Question:
I’m providing an external-facing REST GET API service in a Kubernetes pod on AWS EKS. I had configured an ALB Ingress for this service which enforces Cognito user pool authentication. Cognito is configured with Authorization code grant with the openid OAuth scope enabled.
If I invoke my REST API from the browser, I get redirected to the Cognito login page. After a successful authentication on the form here, I can access my REST GET API just fine. This works, but this is not what I’d like to achieve.
Instead of this, I would need to use a Bearer token after getting successfully authenticated. So first I invoke https://cognito-idp.ap-southeast-1.amazonaws.com using Postman with the request:
    {
        "AuthParameters": {
            "USERNAME": "...",
            "PASSWORD": "...",
            "SECRET_HASH": "..."
        },
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": "..."
    }
and I get a successful response like:
    {
        "AuthenticationResult": {
            "AccessToken": "...",
            "ExpiresIn": 3600,
            "IdToken": "...",
            "RefreshToken": "...",
            "TokenType": "Bearer"
        },
        "ChallengeParameters": {}
    }
In the last step I’m trying to invoke my REST API service passing the Authorization HTTP header with the value Bearer <AccessToken>, but I still get an HTML response with the login page.
How can I configure Cognito to accept my Bearer token for this call as an authenticated identity?
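As an added example (not code from the question or the answer), the InitiateAuth request from the question built in Python, including the SECRET_HASH that Cognito requires when the app client has a client secret, plus a small check for the failure the question describes (an HTML login page coming back where JSON was expected). The client id, client secret and username are constructed placeholders; the endpoint is the one from the question, and the Content-Type and X-Amz-Target values are the documented ones for Cognito's InitiateAuth API.

```python
import base64
import hashlib
import hmac

# Constructed placeholders; a real deployment uses its own app client id/secret.
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
# Regional endpoint from the question; the operation is selected by X-Amz-Target.
COGNITO_ENDPOINT = "https://cognito-idp.ap-southeast-1.amazonaws.com"
INITIATE_AUTH_HEADERS = {
    "Content-Type": "application/x-amz-json-1.1",
    "X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth",
}


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH for an app client that has a client secret:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def initiate_auth_body(username: str, password: str,
                       client_id: str = CLIENT_ID,
                       client_secret: str = CLIENT_SECRET) -> dict:
    """Body of the USER_PASSWORD_AUTH InitiateAuth call shown in the question."""
    return {
        "AuthParameters": {
            "USERNAME": username,
            "PASSWORD": password,
            "SECRET_HASH": secret_hash(username, client_id, client_secret),
        },
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": client_id,
    }


def api_headers(access_token: str) -> dict:
    """Headers for the final call to the service behind the ALB Ingress."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def bearer_was_ignored(content_type: str) -> bool:
    """True when the reply is an HTML page (the hosted login form) instead of the
    API's JSON, i.e. the ALB auth action did not accept the Bearer token as a session."""
    return "text/html" in content_type.lower()
```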
Answer:
Quoting AWS support on this topic: “the Bearer token can not be used instead of the session cookie because in a flow involving bearer token would lead to generating the session cookie”.
So unfortunately this use case is not possible to implement as of today.