AWS API Gateway Authorizer works with Cognito HostedUI but not with access_token from amazon-cognito-identity-js

When I use the Cognito HostedUI, I receive the access_token from URL parameters in callback page and feed it to my API call header as follows:

import { HttpHeaders } from '@angular/common/http';

const headers = new HttpHeaders({
    'Content-Type': 'application/json',
    Authorization: access_token // received from callback URL parameters
});

And it works fine. But due to the limitations of HostedUI design, I implemented a custom login/logout logic using this tutorial

Since amazon-cognito-identity-js requires an App Client without a Client Secret, I created a new App Client. So now I have two. (Not sure if it causes any problems)

The simplified partial code looks like the following:

import {
    AuthenticationDetails,
    CognitoUser,
    CognitoUserPool
} from 'amazon-cognito-identity-js';

let authenticationDetails = new AuthenticationDetails({
    Username: this.email_address, // user input
    Password: this.password // user input
});
let poolData = {
    UserPoolId: environment.cognitoUserPoolId,
    ClientId: environment.cognitoAppClientId
};
let userPool = new CognitoUserPool(poolData);
let userData = { Username: this.email_address, Pool: userPool };
let cognitoUser = new CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: (result: any) => {
        console.log(result);
        const access_token = result.getAccessToken().getJwtToken(); // getting access_token
        if (!access_token) {
            alert('User token is not found. Please sign in again.');
            return;
        }
        ...
    },
    onFailure: (err: any) => {
        console.error(err); // authentication failed (wrong credentials, unconfirmed user, etc.)
    }
});

Now this lets me log in and log out successfully, and I get the user's detailed information. But when I feed this access_token to the API Authorization header I always get a 401 Unauthorized error. I even tried using id_token and the refresh_token; nothing works.

All my Cognito, API Gateway, S3, Lambda etc. settings are the same as before. So why do I keep getting a 401 error? Maybe I am missing an IAM permission? Any help would be appreciated.

UPDATE:

I noticed the access_token from HostedUI callback has:

"scope": "aws.cognito.signin.user.admin phone openid profile email"

Even though in Cognito AppClient settings I have selected all 5 OpenID Connect scopes, the access_token in amazon-cognito-identity-js response has only:

scope: "aws.cognito.signin.user.admin"

In each API request OAuth Scopes option I have "email". So this seems to be the problem. Should I add "aws.cognito.signin.user.admin" here? Or is there a way to return "email" scope using amazon-cognito-identity-js?
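
As an added example (not code from the question or either answer), the following Node.js snippet decodes the payload of a Cognito access token and compares its "scope" claim with the OAuth scopes configured on an API Gateway method, which is exactly the mismatch described above. The tokens are constructed inline with the two scope strings quoted above; their header, client_id and signature are placeholders, and a real token's signature is verified by the API Gateway Cognito authorizer, not by this check.

```javascript
// Added example (not from the original post): inspect the "scope" claim of a
// Cognito access token to see whether it carries the scopes an API Gateway
// method requires. Tokens below are constructed, unsigned JWTs; a real access
// token is signed by the user pool and API Gateway verifies that signature.

function b64urlDecode(segment) {
  // JWT segments are base64url without padding; normalise before decoding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Scopes configured on the API Gateway method that are absent from the token.
// An empty result means the authorizer's scope check would pass.
function missingScopes(token, requiredScopes) {
  const payload = decodeJwtPayload(token);
  const granted = new Set((payload.scope || '').split(' ').filter(Boolean));
  return requiredScopes.filter((s) => !granted.has(s));
}

// --- constructed sample tokens (header.payload.signature, signature faked) ---
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fakeToken(scope) {
  const header = { alg: 'RS256', kid: 'constructed-kid' };
  const payload = { token_use: 'access', client_id: 'constructed-client', scope };
  return `${b64urlEncode(header)}.${b64urlEncode(payload)}.constructed-signature`;
}

// Scope strings as quoted in the question.
const hostedUiToken = fakeToken('aws.cognito.signin.user.admin phone openid profile email');
const sdkToken = fakeToken('aws.cognito.signin.user.admin');

// The method requires "email": the SDK token lacks it, which is why it gets a 401.
console.log(missingScopes(hostedUiToken, ['email'])); // []
console.log(missingScopes(sdkToken, ['email']));      // [ 'email' ]
```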
Solution 1:[1]

Change the scope in the console, here:

[screenshot]

Solution 2:[2]

JDK 8

-XX:+PrintGCDetails

The heap layout and usage will be printed at VM exit:

 PSYoungGen      total 443904K, used 283177K [0x00000000dcc00000, 0x00000000f7f00000, 0x0000000100000000)
  eden space 442368K, 63% used [0x00000000dcc00000,0x00000000ee07a6f8,0x00000000f7c00000)
  from space 1536K, 4% used [0x00000000f7d80000,0x00000000f7d90000,0x00000000f7f00000)
  to   space 1536K, 0% used [0x00000000f7c00000,0x00000000f7c00000,0x00000000f7d80000)
 ParOldGen       total 72704K, used 980K [0x0000000096400000, 0x000000009ab00000, 0x00000000dcc00000)
  object space 72704K, 1% used [0x0000000096400000,0x00000000964f5060,0x000000009ab00000)
 Metaspace       used 4568K, capacity 4718K, committed 4992K, reserved 1056768K
  class space    used 472K, capacity 532K, committed 640K, reserved 1048576K

JDK 9+

-Xlog:gc+heap+exit

[9.405s][info][gc,heap,exit]  garbage-first heap   total 276480K, used 149668K [0x0000000700000000, 0x0000000800000000)
[9.405s][info][gc,heap,exit]   region size 1024K, 147 young (150528K), 1 survivors (1024K)
[9.405s][info][gc,heap,exit]  Metaspace       used 6335K, capacity 6395K, committed 6784K, reserved 1056768K
[9.405s][info][gc,heap,exit]   class space    used 511K, capacity 530K, committed 640K, reserved 1048576K

total is the committed memory; the range [0x0000000700000000, 0x0000000800000000) is the reserved space.

If you want to print heap at every GC rather than at VM exit, use -XX:+PrintHeapAtGC in JDK 8, or -Xlog:gc+heap=debug in JDK 9+.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 fedonev
Solution 2