Getting error 401 when calling a POST REST API through API Gateway integrated with Cognito

0

Hello everybody.

I made a simple application in JavaScript that calls a POST REST API in API Gateway. The authorization is through a user pool I configured in Cognito. I do the authentication through my application with the username and password, and it works fine, but when I tried to call the POST request I got the error 401. I do use a Lambda function in the Integration Request of API Gateway to insert the information (payload) in a DynamoDB. I'm using the idtoken to make the request, look:

```javascript
fetch(
  "https://4naofqo682.execute-api.us-east-1.amazonaws.com/dev/compare-yourself",
  {
    method: "POST",
    headers: {
      Authorization: `Bearer ${idToken}`, // Send the ID token in the Authorization header
      "Content-Type": "application/json",
    },
    body: JSON.stringify(payload),
  }
)
```

In CloudWatch, I tried to configure some logs and I got this:

```
(31e2b5af-2d25-4c71-8205-a0d391b4b0cf) Gateway response body: "statusCode": "", "errorMessage": ""Unauthorized"", "requestId": "31e2b5af-2d25-4c71-8205-a0d391b4b0cf", "resourcePath": "/compare-yourself", "httpMethod": "POST", "sourceIp": "201.93.71.229", "userAgent": "curl/8.7.1", "claims": ""
```

The claims look strange to me, but I'm not sure.

When I test the token in Test Authorizer, the token is valid.

Also, I tested with both curl and Postman and I got the same error.

Any help?

1 Answer
-1

The 401 Unauthorized error you're encountering when calling your POST REST API through API Gateway integrated with Cognito could be due to a few reasons:

  1. Token Type Mismatch: You're using the ID token for authorization, but the API might be configured to expect an access token instead. Cognito uses different token types for different purposes. The ID token is primarily used for authentication, while the access token is used for authorization.

  2. OAuth Scopes Configuration: If your API is set up to use access tokens, the OAuth Scopes option in the API Gateway console might be misconfigured. For access token authorization, you need to properly configure the OAuth Scopes. If you're using ID tokens, the OAuth Scopes should be left blank.

  3. Authorizer Configuration: Ensure that your Cognito authorizer is correctly set up in API Gateway. Double-check that the user pool and app client settings in API Gateway match those in your Cognito configuration.

  4. Token Expiration: Verify that the token you're using hasn't expired. Tokens have a limited lifetime, and using an expired token will result in a 401 error.

To troubleshoot this issue:

  1. Check your API Gateway configuration to confirm whether it's set up for ID tokens or access tokens.

  2. If using access tokens, ensure the OAuth Scopes are correctly configured in the API Gateway console.

  3. Verify that the Cognito authorizer settings in API Gateway are correct and match your Cognito user pool configuration.

  4. Try using an access token instead of an ID token in your API calls. You may need to adjust your authentication flow to request and use the appropriate token type.

  5. Check the token's expiration and ensure you're using a fresh, valid token for each request.

  6. Review your Cognito user pool settings, particularly the app client configuration, to ensure it's set up correctly for the type of authorization you're attempting.

If the issue persists after checking these points, you may want to enable more detailed logging in API Gateway and Cognito to get more information about the authorization process and any specific errors occurring.
Sources
Create and troubleshoot Cognito and API Gateway integrations | AWS re:Post
Configuring machine to machine Authentication with Amazon Cognito and Amazon API Gateway – Part 2 | AWS Cloud Operations & Migrations Blog

answered 2 months ago
  • I have tried all the suggestions but I am still getting the 401 error.

  • Something I tried that worked: when I removed the Cognito integration option in the API Gateway request method, my Lambda function was called, the token was validated and it returned status 200. Anyway, I still don't understand why this integration with Cognito doesn't work.
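
The checks listed in the answer (token type, expiry, user pool, app client, scopes) can be run locally on the token before it is sent. The following is an added example, not code from the original question or answer; the function names, the `expected` object and the sample pool ID, client ID and scope are assumptions, and the script only decodes claims without verifying the signature.

```javascript
// Added example: decode-only triage of a Cognito JWT. It does NOT verify the signature.
function b64urlJson(part) {
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// `expected` holds the caller's assumptions: { issuer, clientId, tokenUse, scopes }.
function triageCognitoToken(headerValue, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const token = headerValue.replace(/^Bearer\s+/i, "").trim();
  const parts = token.split(".");
  if (parts.length !== 3) return ["not a three-part JWT"];
  let claims;
  try { claims = b64urlJson(parts[1]); } catch { return ["payload is not base64url JSON"]; }

  const findings = [];
  if (claims.token_use !== expected.tokenUse)
    findings.push(`token_use is "${claims.token_use}", expected "${expected.tokenUse}"`);
  if (typeof claims.exp !== "number" || claims.exp <= nowSec)
    findings.push("token is expired or has no exp claim");
  if (claims.iss !== expected.issuer)
    findings.push(`iss "${claims.iss}" is not the expected user pool`);
  // ID tokens carry the app client ID in "aud"; access tokens carry it in "client_id".
  const client = claims.token_use === "id" ? claims.aud : claims.client_id;
  if (client !== expected.clientId)
    findings.push(`app client "${client}" is not the expected one`);
  // Scopes only exist on access tokens; one match with the method's scopes is enough.
  if (claims.token_use === "access" && expected.scopes?.length) {
    const granted = (claims.scope || "").split(" ");
    if (!expected.scopes.some((s) => granted.includes(s)))
      findings.push("access token carries none of the expected scopes");
  }
  return findings;
}

// Builds an unsigned, constructed sample token so the check runs offline.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", kid: "constructed" })}.${enc(claims)}.c2ln`;
}

// Constructed values: placeholder pool ID, client ID and scope.
const issuer = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE";
const sample = makeSampleToken({ token_use: "id", exp: 2000, iss: issuer, aud: "exampleclient" });
console.log(triageCognitoToken(`Bearer ${sample}`,
  { issuer, clientId: "exampleclient", tokenUse: "access", scopes: ["api/write"] }, 1000));
```

An empty result means the claims match what the caller expects; it says nothing about whether the signature is valid.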