I am using API Gateway and an Authorizer to control access to a folder in an S3 bucket. The Authorizer is configured to use a Cognito User Pool. This user pool has the OAuth scopes phone and email associated with it, and also a custom scope which I intend to use to grant read access to the S3 bucket.
I am finding, however, that the Authorizer will only accept the ID token to grant access and returns Unauthorized if I pass the access token. According to the Amazon docs it should be possible to use an access token.
I have followed the direction given here when requesting an access token, so for example I set up the auth variable like so:
var authData = {
    ClientId : '<removed>',          // app client ID in the user pool
    AppWebDomain : '<removed>',      // Cognito hosted UI domain
    // scopes requested at sign-in; the custom scope is the last entry
    TokenScopesArray : ['openid', 'email', 'domain.com/content/content.read'],
    RedirectUriSignIn : '<removed>',
    RedirectUriSignOut : '<removed>'
};
I had assumed that an access token would be all that I required and that this was its purpose, but I cannot get it to work.
If you want to use API Gateway with an access token you have to jump through a few extra hoops.
For full details take a look at "Integrate an API with a User Pool", especially the section on configuring a COGNITO_USER_POOLS authorizer on methods.
Specifically, from the Method Request's Settings > Authorization:
Choose the pencil icon next to OAuth Scopes.
Type one or more full names of a scope that has been configured when the Amazon Cognito user pool was created. For example, following the example given in Create an Amazon Cognito User Pool, one of the scopes is com.hamuta.movies/drama.view. Use a single space to separate multiple scopes.
To save the setting, choose the check mark icon.
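As an added example (not code from the question or the answer above), the following Node.js script models the decision a COGNITO_USER_POOLS authorizer makes on a REST API method, which is why the asker's access token is rejected until scopes are set on the Method Request: with no OAuth scopes configured the authorizer expects an ID token and checks its aud claim; once scopes are configured it expects an access token and checks that its space-separated scope claim contains one of them. The two tokens and the client ID "exampleclientid" are constructed placeholders, and no signature is verified, so this illustrates the claim logic only and is not a usable authorizer.

```javascript
// Added example, not from the question or the answer above: a model of the
// decision a COGNITO_USER_POOLS authorizer makes on a REST API method.
// The two tokens are constructed, unsigned samples (assumption: placeholder
// app client ID "exampleclientid"); no signature check is performed here, so
// this only illustrates the claim logic and must not be used as an authorizer.

function b64url(value) {
  return Buffer.from(value).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(segment) {
  return Buffer.from(segment.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Build a constructed sample JWT: realistic header, fake signature segment.
function makeSampleToken(payload) {
  const header = b64url(JSON.stringify({ alg: 'RS256', kid: 'sample-kid' }));
  return `${header}.${b64url(JSON.stringify(payload))}.not-a-real-signature`;
}

// Cognito ID token: identity claims, aud = app client ID, no "scope" claim.
const ID_TOKEN = makeSampleToken({
  token_use: 'id',
  aud: 'exampleclientid',
  email: 'user@example.com',
  sub: '00000000-0000-0000-0000-000000000000',
});

// Cognito access token: client_id instead of aud, plus a space-separated
// "scope" claim carrying the standard and custom scopes requested at sign-in.
const ACCESS_TOKEN = makeSampleToken({
  token_use: 'access',
  client_id: 'exampleclientid',
  scope: 'openid email domain.com/content/content.read',
  sub: '00000000-0000-0000-0000-000000000000',
});

// Decode the payload segment only; claims are readable without the key.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// methodScopes: the OAuth Scopes configured on the Method Request.
// Empty list  -> API Gateway expects an ID token and checks its aud.
// Non-empty   -> API Gateway expects an access token whose "scope" claim
//                contains at least one of the configured scopes.
function authorizerDecision(jwt, methodScopes, expectedClientId) {
  const claims = decodeClaims(jwt);
  if (methodScopes.length === 0) {
    if (claims.token_use !== 'id') {
      return { allow: false, reason: 'no scopes on method: ID token required' };
    }
    if (claims.aud !== expectedClientId) {
      return { allow: false, reason: 'ID token aud does not match app client' };
    }
    return { allow: true, reason: 'ID token accepted' };
  }
  if (claims.token_use !== 'access') {
    return { allow: false, reason: 'scopes on method: access token required' };
  }
  const granted = (claims.scope || '').split(' ').filter(Boolean);
  const matched = methodScopes.find((s) => granted.includes(s));
  if (!matched) {
    return { allow: false, reason: 'access token lacks every configured scope' };
  }
  return { allow: true, reason: `scope ${matched} present in access token` };
}

// The situation in the question: no scopes configured on the method.
console.log(authorizerDecision(ID_TOKEN, [], 'exampleclientid'));      // allow
console.log(authorizerDecision(ACCESS_TOKEN, [], 'exampleclientid'));  // deny

// After following the answer: the custom scope is set on the method.
const METHOD_SCOPES = ['domain.com/content/content.read'];
console.log(authorizerDecision(ACCESS_TOKEN, METHOD_SCOPES, 'exampleclientid')); // allow
console.log(authorizerDecision(ID_TOKEN, METHOD_SCOPES, 'exampleclientid'));     // deny
```

Run it with node to see both sides of the switch: the same access token flips from denied to allowed purely by configuring the scope on the method, and the ID token flips the other way, so the two token types are not interchangeable on one method. A real authorizer also verifies the token signature against the user pool's JWKS and its expiry; this model deliberately omits that and must not be reused as an access check.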