope),
      cognito.OAuthScope.OPENID,
      cognito.OAuthScope.COGNITO_ADMIN
    ]
  },
  refreshTokenValidity: Duration.days(10)
});

You can deploy the app at this point and see the scopes in the AWS console under User Pools -> User Pool Name -> App Integration -> App client list -> App client name -> Hosted UI -> Custom Scopes. Scopes are a combination of the resource server id and the scope name.

Create a Cognito user pools authorizer for the user pool

const authorizer = new apigateway.CognitoUserPoolsAuthorizer(this, '**', {
  cognitoUserPools: [userPool]
});

Add authorizer to the appropriate method of your API. Make sure to add the correct authorization scopes.

const api = new apigateway.RestApi(this, '***', {
  ...options
});
const resource = api.root.addResource('resource');

resource.addMethod('POST', integration, {
  authorizer,
  authorizationScopes: [
    <scope names>
  ]
});

Adding the correct authorization scopes was crucial, and where I got tripped up for a while. This needs to match at least one of the custom resource server scopes created above.

Answer 2

For those looking for an answer and are not using OAuth and are deploying using Serverless framework:

What worked for me to make APGW accept accessToken was to modify my serverless.yml file as follows:

functions:
  my-function:
    handler: path to source file
    events:
      - http:
          path: my-function
          method: post
          cors: true
          authorizer:
            type: COGNITO_USER_POOLS
            scopes:
              - YOUR SCOPE HERE <- THIS IS THE TRICK
            authorizerId:
              Ref: ApiGatewayAuthorizer

The value of the scope can be found by reading the contents of your accessToken (for by pasting the token into https://jwt.io/ debugger).

Answer 3

You can use an access token with the same authorizer that works for the id token, but there is some additional setup to be done in the User Pool and the APIG.

Even when this extra setup is done you cannot use the built-in authorizer test functionality with an access token, only an id token. Typical 80% solution from AWS!

To use an access token you need to set up resource servers in the User Pool under App Integration -> Resource Servers it doesn't matter what you use but I will assume you use <site>.com for the Identifier and you have one scope called api.

No go to the method in APIG and enter the Method Request for the method. Assuming this is already set up with an authorizer tested with the id token, you then add <site>.com/api to the Settings -> OAuth Scopes section.

Just by adding the OAuth Scope it will make sure that the token now has to be an access token and an id token is no longer accepted.

This is detailed here: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html

Answer 4

Yes, API Gateway will only use idToken to Authorize.

After user enters correct credentials, Access Code is provided by Identity provider authorizing that the user entered correct credential and this access code is used by client just to get you idToken and refreshToken from /oauth2/token endpoint for that given user. All your further calls would only use idToken in Authorization header.

Even that access code expires after you retrieve you user tokens.