Cognito oauth2 send only access token

I am authenticating a user from Cognito and I need to make a request to my API with the token that is received. My external API only accepts tokens of the id type and does not accept the access type that is normally sent when I perform an api.asUser().withProvider(…).fetch(…). In my API I need the email, picture and name fields to exist in the token sent, so I need tokenUse: id_token. I have tried several ways to do this but have not been successful. Is it possible to do this? What paths should I follow?

Hey Pietro, I recently struggled through this.

The forge oauth2 wrapper only works with oauth2 access tokens (not id tokens) because the retrieveProfile action your forge app manifest configures for the cognito endpoint (https://docs.aws.amazon.com/cognito/latest/developerguide/userinfo-endpoint.html) only accepts an access token, not an id token.

So you need to configure API Gateway (I assume this is what you’re using if you mentioned your API only accepts id tokens) and cognito to authorize access tokens, which is mostly detailed through the docs linked in this answer amazon web services - API Gateway Cognito Authorizer not authorizing Access Token but will authorize Id Token: 401 Unauthorized - Stack Overflow (also just a lot of googling “api gateway 401 access token”). Make sure you redeploy your API after making the API Gateway changes for them to take effect.

Also make sure you configure forge to request the custom scope you set up (even if you don’t use it for anything, I think API gateway needs that scope present just to initiate access token authorization instead of id token, not 100% sure on this).

Then finally once your auth’d request makes it to your API, use the cognito client (I’ve linked the JS one, but should work in other languages) to fetch the user info if you need the extra data contained in the id token like custom fields (see link in next comment, I can only put 2 in this post??? thanks atlassian)

Hope that saves you some of the struggles I’ve had with this process, the fact it isn’t easier to work with access tokens out of the box on cognito/API gateway is very frustrating.

2 Likes
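As an added example (not code from the original thread or from Forge/AWS), here is the claim-level check an API could run after API Gateway's Cognito authorizer has already verified the JWT signature: it tells an id token from an access token, checks the custom scope, and reports whether the profile fields must be fetched with GetUser instead. The scope name, client id and token contents are constructed placeholders.

```javascript
// Reads the payload of an already signature-verified Cognito JWT. Never use this
// on its own as authorization: the signature check stays with the authorizer.
const REQUIRED_PROFILE_CLAIMS = ["email", "name", "picture"];

// base64url-encode a JSON object (only used to build the constructed samples below).
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}

function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT: expected header.payload.signature");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns what kind of Cognito token this is and what the API still has to look up.
function inspectCognitoToken(jwt, requiredScope, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(jwt);
  const tokenUse = claims.token_use; // Cognito sets "id" or "access"
  // Access tokens carry a space-separated scope string; id tokens carry none.
  const scopes = typeof claims.scope === "string" ? claims.scope.split(" ") : [];
  const missingProfileClaims = REQUIRED_PROFILE_CLAIMS.filter((c) => !(c in claims));
  return {
    tokenUse,
    expired: typeof claims.exp === "number" && claims.exp <= nowSeconds,
    hasRequiredScope: scopes.includes(requiredScope),
    missingProfileClaims,
    // Profile fields only exist in the id token; with an access token the API
    // must call Cognito GetUser (as the answer above suggests) to obtain them.
    needsUserInfoLookup: tokenUse === "access" && missingProfileClaims.length > 0,
  };
}

// Constructed sample tokens: header and signature are placeholders, values are made up.
const HEADER = b64url({ alg: "RS256", kid: "constructed-kid" });
const SAMPLE_ID_TOKEN = [HEADER, b64url({
  token_use: "id", aud: "constructed-client-id", exp: 4102444800,
  email: "jane@example.com", name: "Jane Doe", picture: "https://example.com/jane.png",
}), "placeholder-signature"].join(".");
const SAMPLE_ACCESS_TOKEN = [HEADER, b64url({
  token_use: "access", client_id: "constructed-client-id", exp: 4102444800,
  scope: "aws.cognito.signin.user.admin myapi/read",
}), "placeholder-signature"].join(".");
```

Running `inspectCognitoToken(SAMPLE_ACCESS_TOKEN, "myapi/read")` reports `needsUserInfoLookup: true` with all three profile claims missing, which is exactly the situation the answer describes.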

Cognito client docs link: