调用 AWS Cognito 安全端点时获取 401

Question

I have a Cognito user pool. The pool has an application integration for JavaScript that does not have a secret. I am able to login using the following code

  private static async signin(role: UserRole): Promise<string> {
    const user = getUser();

    const cognitoUser = new CognitoUser({
      Username: user.username,
      Pool: "myuserpool"
    });

    const authDetails = new AuthenticationDetails({
      Username: user.username,
      Password: user.password
    });

    return new Promise((resolve, reject): void => {
      cognitoUser.authenticateUser(authDetails, {
        onSuccess: result => {
          this.credentials[role] = result.getIdToken().getJwtToken();
          resolve(this.credentials[role]);
        },
        onFailure: err => {
          console.log(`Failed login to cognito with ${role}: `, err);
          reject(err);
        }
      });
    });
  }

When I make a call to my endpoint with the aws-api-gateway-client, I can see the token attached, but it always returns a 401 unauthorized.

It's super confusing because I can take this token and paste it into the ApiGateway Authorizer and receive a 200 ok. So it seems the token is valid, just not working properly.

EDIT: Here is the flow....

• I have a Cognito user pool
• I can login to that userpool with a username / password and get a token back
• I then set "Authorization": "bearer {token}" on the aws-api-gateway-client request headers.
• The request fails with a 401 Unauthorized
• If I take that same token and paste it in the test section of the ApiGateway Authorizer, It tells me the token is valid.

Answer 1

I don't think you need the "bearer" part for the header value. Cognito authorizers are just looking for the key/token. Try a header of "Authorization": "<token_goes_here>".