
AWS: Cognito integration with a beta HTTP API in API Gateway?


Amazon Web Services introduced a beta release of HTTP API as a new product on API Gateway early last month. Its authentication is managed using JSON Web Tokens and configured with a form asking for

  1. "Name of the Authorizer"
  2. "Identity Source... a selection expression that defines the source of the token"
  3. "Issuer URL"

I'm not very familiar with authentication protocols at all or what these form fields are asking, and currently the documentation from AWS on how to configure this to work with Cognito is sparse. I'm not totally comfortable configuring this without guidance due to my lack of experience. Another Stack Overflow user seemed to have a similar issue but didn't get an answer.


Solution

  • AWS is using JWT Bearer Grant for this purpose. Draft Specification here.

    It allows HTTP API Gateway to accept JWT Tokens in the incoming Authorization HTTP header containing a self-contained JWT access token issued by third-party authorization servers (like Cognito, Azure AD, etc).

    API Gateway validates the incoming JWT Token by matching the 'iss' value with the issuer URL to see if it can trust this token.

    Try with these values.

    • Name of the authorizer: Registered client name in your Cognito User Pool.
    • Identity Source: Leave it as default, $request.header.Authorization.
    • Issuer URL: Check the metadata URL of your Cognito User Pool (construct the URL in this format: https://cognito-idp.[region].amazonaws.com/[userPoolId]/.well-known/openid-configuration) and look for a claim named "issuer". Copy its value and paste it here.
    • Audience: Client ID of your Registered client in Cognito.

    Good Luck!

    cheers,
    ram
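The checks the answer describes (pull the token out of `$request.header.Authorization`, compare `iss` to the Cognito issuer URL, compare `aud` to the app client ID) can be reproduced offline to see what the authorizer actually enforces. The following is an added example, not code from the original question or answer and not AWS's implementation: region, user pool ID and client ID are constructed placeholders, and the token is signed with an HMAC secret only so the demo runs without a network. Real Cognito tokens are RS256-signed and the authorizer verifies them against the pool's JWKS published next to the openid-configuration document; the issuer/audience/expiry logic is the same.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values (assumptions, not from the original post).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"
DEMO_SECRET = b"demo-hmac-secret"  # demo-only HS256 key; Cognito uses RS256 + JWKS


def cognito_issuer(region, user_pool_id):
    """Issuer URL exactly as it appears under the 'issuer' key of
    https://cognito-idp.<region>.amazonaws.com/<poolId>/.well-known/openid-configuration"""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims):
    """Mint a compact JWT signed with the demo HMAC key (stand-in for Cognito)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + \
        b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def extract_token(headers):
    """Identity source $request.header.Authorization: return the bearer token or None."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def validate_token(token, expected_issuer, expected_audience, now=None):
    """Return (ok, reason). Order mirrors the authorizer: signature, iss, aud, exp."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected_sig = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        return False, "bad signature"
    claims = json.loads(b64url_decode(parts[1]))
    # Issuer must match the pool's issuer URL byte for byte (no trailing slash).
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    # ID tokens carry 'aud'; Cognito access tokens carry 'client_id' instead.
    aud = claims.get("aud", claims.get("client_id"))
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    return True, "ok"


def authorize_request(headers, region, user_pool_id, client_id, now=None):
    """Full path: header -> token -> claim checks, as the HTTP API authorizer would."""
    token = extract_token(headers)
    if token is None:
        return False, "no bearer token"
    return validate_token(token, cognito_issuer(region, user_pool_id), client_id, now)


if __name__ == "__main__":
    iss = cognito_issuer(REGION, USER_POOL_ID)
    tok = make_demo_token({"iss": iss, "aud": CLIENT_ID, "exp": int(time.time()) + 3600})
    print(authorize_request({"Authorization": "Bearer " + tok}, REGION, USER_POOL_ID, CLIENT_ID))
```

The same three values map one-to-one onto the console form: the issuer string returned by `cognito_issuer` is what goes in "Issuer URL", the app client ID is the "Audience", and the header expression is the "Identity Source". Note that the issuer comparison is exact, so copying it from the pool's openid-configuration document, as the answer suggests, avoids trailing-slash or region typos that would make every token fail with an issuer mismatch.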