AWS Api Gateway Authorizer + Cognito User Pool Not Working {"message": "Unauthorized"}

Question

I am trying to use aws api gateway authorizer with cognito user pool. It is working fine when i test using aws api gateway console.

But when i try enabling the authorization in the api it says "message": "Unauthorized". Please check below screenshot

API Gateway Console Screenshot - This works fine

Postman Screen shot - Not working

Can someone help please.

FYI I have followed the instructions as mentioned here http://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

Answer 1

In my case, authorization code should be id_token. I made a mistake for using access_token instead

Answer 2

The below steps fixes the problem for me. In short, there seems to be a bug in AWS API Gateway. You can fix it by re-deploy the API:

1. Change the Request Validator from NONE to Validate Body
2. Actions -> Deploy the API -> choose the stage you want to deploy it to.
3. Change the Request Validator from Validate Body to NONE
4. Redo step 2.

Answer 3

I tried Mathias' solution out and it didn't work at first. Oddly, I can back to it hours later and tried again, and this time made some other changes to my API gateway before deploying the API. This time it worked, even though the other changes that I made were superficial.

Also, as is so often the case, the AWS docs are wrong, stating that you should use method.response.header.Authorization. This is really only valid for Lambdas using custom auth. You should indeed use just Authorization here when you are using the new Cognito User Pool Authorizer.

1. Use Authorization not method.response.header.Authorization
2. Make a superficial change to your resource in API Gateway
3. Deploy your API and wait a second

-- edit --

I was just converting my stack to Cloudformation and found out that if you are using Cloudformation to deploy the Authorizer, you do in fact need to specify the full method.response.header.Authorization for the token source. In fact, a stack deploy will fail if you don't use that format. However, once deployed, if you look at the Authorizer in the console, it will have dropped the method.response.header part.

Answer 4

I had the same issue like you and realized that I entered a wrong Token Source.

Enter in <your API> -> Authorizers -> Token Source the name of the HTTP header where the API gateway has to look for the token. (in your case Authorization)

Save it and don't forget to deploy before you test it out.

Answer 5

I had the same issues, the solution was just to redeploy the project.

Answer 6

Try below 3 steps (do not forget to deploy API) and try to send a request with POST man

1. Cache

2. Settings of Method Request

1. Deploy API

Answer 7

If you are not checking scope at OAuth Scopes in method execution block of API gateway it will only take id-token.

Once you will have set OAuth scope restriction on request it will start taking access token automatically.

Answer 8

Credit to Srce Cde channel on YouTube, https://www.youtube.com/watch?v=f8rbpHf9SiA, adding 'openid' as OAuth scope on the endpoint settings makes access_token usable.

Bear in mind this will make id_token unusable. For those looking for the difference between id_token and access_token, here's the link: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html

Answer 9

Changing the Token Source in the Authorizer to something other than Authorization (eg: authorization) then deploying the API and giving that in Postman's headers worked for me. No matter what we call the header, it will be translated and used by API gateway I guess.

Answer 10

In my case, I thought that I needed to prepend the ID token in the authorization header with 'Bearer', after having looked at example documentation coming from Amplify. Removing 'Bearer' resolved my issue (and indeed the check for the token shape.) Also, check your CORS configuration!