Reputation: 79
I followed this AWS API Gateway doc and set up authorization for my API with a Cognito identity token. I tested my Cognito ID token in the API Gateway console, and that works: it gives me the correct values, the sub and email values are correctly retrieved from the token:
I then added the Authorizer to my Method:
But when I now test my method, still all requests go through (with or without identity token provided) when I send them from the test form in API Gateway (inside the method):
testing with no token or invalid token
I would have expected an "Unauthorized" or "Access Denied" response, instead I get 200. I also tried setting "API Key Required" in Method Request to true and required an Authorization header, but even then the request from above comes through with status 200:
setting API Key Required to true
I also added
"context" : {
"sub" : "$context.authorizer.claims.sub",
"email" : "$context.authorizer.claims.email"
}
to my mapping template, so the full template now looks like this:
{
"TableName": "myUsersTable",
"Key": {
"id": {"S": "$input.params('id')"},
"username": {"S": "$input.params('id')"}
},
"context" : {
"sub" : "$context.authorizer.claims.sub",
"email" : "$context.authorizer.claims.email"
}
}
but the log is always empty for sub and email (and the response status is still 200):
Tue Dec 29 10:35:46 UTC 2020 : Endpoint request body after transformations: {
"TableName": "myUsersTable",
"Key": {
"id": {"S": "testUser"},
"username": {"S": "testUser"}
},
"context" : {
"sub" : "",
"email" : ""
}
}
What am I doing wrong here?
Upvotes: 2
Views: 624
Reputation: 2107
For me it never worked when I tested it inside the API Gateway console. But when you use Postman, it should work (set "API Key Required" in Method Request back to false and remove the requirement for an Authorization header, then deploy your API again and test it with Postman, putting your token into the request header like this:
Your mapping template for the sub and email values seems correct, too. I think the whole Authorization validation is just skipped when you use the API Gateway console to test, but I'm not sure. Use Postman instead, then it should work.
Upvotes: 2
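As an added example (not code from the question or the answer above), here is a small Python script for checking, before you paste a token into Postman, that what you are sending is actually a Cognito ID token carrying the `sub` and `email` claims the mapping template reads via `$context.authorizer.claims.*`, and for building the request with the raw token in the `Authorization` header. The token it builds is constructed for illustration with a dummy signature; the issuer URL, `kid`, and API URL are placeholders, and it assumes the authorizer's token source is the default `Authorization` header.

```python
"""Added example, not from the original question or answer.

Decodes a Cognito JWT payload (without signature verification, which API
Gateway does for you), checks the claims the mapping template depends on,
and builds the request a client such as Postman or curl should send.
The token produced by make_constructed_id_token() is CONSTRUCTED: its
signature is a dummy, and a real one is signed by the user pool.
"""
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_id_token(sub: str, email: str, token_use: str = "id") -> str:
    """Stand-in for a Cognito token. Constructed for this example; the
    issuer/kid are placeholders and the signature is NOT valid."""
    header = {"alg": "RS256", "kid": "constructed-kid"}
    now = int(time.time())
    payload = {
        "sub": sub,
        "email": email,
        "token_use": token_use,
        # Placeholder issuer (assumed region and pool id), not a real pool.
        "iss": "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_EXAMPLE",
        "iat": now,
        "exp": now + 3600,
    }
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        _b64url(b"not-a-real-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    This is for inspecting what $context.authorizer.claims.sub / .email will
    contain once the authorizer has accepted the token; never use it to
    trust a token on the server side."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_for_authorizer(token: str, now=None) -> list:
    """List problems that would make the call fail or leave sub/email empty
    in the transformed request body."""
    problems = []
    claims = decode_claims(token)
    # Cognito puts email in the ID token, not in the access token.
    if claims.get("token_use") != "id":
        problems.append("not an ID token: email is only present in Cognito ID tokens")
    for claim in ("sub", "email"):
        if not claims.get(claim):
            problems.append(f"missing claim {claim!r}")
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def build_request(url: str, token: str) -> dict:
    """Request shape for Postman/curl: raw ID token in the Authorization
    header (assumes the authorizer's token source is 'Authorization')."""
    return {"method": "GET", "url": url, "headers": {"Authorization": token}}


if __name__ == "__main__":
    # Placeholder API URL; replace with your deployed stage URL.
    api_url = "https://example.execute-api.eu-central-1.amazonaws.com/prod/users/testUser"
    token = make_constructed_id_token("11111111-2222-3333-4444-555555555555", "user@example.com")
    print("problems:", check_for_authorizer(token) or "none")
    print("claims the template will see:",
          {k: decode_claims(token)[k] for k in ("sub", "email")})
    print("request:", json.dumps(build_request(api_url, token), indent=2))
```

Run it against a real ID token copied from your app or from the Hosted UI callback to confirm `token_use` is `id` and that `email` is present; an access token from the same sign-in will pass the authorizer but leave `$context.authorizer.claims.email` empty, which looks exactly like the empty values in the question's log.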