Use Amazon Cognito as an OIDC / OAuth Identity provider for API Gateway HTTP APIs JWT Authorizers
Amazon API Gateway HTTP APIs supports a new type of authorizer called JWT Authorizer.
You deliver JWT tokens to API Gateway and it verifies them against the configured issuer. It's fairly straightforward to configure.
1. Identify the source for the incoming token that has your identity info. This is almost always the Authorization header.
2. Configure your Identity Provider's Issuer URL. This is the domain name and path to the well-known metadata endpoint, but do not include the actual .well-known/openid-configuration path or the jwks.json file.
3. Configure the Audience. This is your Cognito Userpool's App Client ID.
Setup Amazon Cognito as your IDP
For Identity Source, use the $ expression syntax. I am using $request.header.Authorization
to tell API Gateway to look in the Authorization header. You can use any header you want.
For the Issuer URL, it should be in this format:
https://cognito-idp.[aws region].amazonaws.com/[userpool id]
For example, my Cognito Userpool is in us-west-2. Do NOT include a /
at the end of the path; /.well-known/openid-configuration is appended automatically.
Here is my Issuer URL:
https://cognito-idp.us-west-2.amazonaws.com/us-west-2_sDg68GJKt
Finally, add at least 1 Audience. An Audience is an App Client:
Look this up in your Cognito Userpool App Client settings. It’s the App client id.
You can add multiple IDs if you want many different App Clients from the same user pool to authorize.
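To see what the three settings above actually do at request time, here is an added example (not code from the original post) that mirrors the claim checks a JWT authorizer applies: exact issuer match, audience match, and expiry. It uses the issuer URL from the post; the App client id and the tokens are constructed placeholders, and signature verification against the pool's JWKS is left to a JWT library, so this covers claims only.

```python
# Added example, not code from the original post: replicate the claim checks an
# API Gateway HTTP API JWT authorizer applies given the settings described above.
# Signature verification against the pool's JWKS is left to a JWT library;
# this covers only issuer, audience and expiry.
import base64
import json
import time
from typing import Optional, Set, Tuple

ISSUER = "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_sDg68GJKt"  # from the post
AUDIENCES = {"example-app-client-id"}  # constructed placeholder for a Cognito App client id

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_test_token(claims: dict) -> str:
    """Constructed token for testing: the signature segment is a placeholder
    because only the claims are inspected here."""
    return f"{b64url_encode({'alg': 'RS256', 'kid': 'example-kid'})}.{b64url_encode(claims)}.sig"

def jwks_url(issuer: str) -> str:
    """The well-known path is appended automatically, so the configured issuer
    must be the bare pool URL: no trailing '/' and no '.well-known' segment."""
    if issuer.endswith("/") or ".well-known" in issuer:
        raise ValueError(f"issuer must be the bare user pool URL, got {issuer!r}")
    return issuer + "/.well-known/jwks.json"

def authorize(token: str, issuer: str, audiences: Set[str],
              now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks exact 'iss' match, 'aud' (Cognito ID token)
    or 'client_id' (Cognito access token) against the configured audiences, and 'exp'."""
    _header, claims = map(json.loads, map(b64url_decode, token.split(".")[:2]))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:  # a trailing '/' in either place fails this
        return False, "issuer mismatch: %r" % claims.get("iss")
    aud = claims.get("aud", claims.get("client_id"))
    aud_set = set(aud) if isinstance(aud, list) else {aud}
    if not aud_set & audiences:
        return False, "audience not configured on the authorizer"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"
```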