发表新帖
发表新帖

AWS API Gateway - using Access Token with Cognito User Pool authorizer?

前端 未结
关注
3 993
南旧
南旧 2021-02-02 12:49

I am configuring an app with various frontends (mobile and web apps) and a single API backend, powered by Lambda and accessed via AWS API Gateway.

As I\'m planning to us

相关标签:
3条回答
  • 灰色年华
    2021-02-02 13:05

    You can use an access token with the same authorizer that works for the id token, but there is some additional setup to be done in the User Pool and the APIG.

    Even when this extra setup is done you cannot use the built-in authorizer test functionality with an access token, only an id token. Typical 80% solution from AWS!

    To use an access token you need to set up resource servers in the User Pool under App Integration -> Resource Servers it doesn't matter what you use but I will assume you use <site>.com for the Identifier and you have one scope called api.

    No go to the method in APIG and enter the Method Request for the method. Assuming this is already set up with an authorizer tested with the id token, you then add <site>.com/api to the Settings -> OAuth Scopes section.

    Just by adding the OAuth Scope it will make sure that the token now has to be an access token and an id token is no longer accepted.

    This is detailed here: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html

    0 讨论(0)
  • 太阳男子
    2021-02-02 13:13

    Yes, API Gateway will only use idToken to Authorize.

    After user enters correct credentials, Access Code is provided by Identity provider authorizing that the user entered correct credential and this access code is used by client just to get you idToken and refreshToken from /oauth2/token endpoint for that given user. All your further calls would only use idToken in Authorization header.

    Even that access code expires after you retrieve you user tokens.

    0 讨论(0)
  • 余生分开走
    2021-02-02 13:20

    For those looking for an answer and are not using OAuth and are deploying using Serverless framework:

    What worked for me to make APGW accept accessToken was to modify my serverless.yml file as follows:

    functions:
  my-function:
    handler: path to source file
    events:
      - http:
          path: my-function
          method: post
          cors: true
          authorizer:
            type: COGNITO_USER_POOLS
            scopes:
              - YOUR SCOPE HERE <- THIS IS THE TRICK
            authorizerId:
              Ref: ApiGatewayAuthorizer

    The value of the scope can be found by reading the contents of your accessToken (for by pasting the token into https://jwt.io/ debugger).

    0 讨论(0)
 看不清?
提交回复
热议问题