Reputation: 118
How to use cognito id token as authorization header for API gateway?
I have an API http gateway (at say https://example.com) integrated with an API REST gateway which uses a Cognito authorizer. All of this to serve a single-page React application. The behaviour is as expected:
- I launch the Cognito hosted UI and sign in,
- It redirects to the url https://example.com/#id_token=123
- If I use PostMan, I can access that url if I pass that id_token in the Authorization header.
Now my question is: how can I pass the header automatically after signing in so I can visit https://example.com?
I have spent a long time on this and have found many similar posts without an answer:
- How to use the code returned from Cognito to get AWS credentials?
- How can I link cognito token and API authentication header automatically?
- AWS Cognito hosted UI returning id_token in URL
- How can I make the redirect_uri of AWS Cognito (Hosted UI) authenticated?
- Set Authorization header when redirecting client from Cognito to AWS API Gateway
- How do I handle a Cognito auth redirect for a Lambda / API Gateway for UI?
Upvotes: 1
Views: 3764
Answers (1)
Reputation: 4467
We faced the same question a couple of years ago. Our solution was creating a proxy (using API Gateway and Lambda) that "moved" the id_token (stored in a cookie) to the Authorization header for every request to the server. It was ugly, but it worked.
BTW, getting id_token in the URL is how Implicit Grant works. But Implicit Grant is generally considered less secure than Authorization Code Grant. We have since migrated from Implicit Grant to Authorization Code Grant. However, we continue to use the proxy pattern (again using API Gateway and Lambda) as follows.
- Exchange the returned
codeforaccess_tokenandid_tokenat the Cognito user pool's token endpoint. Store the tokens in a DynamoDB table withsession_cookieas the partition key. Return thesession_cookieas a cookie (withHttpOnly,SecureandSameSite=Strict) to the browser. - For each request from the browser, use the cookie to find the token in the DynamoDB table and put the token in the
Authorizationheader.
Upvotes: 0
Related Questions
- API Gateway Cognito Authorizer not authorizing Access Token but will authorize Id Token: 401 Unauthorized
- AWS API Gateway Authorizer using Cognito Identity Pool
- How to pass cognito authentication token in the headers through api gateway to a lambda function
- How can I authenticate my api gateway with cognito?
- How to generate access token for an AWS Cognito user?
- How can I pass a Cognito Principal Id to Integration Request Header with AWS API Gateway?
- access AWS API gateway using access token from identityserver
- How to pass Cognito token to Amazon API Gateway?
- Authorizing AWS API Gateway requests from token in query string
- How to call AWS API Gateway Endpoint with Cognito Id (+configuration)?