AWS Cognito authentication with Bearer token

Question:

I’m providing an external-facing REST GET API service in a kubernetes pod on AWS EKS. I had configured an ALB Ingress for this service which enforces Cognito user pool authentication. Cognito is configured with Authorization code grant with the openid OAuth scope enabled.

If I invoke my REST API from the browser, I get redirected to the Cognito login page. After a successful authentication on the form here, I can access my REST GET API just fine. This works, but this is not what I’d like to achieve.

Instead of this, I would need to use a Bearer token, after getting successfully authenticated. So first I invoke https://cognito-idp.ap-southeast-1.amazonaws.com using Postman with the request:

and I get a successful response like:

In the last step I’m trying to invoke my REST API service passing the Authorization HTTP header with the value Bearer <AccessToken> but I still get an HTML response with the login page.

How can I configure Cognito to accept my Bearer token for this call as an authenticated identity?

Answer:

Quoting AWS support on this topic: “the Bearer token can not be used instead of the session cookie because in a flow involving bearer token would lead to generating the session cookie”.

So unfortunately this use case is not possible to implement as of today.
