How do I create and troubleshoot Amazon Cognito and API Gateway integrations?


I want to create and troubleshoot Amazon Cognito and Amazon API Gateway integrations.

Resolution

To create and troubleshoot authorizers with API Gateway REST APIs or API Gateway HTTP APIs, complete the following steps:

Authorizers with API Gateway REST APIs

Create Amazon Cognito authorizers

To create an authorizer for a REST API, see How do I set up an Amazon Cognito user pool as an authorizer on an API Gateway REST API?

Troubleshoot Amazon Cognito authorizers

Authorizers in Amazon Cognito use either identity tokens or access tokens for authorization. If you receive 4xx errors, then the OAuth Scopes option is misconfigured in the API Gateway console.

To use an identity token for authorization, leave the OAuth Scopes option blank. To use an access token for authorization, configure OAuth Scopes. For more information, see Integrate a REST API with an Amazon Cognito user pool.
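
To check which token type a client is sending against the OAuth Scopes setting described above, the following Python helper decodes the token's claims without verifying the signature and reports a mismatch. It is an added example, not code from this article or from AWS; the sample tokens, the `orders/...` scope names, and the rule that one matching scope is sufficient are assumptions.

```python
import base64
import json
import time


def decode_claims(token):
    """Return the JWT payload unverified (troubleshooting only, not authorization)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose(token, method_scopes, now=None):
    """Compare a token with the method's OAuth Scopes ([] = left blank)."""
    claims = decode_claims(token)
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return "expired: request a new token"
    use = claims.get("token_use")  # Cognito sets this to "id" or "access"
    if not method_scopes:
        if use == "id":
            return "ok"
        return "mismatch: OAuth Scopes is blank, send the identity token"
    if use != "access":
        return "mismatch: OAuth Scopes is set, send the access token"
    granted = set(claims.get("scope", "").split())
    # Assumption: one matching scope is enough for the call to be authorized.
    if granted & set(method_scopes):
        return "ok"
    return "mismatch: token has none of the configured scopes"


def make_token(claims):
    """Build an unsigned, constructed sample token (placeholder signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "placeholder-signature"])


# Constructed sample tokens, not real Cognito output.
ID_TOKEN = make_token({"token_use": "id", "exp": 2000000000})
ACCESS_TOKEN = make_token({"token_use": "access", "scope": "orders/read", "exp": 2000000000})

if __name__ == "__main__":
    cases = [(ID_TOKEN, []), (ACCESS_TOKEN, []), (ID_TOKEN, ["orders/read"]),
             (ACCESS_TOKEN, ["orders/read"]), (ACCESS_TOKEN, ["orders/write"])]
    for tok, scopes in cases:
        print(decode_claims(tok)["token_use"], scopes, "->", diagnose(tok, scopes))
```

The decoded claims are for diagnosis only; the authorizer remains the component that validates the token.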

To troubleshoot 401 Unauthorized errors, see How do I troubleshoot "401 Unauthorized" errors from an API Gateway REST API endpoint after I've set up an Amazon Cognito user pool?

To troubleshoot HTTP 500 internal errors, check the configuration of your user pool's pre-token generation AWS Lambda trigger. If the Lambda trigger fails to run, then the user pool endpoint can't return identity tokens and an HTTP 500 error occurs. For more information, see Customizing user pool workflows with Lambda triggers.

Create Lambda authorizers

To create an API Gateway Lambda authorizer for a REST API, see Steps to create an API Gateway Lambda authorizer.

Troubleshoot Lambda authorizers

To troubleshoot 401 Unauthorized errors, see Why am I getting API Gateway 401 Unauthorized errors after creating a Lambda authorizer?

Authorizers with API Gateway HTTP APIs

Create JWT authorizers

To create a JSON Web Token (JWT) authorizer, configure an identity provider that issues JWTs. After you attach a JWT authorizer to a route, clients must include a JWT from the identity provider in API requests. API Gateway validates the JWT's claims, and then allows or denies requests based on the validation. For more information, see Controlling access to HTTP APIs with JWT authorizers.

Troubleshoot JWT authorizers

To troubleshoot JWT authorizer errors, see Troubleshooting issues with HTTP API JWT authorizers and How to secure API Gateway HTTP endpoints with JWT authorizer. To validate JWTs, see Verifying a JSON Web Token.

Create Lambda authorizers

To create an API Gateway Lambda authorizer for an HTTP API, see Create a Lambda authorizer.

Troubleshoot Lambda authorizers

To resolve 500 Internal Server errors and other related errors, see Troubleshooting Lambda authorizers.