Hello, I'm using serverless APIs using AWS API Gateway Lambda proxy, Golang, and AWS Cognito:

    # serverless.yml fragment; the events block sits under functions.<your function>
    events:
      - http:
          path: myendpoint
          method: get
          cors: true
          authorizer:
            name: my-authorizer
            arn: {COGNITO_POOL_ARN}   # placeholder for the Cognito user pool ARN

plugins:
  - serverless-domain-manager

custom:
  customDomain:
    domainName: mydomain.com
    basePath: mybasepath
    stage: ${self:provider.stage}
    createRoute53Record: true

This allows me to make requests using the ID token to mydomain.com/mybasepath/myendpoint. I want to make it more standard and use access tokens.

It won't take the access token; the API Gateway authorizer would bounce it off.

I added this as a Resource Server in the Cognito user pool settings.

In the App client settings I checked the resource for the app client.

I log out, create a new session for the user with new tokens, and I get a 401 Unauthorized. I think I'm following the documentation correctly as it is here; maybe I'm missing something else, or perhaps because it is a serverless API it is a different setup that I need.

Any help or guidance is fully appreciated.

If you just want to secure your API with Cognito there is no need to create scopes. Scopes don't grant authorizations to a user; they grant them to applications.

The API Gateway Cognito Authorizer operates in basically three modes:

  1. Allow either an ID Token or an Access Token (no token validation set & no scope set on the resource)
  2. Allow ID Token (token validation set to the aud claim/application ID & no scope set on the resource)
  3. Allow Access Token (token validation not set, scope set on the resource)

This is a consequence of the following in each case:

  1. Both ID tokens & Access tokens are signed by Cognito signing keys, so the authorizer can't tell them apart.
  2. Only ID tokens contain the aud (audience) claim to perform the token validation against.
  3. Only Access tokens include the scope claim to perform validation against.

Hope that clears things up. Don't get too hung up on scopes unless you know what you are using them for.

Thanks for the answer. When I send an access token in the request the API Gateway authorizer declines the request with a 401 access denied. Where would I specify the kind of token the authorizer accepts, or change the mode it is operating as? Thanks in advance.
@FranciscoArias To allow access tokens exclusively, make sure you do not have token validation set on your authorizer. Then set the scope on the API resources.
Thanks, yes, that's what I needed to do. I found the documentation: docs.aws.amazon.com/apigateway/latest/developerguide/… And if you are using the Serverless Framework you will need this plugin: serverless.com/plugins/serverless-oauth-scopes. Thanks again, brother.
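A small Go model of the three-mode decision table from the answer and the comment above, added here as an illustration (it is not AWS's authorizer code and not from the question): the token-validation string and the resource scopes are assumed to be the two knobs, the tokens are constructed and unsigned, and signature verification is assumed to have already passed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"strings"
)

// Claims are the Cognito JWT claims the three authorizer modes look at.
type Claims struct {
	Aud   string `json:"aud,omitempty"`   // ID token only: the app client ID
	Scope string `json:"scope,omitempty"` // access token only, space-separated
}
// Authorizer holds the two settings the answer and comment refer to.
type Authorizer struct {
	ValidateAud    string   // token validation against aud: mode 2 when set
	RequiredScopes []string // OAuth scopes on the resource: mode 3 when set
}
// MakeToken builds a constructed, UNSIGNED JWT for the demo; signature checks are assumed done.
func MakeToken(c Claims) string {
	body, _ := json.Marshal(c)
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc(body) + ".sig"
}
// Allow applies the decision table from the answer to one compact JWT.
func (a Authorizer) Allow(jwt string) bool {
	var c Claims
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return false
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(raw, &c) != nil {
		return false
	}
	if a.ValidateAud != "" && c.Aud != a.ValidateAud {
		return false // mode 2: access tokens carry no aud claim, so they fail
	}
	if len(a.RequiredScopes) == 0 {
		return true // mode 1: either token type passes once signature-checked
	}
	for _, want := range a.RequiredScopes { // mode 3: one granted scope suffices
		for _, got := range strings.Fields(c.Scope) {
			if got == want {
				return true
			}
		}
	}
	return false // ID tokens have no scope claim, so they fail here
}
```

Mode 2 rejects access tokens because they carry no aud, and mode 3 rejects ID tokens because they carry no scope, which is exactly the 401 the question describes when the authorizer is left in mode 2.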