Trying to set up User Pool authentication for API Gateway (tags: authentication, user, API, Gateway)

2023-09-07 10:34:04 Author: 山沟,帅小伙

I'm trying to setup security on an API using Cognito user pools. I'm getting back 401 Unauthorized.

The API and User Pools are existing, and I've been using the user pool to log into an application. I'm now trying to secure the API calls.

I created an authorizer on the API,

Then I added the authorizer to one GET method in the API

Then finally I tried to test the API in Postman. I'm using the AWS Signature authorization.

Calling the method returns 401. The method functioned before with no security, and turning off the authorizer makes it work again (without security).

Any ideas what step I'm missing?

Recommended answer

The AWS Signature authorization is different than a Custom Authorizer.

The AWS Signature authorization (Postman) requests an AWS AccessKey and SecretKey to authenticate requests. This corresponds to IAM Authentication in API Gateway. The AccessKey and SecretKey are received through IAM.

A Custom Authorizer takes a JWT called #id_token that is issued by your specified Cognito User Pool. To test the validity of the token, go to your custom authorizer and click test, and then copy and paste the token into the text area.

The way to perform the Custom Authorizer authentication is this:

1. Obtain an #id_token from your user pool by following AWS Configuration.
2. Configure API Gateway with a Cognito custom authorizer with your user pool as the source (it seems that you have done this correctly).
3. Use OAuth 2.0 as the Authorization in Postman, with your #id_token as the Access Token, or add the header Authorization with the value Bearer and the #id_token.

Drop a comment if you want me to add the AWS Signature Auth Flow.
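As an added example (not code from the question or the answer above), the following Python script builds the Bearer header the answer asks for and triages an incoming Authorization header the way a Cognito user pool authorizer would see it, so the 401 from Postman's AWS Signature option is explained rather than guessed at. The region, pool id and all tokens are constructed placeholders, and the script does only structural checks (no signature verification).

```python
import base64
import json

# Assumed pool identity (hypothetical placeholders): take the real values from the Cognito console.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

def _b64url_json(segment):
    """Decode one base64url JWT segment into a dict, restoring stripped padding."""
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))

def bearer_header(id_token):
    """The header the answer asks for: Authorization: Bearer <id_token>."""
    return {"Authorization": f"Bearer {id_token}"}

def triage_authorization(header_value):
    """Explain why a Cognito user pool authorizer would accept or reject a request header.
    Structural checks only: the RS256 signature is verified by API Gateway against the
    pool's JWKS, so this is a diagnostic for a 401, not a replacement for that check."""
    if header_value is None:
        return "reject: no Authorization header"
    if header_value.startswith("AWS4-HMAC-SHA256"):
        return "reject: SigV4 (IAM auth) header; a user pool authorizer expects a Cognito JWT"
    token = header_value[7:] if header_value.startswith("Bearer ") else header_value
    parts = token.split(".")
    if len(parts) != 3:
        return "reject: not a three-part JWT"
    try:
        claims = _b64url_json(parts[1])
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueError subclasses
        return "reject: JWT payload is not base64url-encoded JSON"
    if claims.get("token_use") != "id":  # access tokens only work when the method defines OAuth scopes
        return "reject: token_use is %r, the flow above needs the id_token" % claims.get("token_use")
    if claims.get("iss") != EXPECTED_ISSUER:
        return "reject: issuer %r is not the user pool configured on the authorizer" % claims.get("iss")
    return "accept: id_token from the configured pool (signature and expiry still checked by AWS)"

def _constructed_jwt(claims):
    """Unsigned, constructed JWT for offline demonstration only; never accepted by AWS."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(claims)}.constructed-signature"

# Constructed sample inputs: what Postman's AWS Signature option sends versus what is required.
SIGV4_HEADER = "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20230907/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-date, Signature=00"
ID_TOKEN = _constructed_jwt({"token_use": "id", "iss": EXPECTED_ISSUER, "sub": "user-1"})
ACCESS_TOKEN = _constructed_jwt({"token_use": "access", "iss": EXPECTED_ISSUER, "sub": "user-1"})
```

Run `triage_authorization(SIGV4_HEADER)` and `triage_authorization(bearer_header(ID_TOKEN)["Authorization"])` side by side to see the rejected and accepted cases.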