
I am using Amazon Cognito, API Gateway and Elastic Beanstalk (ELB) to create a microservices application.

The flow is the following:

  1. I sign in on my Cognito UI.
  2. Cognito redirects me to my API Gateway URL. (There are id_token and access_token hash parameters appended to the redirection URL: https://<redirection_url>#id_token=<id_token>&access_token=<access_token>)
  3. The API Gateway checks for an Authorization header, and if the corresponding Bearer token is approved, I am redirected to the right URL.

My problem: I don't have any logic that can retrieve the access token and the id token from the hash parameters and set them in my Authorization header. As a consequence, I always get a 401 "Unauthorized" error at step 3. How can I fix it?

nolwww
  • Implicit flow won't work without a frontend as the hash fragment is never submitted to the server. What are you trying to accomplish exactly? – Andrew Gillis May 02 '21 at 20:02
  • Ok, I just wanted to be sure there was not a Cognito feature to set the token differently than with hash parameters ... – nolwww May 02 '21 at 20:16
  • So, you confirm having a front end is the only way to retrieve the token between Cognito and the Gateway? – nolwww May 02 '21 at 20:16
  • No, you should still be able to use the authorization code grant – Andrew Gillis May 02 '21 at 20:17
  • [worth a read](https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/) – Andrew Gillis May 02 '21 at 20:24
  • Thanks for your help, the article is very clear. If I choose to use the authorization code grant, I still need to implement backend logic such as https://stackoverflow.com/questions/62198963/is-this-possible-to-use-cognitos-authorization-code-grant-type-as-a-authorizer to retrieve the final token, right? – nolwww May 03 '21 at 05:58
  • Yeah. But you should know that this is quite unusual. Normally when you secure an API with something like Cognito, it isn't involved with the acquisition of the access token. That is usually left to the clients. – Andrew Gillis May 03 '21 at 12:03
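Added example, not code from the question or from the comments above: it shows the two things the thread settles on. First, the client-side step the question is missing: the implicit grant puts the tokens in the URL fragment, and browsers never send the fragment to the server, so only JavaScript on the redirect page can read it and set the Authorization header before calling API Gateway. Second, the request a backend makes to the user pool's TOKEN endpoint for the authorization code grant the comments recommend, where the code arrives in the query string and is therefore visible server-side. The hostnames, client id, code and token strings are constructed placeholders; the choice between id_token and access_token follows the documented behaviour of API Gateway's COGNITO_USER_POOLS authorizer (id_token when no OAuth scopes are configured on the method, access_token when they are).

```javascript
// Added example: not code from the question or its comments.
// All hostnames, ids, codes and token strings below are constructed placeholders.

// Constructed sample of the implicit-grant redirect described in step 2 of the question.
const IMPLICIT_REDIRECT =
  'https://app.example.invalid/callback#id_token=ID.TOKEN.AAA&access_token=ACCESS.TOKEN.BBB&expires_in=3600&token_type=Bearer';

// 1. Implicit grant: read the tokens from the fragment (the part after '#').
//    The fragment is never sent to the server, so this must run in the browser.
//    Returns null when no token is present (e.g. an error redirect such as #error=...).
function parseTokensFromFragment(redirectedUrl) {
  const hash = new URL(redirectedUrl).hash;
  if (hash.length < 2) return null;
  const params = new URLSearchParams(hash.slice(1));
  const idToken = params.get('id_token');
  const accessToken = params.get('access_token');
  if (!idToken && !accessToken) return null;
  return {
    idToken,
    accessToken,
    tokenType: params.get('token_type') || 'Bearer',
    expiresIn: params.has('expires_in') ? Number(params.get('expires_in')) : null,
  };
}

// 2. Build the header API Gateway checks in step 3. A COGNITO_USER_POOLS authorizer
//    validates the id_token when the method has no OAuth scopes configured and the
//    access_token when it does, so the caller picks which one to send.
function buildAuthorizationHeader(tokens, { useAccessToken = false } = {}) {
  const token = useAccessToken ? tokens.accessToken : tokens.idToken;
  if (!token) throw new Error('requested token is missing from the redirect');
  return { Authorization: `${tokens.tokenType} ${token}` };
}

// 3. Call the API with the header set. fetchImpl is injectable so it can be stubbed offline.
async function callApiGateway(apiUrl, tokens, options = {}, fetchImpl = globalThis.fetch) {
  return fetchImpl(apiUrl, { headers: buildAuthorizationHeader(tokens, options) });
}

// 4. Authorization code grant: the code comes back as ?code=... in the query string,
//    which the server does receive.
function parseCodeFromQuery(redirectedUrl) {
  return new URL(redirectedUrl).searchParams.get('code');
}

function toBase64(s) {
  return typeof Buffer !== 'undefined' ? Buffer.from(s, 'utf8').toString('base64') : btoa(s);
}

// The backend exchanges the code at the user pool's TOKEN endpoint
// (https://<user-pool-domain>/oauth2/token). Cognito expects an
// application/x-www-form-urlencoded body and, for an app client that has a secret,
// HTTP Basic authentication with client_id:client_secret.
function buildCodeExchangeRequest({ domain, clientId, clientSecret, code, redirectUri }) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    code,
    redirect_uri: redirectUri, // must match the redirect_uri used in the /oauth2/authorize request
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (clientSecret) {
    headers.Authorization = 'Basic ' + toBase64(`${clientId}:${clientSecret}`);
  }
  return { method: 'POST', url: `https://${domain}/oauth2/token`, headers, body: body.toString() };
}

// Walk-through on the constructed redirect.
const tokens = parseTokensFromFragment(IMPLICIT_REDIRECT);
const header = buildAuthorizationHeader(tokens);
const exchange = buildCodeExchangeRequest({
  domain: 'auth.example.invalid',
  clientId: 'myclient',
  clientSecret: 's3cret',
  code: parseCodeFromQuery('https://app.example.invalid/callback?code=abc123'),
  redirectUri: 'https://app.example.invalid/callback',
});
```

On the redirect page the browser-side call is `parseTokensFromFragment(window.location.href)` followed by `callApiGateway(...)`; clearing the fragment afterwards with `history.replaceState` keeps the tokens out of the visible URL, but they still transit through browser history and referrers, which is the usual reason to prefer the authorization code grant (with PKCE for a public client, which Cognito supports) over the implicit grant.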

0 Answers