A simple API endpoint, with a Cognito User Pool Authorizer, when using the Authorizer Test button (or using Postman/Insomnia) with a valid token fails (screenshot below):
I know the token is valid as I can make a successful call to the Cognito user pool user-info end-point using the same token and get the desired response back.
Also removing the authorizer (setting it to None), will return the desired response as well.
I’ve tried both with and without Bearer ..., I’ve also tried to change the Authorization Token source to method.request.header.Authorization as I’ve found in some older Question but immediately after saving, it changes it back to method.response.header.Authorization doesn’t seem to work either.
The API was deployed through a CloudFormation stack.
I’m writing a complete guide to this issue as the documentation is lacking and it’s not easy to find the right information for such a simple task, but it may take a few days, so till then I’ll post a short answer here and once (hopefully) I finish the guide I’ll update this answer:
My problem was that I was using the access_token, but I had to use the identity_token! The other problem is that none of the OAuth2 tools available (like Auth modules of Postman and Insomnia) return or use the identity_token, they don’t even show the token! And although it is in the OAuth2 specs, nobody’s using it (except Cognito!),…
So I made some changes to the Insomnia source code of the OAuth2 module and used the correct token, then it started working!
I’m going to make a PR to Insomnia and if it goes through the feature may become available in the next releases, otherwise, I’ll make my packaged binary available so peep can use it since otherwise, it’s a nightmare to get tokens from AWS!
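A quick way to tell which token a client is about to send, added here as an example and not part of the original answer: Cognito-issued JWTs carry a `token_use` claim whose value is `id` or `access`. The helper names and the sample tokens below are constructed for illustration; the payload is decoded without signature verification, so this is a diagnostic only and the authorizer remains the component that validates the token.

```python
import base64
import json
import time


def b64url(data):
    """Base64url-encode without padding, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostic use only)."""
    token = token.strip()
    if token.lower().startswith("bearer "):
        token = token[7:].strip()  # accept a pasted Authorization header value
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_for_authorizer(token, now=None):
    """List reasons the token is not the ID token the answer says is required."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    use = claims.get("token_use")
    if use != "id":
        problems.append(f"token_use is {use!r}, expected 'id' (not the ID token)")
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token is expired")
    return problems


def make_sample(token_use, exp):
    """Build a constructed, unsigned sample token for the demonstration."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps({"token_use": token_use, "exp": exp}).encode())
    return f"{header}.{body}.constructed-signature"


if __name__ == "__main__":
    future = int(time.time()) + 3600
    for kind in ("access", "id"):
        print(kind, "->", check_for_authorizer(make_sample(kind, future)) or "looks right")
```
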