API gateway Cognito user pool authorizer - 401 unauthorized


Problem description


I was trying to get my API gateway to work with the Cognito user pools authorizer but I cannot seem to get it to work. I am not using any SDK as of now. Some details - for the Cognito pool, I have set up the ID provider as cognito user pool, OAuth flow 'implicit grant' & scope as 'openid'. Created an app (& domain) with a client secret also generated. Email is the only field. - on API gateway I added the same user pool for cognito auth & header as 'Authorization'. No scope was added and no token validation.


I use Cognito's default sign-in page to log in & retrieve the 'id_token' (present in the URL after sign in) & use that in Postman to fire my API, getting a '401 unauthorized'. I use the same token in the API gateway authorizer test tool & I still get unauthorized. So clearly my token is the problem.


I have already tried various combinations of OAuth flows & scopes & API gateway with lambda integration, to creating another one with mock integration. Also created different user pools & apps with & without client secret, with the same error.


I would have been fine with the above not working (believing an error on my part) but the same thing works for a colleague who tried. The only difference is, after log-in, he was directed to a localhost page where he captured the same 'id_token' & hit API gateway with that token, successfully.


So I can't figure out what the difference is. Is it not supposed to work the way I am trying?


Some CloudWatch access logs when I hit the API from Postman (also tried curl):


{ "requestId": "bb9ba6a2-6c25-11e8-b024-530b33bce48d", "ip": "x.x.x.x", "caller": "-", "user": "-", "requestTime": "09/Jun/2018:20:43:15 +0000", "httpMethod": "GET", "resourcePath": "/test", "status": "401", "protocol": "HTTP/1.1", "responseLength": "26", "authProvider": "-", "authType": "-", "claimProperty": "-", "property": "-", "principalId": "-" }

Thank you. Any help is appreciated.

Recommended answer


Turned out to be a really idiotic mistake of copying the access_token as well. With the right id_token it worked. Took me 2 days to figure it out!!!
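The mistake above is easy to make because the implicit-grant redirect puts both id_token and access_token in the same URL fragment. As an added example (not from the original post), the script below pulls the tokens out of a constructed redirect URL, decodes the claims without verifying the signature, and reports which token a Cognito user pool authorizer expects: the ID token (token_use "id") when no OAuth scopes are configured on the method, the access token (token_use "access") when scopes are configured. The tokens, app client id and redirect URL are constructed placeholders.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit


def _b64url(obj):
    """base64url-encode a JSON object without padding (JWT segment format)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _make_token(claims):
    """Constructed, unsigned sample JWT: header.payload.<placeholder signature>."""
    return _b64url({"alg": "RS256", "kid": "example-kid"}) + "." + _b64url(claims) + ".sig"


# Constructed redirect URL, shaped like the hosted UI output after an implicit-grant
# login: both tokens travel in the URL fragment, which is where the mix-up happens.
SAMPLE_REDIRECT = (
    "https://localhost/callback#id_token=" + _make_token(
        {"token_use": "id", "aud": "example-app-client-id", "email": "user@example.com"})
    + "&access_token=" + _make_token(
        {"token_use": "access", "client_id": "example-app-client-id", "scope": "openid"})
    + "&expires_in=3600&token_type=Bearer"
)


def extract_tokens_from_fragment(url):
    """Return the key/value pairs carried in the URL fragment (after '#')."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}


def classify_token(token, scopes_configured=False):
    """Report which Cognito token this is and whether a user pool authorizer would
    accept it. Claims are decoded without signature verification: the authorizer
    verifies the signature itself, this is only a pre-flight sanity check."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"token_use": None, "accepted": False,
                "reason": "not a single JWT (expected 3 segments, got %d)" % len(parts)}
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    token_use = json.loads(base64.urlsafe_b64decode(payload)).get("token_use")
    expected = "access" if scopes_configured else "id"
    accepted = token_use == expected
    reason = "ok" if accepted else "authorizer %s scopes expects token_use=%r, got %r" % (
        "with" if scopes_configured else "without", expected, token_use)
    return {"token_use": token_use, "accepted": accepted, "reason": reason}


if __name__ == "__main__":
    toks = extract_tokens_from_fragment(SAMPLE_REDIRECT)
    for name in ("id_token", "access_token"):
        print(name, classify_token(toks[name]))
    print("both pasted together", classify_token(toks["id_token"] + toks["access_token"]))
```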
