portatlas

Reputation: 687

AWS Cognito as an Open Id Authorizer for AWS AppSync

I need to use an AWS Cognito User Pool with the client_credentials OAuth Flow on a different AWS Account to be an authorization provider for an AWS AppSync App on a different AWS Account.

I added the Amazon Cognito Domain (test example below) to the Authorization Providers on AppSync


I was able to get a valid access token. However, when I used that token to make a request on AppSync I get the following error:

{
    "errors": [
        {
            "errorType": "UnauthorizedException",
            "message": "Valid authorization header not provided."
        }
    ]
}

Is it possible to use the Amazon Cognito Domain as the OIDC Issuer URL on AppSync in a different account? Or am I using the wrong domain?

I know this pretty much works out of the box by using the "Amazon Cognito User Pool" authorizer provider, but that only works if Cognito and AppSync are on the same account. I also got Auth0 OIDC with client_credentials to work per this doc, but would like to use Cognito on a different account if possible.

Upvotes: 1

Views: 778

Answers (1)

Andrew Gillis

Reputation: 3885

The issuer URL should look like this:

https://cognito-idp.<aws-region>.amazonaws.com/<userpool-id>

Source: https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt

Upvotes: 4
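As an added example (not from the question, the answer, or the linked AWS tool), the following shows the issuer comparison an OIDC-protected API performs on a Cognito token and why a hosted domain configured as the issuer never matches: the region, user pool id, domain and claims below are constructed sample values.

```python
import base64
import json
import time
from typing import List, Optional

# Constructed sample values; not real AWS identifiers.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
# The Cognito hosted-UI / OAuth domain that the question configured as the issuer.
HOSTED_DOMAIN = "https://myapp.auth.us-east-1.amazoncognito.com"


def expected_issuer(region: str, user_pool_id: str) -> str:
    """Issuer value that Cognito writes into the `iss` claim of every token."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token: str) -> dict:
    """Payload of a compact JWT without signature verification.
    Signature verification against the pool's JWKS (what the linked
    decode-verify-jwt tool does) must succeed before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def configured_issuer_matches(configured_issuer: str, claims: dict) -> bool:
    """Standard OIDC check: the provider's issuer URL must equal `iss` exactly."""
    return configured_issuer.rstrip("/") == claims.get("iss")


def check_access_token_claims(claims: dict, region: str, user_pool_id: str,
                              now: Optional[float] = None) -> List[str]:
    """Problems an authorizer would reject a client_credentials token on (empty = OK)."""
    problems = []
    if not configured_issuer_matches(expected_issuer(region, user_pool_id), claims):
        problems.append(f"iss mismatch: {claims.get('iss')!r}")
    if claims.get("token_use") != "access":
        problems.append("token_use is not 'access'")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token expired")
    return problems


def make_unsigned_sample(claims: dict) -> str:
    """Build a sample token with an empty signature segment, for local tests only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'constructed-kid'})}.{enc(claims)}."
```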
