D-Dᴙum

Reputation: 7890

API Gateway Authorizer Accepts ID_token But Not Access_Token

I am using API Gateway and an Authorizer to control access to a folder in an S3 bucket. The Authorizer is configured to use a Cognito User Pool. This user pool has the OAuth scopes phone and email associated with it, and also a custom scope which I intend to use to grant read access to the S3 bucket.

I am finding, however, that the Authorizer will only accept the ID token to grant access and returns unauthorized if I pass the access token. According to the Amazon docs it should be possible to use an access token.

I have followed the direction given here when requesting an access token, so for example I set up the auth variable like so:

// Cognito hosted-UI auth configuration; '<removed>' stands in for the real values
var authData = {
    ClientId : '<removed>',
    AppWebDomain : '<removed>',
    // Requested scopes: the standard ones plus the custom resource-server scope
    TokenScopesArray : ['openid', 'email', 'domain.com/content/content.read'],
    RedirectUriSignIn : '<removed>',
    RedirectUriSignOut : '<removed>'
};

I had assumed that an access token would be all that I required, and that this was its purpose, but I cannot get it to work.

Upvotes: 12

Views: 3772

Answers (2)

Sudhakar Naidu

Reputation: 254

To make access_token work with GW API:

Cognito user pool OAuth 2.0 settings are as follows:


Use the following settings in Gateway API method execution:


Upvotes: 0

thomasmichaelwallace

Reputation: 8464

If you want to use API Gateway with an access token you have to jump through a few extra hoops.

For full details take a look at "Integrate an API with a User Pool", especially the section on configuring a COGNITO_USER_POOLS authorizer on methods.

Specifically, from the Method Request's Settings > Authorization:

  • Choose the pencil icon next to OAuth Scopes.

  • Type one or more full names of a scope that has been configured when the Amazon Cognito user pool was created. For example, following the example given in Create an Amazon Cognito User Pool, one of the scopes is com.hamuta.movies/drama.view. Use a single space to separate multiple scopes.

  • To save the setting, choose the check mark icon.

Upvotes: 8
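To make the behaviour in the question and the fix in this answer concrete, here is an added example (not code from the question, the answers, or AWS) that mirrors the documented COGNITO_USER_POOLS rule: with no OAuth scopes on the method, API Gateway treats the bearer token as an ID token and checks its `aud`; with scopes configured, it treats it as an access token and requires at least one matching entry in its `scope` claim. The tokens, client id and scope names are constructed; signature and JWKS verification, which the real authorizer performs, are omitted here as a stated simplification.

```javascript
// Added example: claim-level model of the COGNITO_USER_POOLS authorizer decision.
// Assumption: the real authorizer also verifies the RS256 signature against the
// user pool's JWKS; this example only inspects the decoded claims and expiry.

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed, unsigned tokens with the claim shapes Cognito issues.
const CLIENT_ID = "example-app-client-id"; // placeholder, not a real app client id
const ID_TOKEN = [
  b64url({ alg: "RS256", kid: "k1" }),
  b64url({ token_use: "id", aud: CLIENT_ID, email: "user@example.com", exp: 4102444800 }),
  "sig",
].join(".");
const ACCESS_TOKEN = [
  b64url({ alg: "RS256", kid: "k1" }),
  b64url({ token_use: "access", client_id: CLIENT_ID,
           scope: "openid email domain.com/content/content.read", exp: 4102444800 }),
  "sig",
].join(".");

// Decode the payload segment (base64url -> JSON) without trusting the signature.
// Useful on its own: check token_use to see which token your client actually sent.
function decodePayload(jwt) {
  const seg = jwt.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(seg, "base64").toString("utf8"));
}

// methodScopes: OAuth scopes configured on the API Gateway method ([] = none).
function authorizerDecision(jwt, methodScopes, clientId) {
  const c = decodePayload(jwt);
  if (c.exp !== undefined && c.exp * 1000 < Date.now()) return "unauthorized: expired";
  if (methodScopes.length === 0) {
    // No scopes on the method: the token is treated as an ID token for this client.
    return c.token_use === "id" && c.aud === clientId
      ? "allow" : "unauthorized: expected id token";
  }
  // Scopes configured: an access token carrying at least one of them is required.
  const granted = (c.scope || "").split(" ");
  const ok = c.token_use === "access" && methodScopes.some((s) => granted.includes(s));
  return ok ? "allow" : "unauthorized: access token with a matching scope required";
}
```

Running `authorizerDecision(ACCESS_TOKEN, [], CLIENT_ID)` reproduces the question's symptom, and adding the custom scope to `methodScopes` is the configuration step this answer describes.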
