AWS API-Gateway Cognito Authorizer not working with a valid Token
A simple API endpoint, with a Cognito User Pool Authorizer, when using the Authorizer Test button ( or using postman/Insomnia ) with a valid token fails ( Screenshot bellow ):
I know the token is valid as I can make a successful call to the Cognito user pool user-info end-point using the same token and get the desired response back.
Also removing the authorizer ( setting it to None ), will return the desired response as well.
I've tried both with and without Bearer ..., I've also tried to change the Authorization Token source to method.request.header.Authorization as I've found in some older Question but immediately after saving, it changes it back to Authorization, while method.response.header.Authorization doesn't seem to work either.
The API was deployed through a CloudFormation stack.
I'm writing a complete guide to this issue as the documentation is lacking and it's not easy to find the right information for such a simple task. but it may take a few days, so till then I'll post a short answer here and once ( hopefully ) I finish the guide I'll update this answer:
My problem was that I was using the access_token, but I had to use the identity_token! The other problem is that none of the OAuth2 tools available ( like Auth modules of Postman and Insomnia ) return or use the identity_token, they don't even show the token! and although it is in the OAuth2 specs, nobody's using it ( except Cognito! ),...
So I made some changes to the Insomnia source-code of the OAuth2 module and used the correct token, then it started working!
I'm going to make a PR to Insomnia and if it went through the feature may become available in next releases, otherwise, I'll make my packaged binary available so peep can use it since otherwise, it's a nightmare to get tokens from AWS!
- AWS Cloudwatch agent config file removed after startup
- AWS lambda SQS does not allow to process 1 message per 1 invocation
- How can I create a TLS/SSL connection to a mongodb instance on AWS with a certificate made by certificate manager? Health check failed
- Cloudfront redirect when signed cookies not present
- AWS Lambda and DynamoDB - updatetItem is not a function
- AWS ElasticBeanstalk EC2 Termination Protection
- Allowing AWS Cognito Users to authentication to JIRA via SAML/SSO (Domain Not found)
- Install pgAgent on AWS RDS for Postgres
- Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect)
- List all parameters in AWS SSM Parameter Store
- AWS push_down_predicate not working with DynamoDb
- localstack AWS S3 javascript error : getaddrinfo ENOTFOUND bucketname.localhost
- AWS ECS agent won't start
- AWS VPC (Virtual Private Cloud), rapidly increasing expenses
- SemaphoreCI OIDC AWS connection
- Can't delete AWS internet Gateway
- How to provide multiple StringNotEquals conditions in AWS policy?
- Not able to get ECS fargate metrics on Datadog
- 502 "Internal Server Error" with API Gateway + Lambda when deploying
- Java Springboot application not able to connect to AWS Elasticache Valkey Cache (Serverless)
- Splitting PDF with PyPDF2 in Lambda function
- "libdbus-glib-1.so.2: cannot open shared object file: No such file or directory"
- Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY
- Best way to store Firebase admin private key file for AWS lambda
- AWS Elastic Beanstalk and Secret Manager
- Unable to upload data using sagemaker_session.upload_data in s3 bucket that I created, it is getting stored in default s3 bucket
- Parse Aws IoT message in python
- How to temporarily switch profiles for AWS CLI?
- Python Sqlalchemy insert data into AWS Redshift
- Using AWS Bedrock Prompt Management with InvokeCommand