How do I correctly authorize API Gateway with a Cognito user pool WITHOUT the hosted UI.


I am working on a mobile game where the user logs in within the app itself on my own UI. I want to lock down my API Gateway requests to only authenticated users within my Cognito user pool.

  1. In order to add custom scopes to my access tokens, I understand that I need to enable OAuth2 endpoints that come with a Hosted UI. Why do I need a mandatory hosted UI when my game already has a built-in UI to consume these endpoints? I don't want players to find other ways to access my in-game APIs from outside of the game. It seems silly that I have seen so many complaints about this from many years back and it still seems to be an issue.

  2. Why does API Gateway accept the ID Token by default in the COGNITO_USER_POOLS authorizer? Everywhere I read it says best practice is to not use the ID token that contains PII when calling protected APIs.


3 Answers
Accepted Answer

The hosted UI provided by Cognito is designed to handle authentication flows securely according to OAuth2 standards. While it may seem like overkill for a game app, using the hosted UI ensures your authentication meets best practices. Some key benefits are using authorized scopes, supporting SSO across clients, and advanced security features.

When calling API Gateway endpoints, it's generally recommended to use the access token instead of the ID token, as the access token does not contain PII. The ID token is accepted by default for backwards compatibility, but you can configure API Gateway to only accept the access token for increased security.

To add custom scopes to your access tokens without the hosted UI, you would need to implement the OAuth2 flows yourself to ensure they are done securely. The hosted UI handles this for you according to standards.

Cognito supports unauthenticated users by allowing temporary credentials without forcing a login. You could leverage this to avoid additional login screens in your app while still protecting API access.

answered 2 months ago
reviewed a month ago
  • Thank you!

    When you say "implement the OAuth2 flows yourself", do I do that with "ALLOW_CUSTOM_AUTH" on the user group?

  1. Why You Need a Hosted UI for Custom OAuth2 Scopes:

    • AWS uses a Hosted UI to make it easier and more secure for developers to use OAuth2 features, like custom scopes. Even if you have your own login UI in your game, AWS requires using these OAuth2 features through their Hosted UI to ensure security standards are met. You can still use your game's UI, but behind the scenes, you'll need to interact with AWS's system for the secure parts.
  2. Why API Gateway Accepts ID Tokens by Default:

    • API Gateway allows using ID Tokens for simplicity and flexibility. While it's easier to start with, using ID Tokens isn't the best for security because they contain personal information. The better practice is to use Access Tokens, which are meant for accessing APIs without including personal details.

Simplified Recommendations:

  • For Your Game: You can keep your custom login UI. To use advanced security features, you'll interact with AWS's system in the background. This way, you keep your game's look and feel while still being secure.

  • Use Access Tokens for APIs: When your game talks to your servers (APIs), use Access Tokens. They're safer because they don't carry personal info and limit what each token can do.

  • Keep Your Game Secure: Make sure only authorized users can access your game's servers. Use all the security tools AWS offers, like API keys and strict checks, to keep things tight.

answered 2 months ago
  • Thanks! However, this doesn't exactly answer my questions and looks like you pasted my question into ChatGPT.


Greetings. To secure your API Gateway with a Cognito user pool without using the Hosted UI for a mobile game, you can:

a) Implement Authentication in Your App: Use AWS Amplify or the AWS SDK for Cognito to handle user authentication within your game's custom UI. This allows you to manage user sessions and obtain tokens directly.

b) Use Tokens for API Requests: Once authenticated, use the accessToken (recommended for API access) or idToken (contains user identity information, use judiciously) to make authenticated requests to your API Gateway endpoints.

c) Directly Interact with Cognito's OAuth2 Endpoints: If you need custom scopes, directly call Cognito’s OAuth2 endpoints (/oauth2/token and /oauth2/authorize) from your app, managing the user credentials and tokens within your game without needing the hosted UI.

answered 2 months ago
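As an added example (not code from this thread or from AWS), these are the claim checks an API backend or custom authorizer performs when it accepts only access tokens, as the accepted answer and point b) above recommend; with the built-in COGNITO_USER_POOLS authorizer, configuring authorization scopes on a method is what makes API Gateway validate the access token rather than the ID token. The issuer, client id and scope names are constructed, and RS256 signature verification against the pool's JWKS is assumed to happen before these checks run.

```python
import base64
import json
import time

# Constructed sample values (not from the original thread). Cognito issuers
# have the form https://cognito-idp.<region>.amazonaws.com/<user pool id>.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "example-game-app-client"
NOW = 1_700_000_000  # fixed clock so the sample is reproducible

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims):
    # Header and payload are real JWT segments; the signature is a placeholder,
    # so these tokens only exercise the claim checks below.
    return ".".join([_b64url({"alg": "RS256", "kid": "constructed"}), _b64url(claims), "sig"])

def decode_claims(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_access_token(token, required_scopes, issuer=ISSUER, client_id=CLIENT_ID, now=None):
    """Return None if the token is acceptable, otherwise the reason for rejection.
    Assumes the RS256 signature was already verified against the pool's JWKS."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    if claims.get("token_use") != "access":
        return "rejected: token_use is %r, only access tokens are accepted" % claims.get("token_use")
    if claims.get("iss") != issuer:
        return "rejected: issuer mismatch"
    if claims.get("client_id") != client_id:  # ID tokens carry `aud`, access tokens `client_id`
        return "rejected: client_id mismatch"
    if claims.get("exp", 0) <= now:
        return "rejected: expired"
    missing = set(required_scopes) - set(claims.get("scope", "").split())
    if missing:
        return "rejected: missing scope(s) " + ", ".join(sorted(missing))
    return None

# Two constructed tokens: an access token with custom scopes, and an ID token
# that a client might wrongly send to the API instead.
ACCESS_TOKEN = make_token({"token_use": "access", "iss": ISSUER, "client_id": CLIENT_ID,
                           "exp": NOW + 3600, "scope": "game-api/play game-api/read"})
ID_TOKEN = make_token({"token_use": "id", "iss": ISSUER, "aud": CLIENT_ID,
                       "exp": NOW + 3600, "email": "player@example.com"})
```

Custom scope names follow Cognito's `<resource server identifier>/<scope name>` form, and an ID token fails the very first check because its `token_use` claim is `id`.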
