
I have an API HTTP gateway (at, say, https://example.com) integrated with an API REST gateway which uses a Cognito authorizer. All of this serves a single-page React application. The behaviour is as expected:

  • I launch the Cognito hosted UI and sign in,
  • It redirects to the url https://example.com/#id_token=123
  • If I use Postman, I can access that URL if I pass that id_token in the Authorization header.

Now my question is: how can I pass the header automatically after signing in so I can visit https://example.com?

I have spent a long time on this and have found many similar posts without an answer:

mrm

1 Answer


We faced the same question a couple of years ago. Our solution was creating a proxy (using API Gateway and Lambda) that "moved" the id_token (stored in a cookie) to the Authorization header for every request to the server. It was ugly, but it worked.

BTW, getting id_token in the URL is how Implicit Grant works. But Implicit Grant is generally considered less secure than Authorization Code Grant. We have since migrated from Implicit Grant to Authorization Code Grant. However, we continue to use the proxy pattern (again using API Gateway and Lambda) as follows.

  1. Exchange the returned code for access_token and id_token at the Cognito user pool's token endpoint. Store the tokens in a DynamoDB table with session_cookie as the partition key. Return the session_cookie as a cookie (with HttpOnly, Secure and SameSite=Strict) to the browser.
  2. For each request from the browser, use the cookie to find the token in the DynamoDB table and put the token in the Authorization header.
Big Pumpkin