Reputation: 482
I have created a Cognito User Pool and configured it with an API Gateway. When I test the authorizer with my ID Token it is able to authorize, but I need to authorize an access token and check for a specific scope: aws.cognito.signin.user.admin
From my understanding (which may be wrong), if I set OAuth scopes, then the authorizer will read the token as an access token rather than an ID token.
I have a Method on my API with the following Authorization settings:
I have checked my JWT of the access token and confirmed it includes:
"token_use": "access"
"scope": "aws.cognito.signin.user.admin openid profile email"
When I hit the endpoint, I get a 401 message: Unauthorized
I've been digging through the AWS docs and Stack Overflow for a couple of days now and can't figure out this last piece of the authorization; any help on things to check would be greatly appreciated. Since it's my first time using this tech, I'm sure I'm just missing some simple configuration.
Upvotes: 2
Views: 2335
Reputation: 172
Solution: your API methods do not have OAuth scopes. Add an OAuth scope if you want to use the access token instead of an ID token.
With the COGNITO_USER_POOLS authorizer, if the OAuth Scopes option isn't specified, API Gateway treats the supplied token as an identity token and verifies the claimed identity against the one from the user pool. Otherwise, API Gateway treats the supplied token as an access token and verifies the access scopes that are claimed in the token against the authorization scopes declared on the method.
The Amazon docs at https://aws.amazon.com/premiumsupport/knowledge-center/cognito-custom-scopes-api-gateway/ are incorrect: the curl command does not include the Bearer prefix for the Authorization header. It also does not clarify that you MUST add OAuth scopes in your API methods.
Upvotes: 4
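The rule the answer describes (no scopes on the method: ID token expected; scopes on the method: access token carrying one of them expected) can be reproduced locally to see why the question's access token gets a 401 on an unscoped method. This is an added illustration, not code from the question, the answer or AWS; it models the decision as a simplified function, reads claims without verifying the signature (API Gateway does verify it), and uses constructed tokens with a placeholder signature.

```python
import base64
import json

# Scope the question needs the API method to require.
REQUIRED_SCOPE = "aws.cognito.signin.user.admin"

def decode_jwt_payload(token: str) -> dict:
    """Return the claims segment of a JWT. The signature is not checked here
    (API Gateway does that against the user pool's JWKS); only claims are read."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def authorize(claims: dict, method_scopes: list) -> tuple:
    """Simplified model of the COGNITO_USER_POOLS authorizer rule the answer states:
    no scopes on the method -> expects an ID token;
    scopes on the method    -> expects an access token carrying one of them."""
    token_use = claims.get("token_use")
    if not method_scopes:
        if token_use != "id":
            return False, "method declares no OAuth scopes, so an ID token is required"
        return True, "ID token accepted"
    if token_use != "access":
        return False, "method declares OAuth scopes, so an access token is required"
    granted = set(claims.get("scope", "").split())
    if granted.isdisjoint(method_scopes):
        return False, "access token carries none of the method's scopes"
    return True, "access token scope matches the method"

def check(token: str, method_scopes: list) -> tuple:
    return authorize(decode_jwt_payload(token), method_scopes)

def make_demo_token(claims: dict) -> str:
    """Constructed JWT-shaped string for the demo: not issued by Cognito, and the
    signature segment is a placeholder, so it would fail real verification."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'kid': 'demo'})}.{seg(claims)}.placeholder"

# Constructed sample tokens mirroring the claims quoted in the question.
ACCESS_TOKEN = make_demo_token({"token_use": "access",
                                "scope": "aws.cognito.signin.user.admin openid profile email"})
ID_TOKEN = make_demo_token({"token_use": "id", "cognito:username": "demo-user"})

if __name__ == "__main__":
    for name, tok in (("access", ACCESS_TOKEN), ("id", ID_TOKEN)):
        for scopes in ([], [REQUIRED_SCOPE]):
            ok, why = check(tok, scopes)
            print(f"{name} token, method scopes={scopes}: {'200' if ok else '401'} ({why})")
```

Running it prints the four combinations; the access token passes only once the method lists the scope, which is the configuration change the answer prescribes.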