Multi-pool CognitoAuthorizer only accepting id token from first-listed pool


I have a RestApi declared with CloudFormation using AWS::Serverless::Api and created a default Cognito authorizer there, declaring a UserPoolArn pointing to my UserPool1's.

Then, I created a custom resource with RestApiId and UserPool2ARN properties, so it could find the API Gateway's authorizers and add the second pool to the CognitoAuthorizer.

It seems to work, AWS Console API Gateway Authorizers page shows the CognitoAuthorizer with TWO different pools.

But the problem is that when I call "initiateAuth" for different users from each pool to get an "idtoken", only the idtoken from the first-listed pool goes through. The idtoken from the other pool gets an Unauthorized.

1 answer

First, you should not use the ID token to consume an API, but the access token.

Second, as you use the identity token authentication method, you must have configured the Token validation field in the Cognito authorizer, which should match the aud claim of the identity token (the client id value) issued by the first user pool. As the client id value is unique per user pool, the identity token issued by the second user pool will never have this aud claim set to the right value and therefore will always fail the check.

AWS
answered a year ago
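The check the answer describes, as an added example rather than anything from the post or from AWS's own implementation: a small simulation of what a COGNITO_USER_POOLS authorizer does with the `iss` and `aud` claims. It builds unsigned, JWT-shaped tokens with made-up pool and app-client IDs (real Cognito tokens are RS256-signed; signature verification is assumed to have already passed and is not modelled), and treats the Token validation expression as a full-match regular expression, which is an assumption about the service's matching semantics. It shows why a second pool's ID token fails when the expression is the first pool's client id, that an alternation covering both client ids lets both through, and that any validation expression rejects access tokens because they carry `client_id` instead of `aud`.

```python
import base64
import json
import re

# Constructed sample values; region, pool ids and app client ids are made up.
REGION = "us-east-1"
POOL1_ID = "us-east-1_Pool1aaaa"
POOL2_ID = "us-east-1_Pool2bbbb"
POOL1_CLIENT = "1a2b3c4d5e6f7g8h9i0jklmnop"
POOL2_CLIENT = "9z8y7x6w5v4u3t2s1r0qponmlk"


def issuer(pool_id: str) -> str:
    """Documented issuer URL format for a Cognito user pool."""
    return f"https://cognito-idp.{REGION}.amazonaws.com/{pool_id}"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(pool_id: str, client_id: str, token_use: str) -> str:
    """Build an unsigned JWT-shaped token carrying only the claims inspected below.

    Assumption: the signature check has already passed, so 'alg: none' is used here.
    Cognito puts the app client id in 'aud' for ID tokens and in 'client_id' for
    access tokens; access tokens have no 'aud' claim.
    """
    header = {"alg": "none", "typ": "JWT"}
    claims = {"iss": issuer(pool_id), "token_use": token_use, "sub": "example-user"}
    if token_use == "id":
        claims["aud"] = client_id
    else:
        claims["client_id"] = client_id
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()),
                     ""])  # empty signature segment


def decode_claims(token: str) -> dict:
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorizer_check(token: str, pool_ids: list, token_validation: str = None) -> str:
    """Approximation of the authorizer's claim checks (assumption: full regex match).

    1. The issuer must be one of the user pools attached to the authorizer.
    2. If a Token validation expression is set, the token must have an 'aud' claim
       that fully matches it; access tokens have none and are rejected.
    """
    claims = decode_claims(token)
    if claims.get("iss") not in {issuer(p) for p in pool_ids}:
        return "unauthorized: issuer is not one of the authorizer's user pools"
    if token_validation:
        aud = claims.get("aud")
        if aud is None:
            return "unauthorized: no aud claim (access token) but Token validation is set"
        if not re.fullmatch(token_validation, aud):
            return "unauthorized: aud does not match the Token validation expression"
    return "allowed"


def demo() -> dict:
    """Run the scenarios from the question and answer; returns outcome per scenario."""
    pools = [POOL1_ID, POOL2_ID]  # both pools attached, as in the question
    id1 = make_token(POOL1_ID, POOL1_CLIENT, "id")
    id2 = make_token(POOL2_ID, POOL2_CLIENT, "id")
    access1 = make_token(POOL1_ID, POOL1_CLIENT, "access")
    both_clients = f"{POOL1_CLIENT}|{POOL2_CLIENT}"
    return {
        "pool1_id_pool1_regex": authorizer_check(id1, pools, POOL1_CLIENT),
        "pool2_id_pool1_regex": authorizer_check(id2, pools, POOL1_CLIENT),
        "pool2_id_both_regex": authorizer_check(id2, pools, both_clients),
        "pool1_access_with_regex": authorizer_check(access1, pools, POOL1_CLIENT),
        "pool1_access_no_regex": authorizer_check(access1, pools),
        "pool2_id_only_pool1_attached": authorizer_check(id2, [POOL1_ID]),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The scenario names map to the thread: the second pool's ID token is refused solely on the `aud` check while the first pool's passes, and widening the expression to an alternation of both client ids (or clearing it and switching to access tokens, as the answer recommends) is what changes the outcome.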
