Francisco Arias

Reputation: 732

adding serverless apis as a resource server AWS cognito AWS api gateway

Hello, I'm using serverless APIs with AWS API Gateway (Lambda proxy), Go, and AWS Cognito.

    # serverless.yml (fragment). The function wrapper and handler path are
    # assumed here so the fragment is a complete, deployable unit.
    functions:
      myendpoint:
        handler: bin/myendpoint        # assumed: compiled Go binary
        events:
          - http:
              path: myendpoint
              method: get
              cors: true
              authorizer:
                name: my-authorizer
                arn: {COGNITO_POOL_ARN}  # placeholder: the Cognito user pool ARN

    plugins:
      - serverless-domain-manager

    custom:
      customDomain:
        domainName: mydomain.com
        basePath: mybasepath
        stage: ${self:provider.stage}
        createRoute53Record: true

This allows me to make requests using the ID token to mydomain.com/mybasepath/myendpoint. I want to make it more standard and use access tokens.

It won't take the access token; the API Gateway authorizer bounces it.

I added this as a Resource Server in the Cognito user pool settings:

(screenshot: resource server setup)

In the App client settings I checked the resource for the app client:


I log out, create a new session for the user with new tokens, and I get a 401 Unauthorized. I think I'm following the documentation correctly as it is here; maybe I'm missing something else, or perhaps because it is a serverless API a different setup is needed.

Any help or guidance is fully appreciated.

Upvotes: 1

Views: 1077

Answers (1)

Andrew Gillis

Reputation: 3895

If you just want to secure your API with Cognito, there is no need to create scopes. Scopes don't grant authorizations to a user, they grant them to applications.

API Gateway Cognito Authorizer operates in basically three modes:

  1. Allow either ID Token or Access Token (No token validation set & no scope set on the resource)
  2. Allow ID Token (Token validation set to the aud claim/application ID & no scope set on the resource)
  3. Allow Access Token (Token validation not set, scope set on the resource)

This is a consequence of the following in each case:

  1. Both ID tokens & Access tokens are signed by Cognito signing keys so the authorizer can't tell them apart.
  2. Only ID tokens contain the aud (audience) claims to perform the token validation against.
  3. Only Access tokens include the scope claims to perform validation against.

Hope that clears things up. Don't get too hung up on scopes unless you know what you are using them for.

Upvotes: 3
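The three modes in the answer above come down to which claims each token type carries: Cognito ID tokens carry `aud` (the app client ID) and `token_use: "id"`, while access tokens carry `client_id`, `token_use: "access"` and a space-separated `scope` claim. The Go program below, an added example that is not part of the question, the answer, or any AWS code, reproduces that decision logic against two constructed sample tokens. The tokens, the app client ID `1example23456789` and the scope `myapi/read` are assumptions for illustration. The sample tokens are not signed: this code only decodes the payload to show the claim check, whereas the real authorizer first verifies the RS256 signature against the user pool's JWKS and rejects the token before any claim is inspected.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the subset of Cognito JWT claims the authorizer decision needs.
// ID tokens populate Aud; access tokens populate ClientID and Scope.
type Claims struct {
	TokenUse string `json:"token_use"`
	Aud      string `json:"aud,omitempty"`
	ClientID string `json:"client_id,omitempty"`
	Scope    string `json:"scope,omitempty"`
}

// AuthorizerConfig mirrors the two knobs described in the answer:
// the "Token validation" value (compared with aud) and the OAuth scopes
// configured on the API method.
type AuthorizerConfig struct {
	ExpectedAud    string   // empty = no token validation set
	RequiredScopes []string // empty = no scope set on the resource
}

// parseUnverified decodes the payload of a compact JWT WITHOUT checking the
// signature. That is deliberate for this demonstration only; a real
// authorizer must verify the signature against the pool's JWKS first.
func parseUnverified(jwt string) (Claims, error) {
	var c Claims
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return c, errors.New("not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, err
	}
	return c, nil
}

// Authorize applies the answer's three modes and returns the decision plus
// a reason a practitioner can log.
func Authorize(cfg AuthorizerConfig, jwt string) (bool, string) {
	c, err := parseUnverified(jwt)
	if err != nil {
		return false, "malformed token: " + err.Error()
	}
	// Mode 2: token validation set. Only ID tokens carry aud, so an access
	// token (client_id instead of aud) fails here even if it is valid.
	if cfg.ExpectedAud != "" && c.Aud != cfg.ExpectedAud {
		return false, "aud missing or mismatched (token_use=" + c.TokenUse + ")"
	}
	// Mode 3: scopes set on the method. Only access tokens carry scope, so
	// an ID token always fails here; an access token needs one of the scopes.
	if len(cfg.RequiredScopes) > 0 {
		granted := strings.Fields(c.Scope)
		for _, want := range cfg.RequiredScopes {
			for _, have := range granted {
				if have == want {
					return true, "scope " + want + " present"
				}
			}
		}
		return false, "required scope missing (token_use=" + c.TokenUse + ")"
	}
	// Mode 1: nothing set. Both token types are signed by the same pool keys,
	// so with no claim check either one is accepted.
	return true, "no aud or scope check configured; either token type accepted"
}

// encodeSample builds a constructed, unsigned JWT-shaped string for the demo.
func encodeSample(payload map[string]string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","kid":"sample"}`))
	body, _ := json.Marshal(payload)
	return header + "." + base64.RawURLEncoding.EncodeToString(body) + ".not-a-real-signature"
}

// Constructed sample tokens (assumed client ID and scope, not real data).
var (
	SampleIDToken = encodeSample(map[string]string{
		"token_use": "id", "aud": "1example23456789", "sub": "user-1"})
	SampleAccessToken = encodeSample(map[string]string{
		"token_use": "access", "client_id": "1example23456789",
		"scope": "aws.cognito.signin.user.admin myapi/read"})
)

func main() {
	modes := map[string]AuthorizerConfig{
		"mode1 (nothing set)":   {},
		"mode2 (aud validated)": {ExpectedAud: "1example23456789"},
		"mode3 (scope set)":     {RequiredScopes: []string{"myapi/read"}},
	}
	for name, cfg := range modes {
		idOK, idWhy := Authorize(cfg, SampleIDToken)
		acOK, acWhy := Authorize(cfg, SampleAccessToken)
		fmt.Printf("%s: id=%v (%s) access=%v (%s)\n", name, idOK, idWhy, acOK, acWhy)
	}
}
```

For the question's setup this means mode 3 is the one to configure: put the resource server's scope on the method (in serverless.yml the Cognito authorizer takes a `scopes:` list under `authorizer:`, with the identifier/scope name from the resource server), and obtain the access token with that scope requested, because an access token issued without the scope fails the same check as an ID token does.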
