pb123

Reputation: 91

AWS Cognito - using scopes in authorizing access to api gateway

I have set up a Cognito user pool so that I can use it to authorize access to an API Gateway. It uses OAuth2 and the flow I'm using is: Authorization Code Grant, Scopes: email, openid and profile, Allowed Custom Scopes: product-api/read_product, product-api/create_product, product-api/delete_product

I use the boto3 admin_initiate_auth command to connect to the user pool:

    import boto3

    # Cognito Identity Provider client; the region must match the user pool's region
    idpclient = boto3.client('cognito-idp')

    response = idpclient.admin_initiate_auth(
        UserPoolId=USERPOOLID,
        AuthFlow='ADMIN_NO_SRP_AUTH',
        AuthParameters={
            'USERNAME': USERNAME,
            'PASSWORD': PASSWORD,
            # base64(HMAC-SHA256(key=app client secret, msg=username + app client id))
            'SECRET_HASH': SECRET_HASH
        },
        ClientId=APPCLIENTID
    )
    # tokens are returned under response['AuthenticationResult']

and the response I receive is a JSON object with several fields, which include access_token, refresh_token, etc.

But when I use the access_token to access the API Gateway, I get a 401 error: Unauthorised. Looking into the access_token, it looks like the custom scopes have not been added.

Could you advise why the custom scopes have not been added to the access_token and how do I get the custom scopes added?

The API Gateway has a Lambda authorizer added.

Upvotes: 4

Views: 13712

Answers (1)

Gary Archer

Reputation: 29283

Usually you have to specify the scopes in 2 places:

  • The OAuth client entry for the client application in the Cognito section of the AWS console

  • The code requesting a token - I have always implemented this in a standards-based manner, whereas you are using an AWS-specific solution

Looks like what you want may not be supported via admin_initiate_auth: Include user details in AWS Cognito OAuth2 token

If your client application is a web UI then the standards-based solution will do what you want.

I've tested my Cognito single-page app sample with custom scopes - you can run it here: https://authguidance.com/home/code-samples-quickstart

Not sure if this type of solution will work for you though...

Upvotes: 2
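To make the answer's "two places" concrete, here is an added example (not code from the question, the answer, or the linked sample): it builds the standards-based Authorization Code Grant request to the Cognito hosted UI with the custom scopes included, and shows how a Lambda authorizer would check the `scope` claim of an access token. The hosted UI domain, client id, redirect URI and the sample claims are constructed placeholders, and `missing_scopes`/`authorizer_decision` assume the JWT's signature, issuer and expiry were already verified against the user pool's JWKS.

```python
import secrets
from urllib.parse import urlencode

COGNITO_DOMAIN = "https://example-domain.auth.us-east-1.amazoncognito.com"  # placeholder
CLIENT_ID = "EXAMPLE_APP_CLIENT_ID"                                         # placeholder
REDIRECT_URI = "https://app.example.com/callback"                           # placeholder
CUSTOM_SCOPES = ["product-api/read_product", "product-api/create_product"]


def build_authorize_url(client_id, redirect_uri, scopes, state):
    """Authorization Code Grant request to the hosted UI (/oauth2/authorize).
    Custom scopes must be allowed on the app client in the console AND
    requested here; otherwise they never appear in the access token."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(["openid", "email", "profile"] + scopes),
        "state": state,  # anti-CSRF value, checked on the callback
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def missing_scopes(claims, required):
    """Required scopes absent from the token's space-separated `scope` claim.
    `claims` must come from a JWT already verified against the pool's JWKS."""
    granted = set(claims.get("scope", "").split())
    return sorted(s for s in required if s not in granted)


def authorizer_decision(claims, required):
    """Lambda-authorizer style allow/deny: only access tokens carry scopes
    (token_use == 'access'), and every required scope must be present."""
    if claims.get("token_use") != "access":
        return "Deny"
    return "Allow" if not missing_scopes(claims, required) else "Deny"


# Constructed sample claims: the first mirrors what the question reports for an
# admin_initiate_auth token (built-in scope only, no custom scopes); the second
# is a token from the hosted-UI code flow with the custom scopes requested.
ADMIN_AUTH_CLAIMS = {"token_use": "access", "scope": "aws.cognito.signin.user.admin"}
CODE_FLOW_CLAIMS = {"token_use": "access",
                    "scope": "openid email profile product-api/read_product product-api/create_product"}

if __name__ == "__main__":
    print(build_authorize_url(CLIENT_ID, REDIRECT_URI, CUSTOM_SCOPES, secrets.token_urlsafe(16)))
    print(authorizer_decision(ADMIN_AUTH_CLAIMS, ["product-api/read_product"]))  # Deny
    print(authorizer_decision(CODE_FLOW_CLAIMS, ["product-api/read_product"]))   # Allow
```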
