Back

Explore Courses Blog Tutorials Interview Questions
0 votes
1 view
in AWS by (19.1k points)

I have problems getting the authorization of my API on AWS for a Cognito User Pool via HTTP headers (without AWS API Gateway SDK) to work.

My setup:

On AWS:

  • A REST API implemented on AWS Lambda (deployed via Serverless framework),
  • exposed via API Gateway using type LAMBDA_PROXY (no manual mapping)
  • Authorization on API Gateway via the provided "Cognito User Pool authorizer" (no "AWS_IAM" option, no custom coded authorizer)
  • Testing the API via Postman

On the iOS client

  • Registration/Sign-In via AWS Cognito (SDK and UI copied from the AWS Mobile Hub generated demo Xcode project)
  • Accessing the REST API via RestKit, not using the AWSAPIGateway SDK

What is working:

The API methods get properly deployed via serverless.

I can call the public (not set to use the user pool) via Postman.

For the private API methods, I can see the Cognito user pool authorizer set up in the API Gateway management console, including "Identity token source" set to method.request.header.Authorization (the default)

On iOS, I can properly register and log in as a user. I can dump the AWS Credentials details to the console, showing AccessKey, SecretKey and SessionKey.

On iOS, I can query the public API via RestKit.

When I try to call a private API method via Postman, I get back an HTTP error 401 with the body {"message": "Unauthorized"}. (Which is expected, without setting any authorization.)

What fails:

To test the authorization, in Postman, I have tried

The result was always the same 401 error.

What do I need to set as HTTP headers, in order to authorize the calls to the private API? "Authorization" should work - maybe I am missing some role permissions?

How can I better debug the permissions/authorization flow?

1 Answer

0 votes
by (44.3k points)

Use this to get the session:

AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:AWSCognitoUserPoolsSignInProvi‌​derKey]; 

AWSCognitoIdentityUser *user = [pool currentUser]; 

AWSTask<AWSCognitoIdentityUserSession *> *task = [user getSession];

Then “Authorization” header is set to task.result.idToken.tokenString and it works.

Need more information about AWS Lambda? Then read the tutorial on Amazon’s most reliable serverless computing service, AWS Lambda.

Related questions

Want to get 50% Hike on your Salary?

Learn how we helped 50,000+ professionals like you !

0 votes
1 answer
asked Jul 26, 2019 in AWS by yuvraj (19.1k points)
Welcome to Intellipaat Community. Get your technical queries answered by top developers!

28.4k questions

29.7k answers

500 comments

94.6k users

Browse Categories

...