API gateway not accepting the token received from @aws-sdk/client-cognito-identity-provider using AdminInitiateAuthCommand

[hirenchauhan2]

I'm authenticating users via Username/Password on my Nodejs server using the AdminInitiateAuthCommand with AuthFlow as ADMIN_USER_PASSWORD_AUTH. I'm getting the response as below structure:

{
  authentication: {
    '$metadata': {
      httpStatusCode: 200,
      requestId: '....',
      extendedRequestId: undefined,
      cfId: undefined,
      attempts: 1,
      totalRetryDelay: 0
    },
    AuthenticationResult: {
      AccessToken: 'Token....',
      ExpiresIn: 86400,
      IdToken: 'Token.....',
      RefreshToken: 'Token.....',
      TokenType: 'Bearer'
    },
    ChallengeParameters: {}
  }
}

The AccessToken then used for authenticating the REST APIS via authorizer set in API Gateway using custom header and not using standard Authorization header. Previously, I was using the amazon-cognito-identity-js package to authenticate users and passing the access token as response to clients (browser & mobile app) and it was working totally fine without any issues.

After I changed my code from this:

import {
  CognitoUserPool,
  AuthenticationDetails,
  CognitoUser,
  CognitoUserSession,
} from 'amazon-cognito-identity-js';

export class CognitoService {
  async authenticateUser(
    username: string,
    password: string
  ): Promise<CognitoUserSession> {
    const authenticationData = {
      Username: username,
      Password: password,
    };
    const authenticationDetails = new AuthenticationDetails(authenticationData);
    const cognitoUser = new CognitoUser({
      Username: authenticationData.Username,
      Pool: UserPool,
    });
    return new Promise<CognitoUserSession>((resolve, reject) => {
      cognitoUser.authenticateUser(authenticationDetails, {
        onSuccess: (result) => {
          resolve(result);
        },
        onFailure: (err) => {
          reject(err);
        },
      });
    });
  }

To this:

import {
  CognitoIdentityProviderClient,
  ForgotPasswordCommand,
  SignUpCommand,
  AuthFlowType,
  AdminInitiateAuthCommand,
} from '@aws-sdk/client-cognito-identity-provider';

export class CognitoService {
  private cognitoClient: CognitoIdentityProviderClient;
  constructor() {
    this.cognitoClient = new CognitoIdentityProviderClient({
      region: environment.AWS_REGION,
      credentials: {
        accessKeyId: environment.AWS_ACCESS_KEY_ID,
        secretAccessKey: environment.AWS_SECRET_ACCESS_KEY,
      },
    });
  }

  async authenticateUser(username: string, password: string) {
    const command = new AdminInitiateAuthCommand({
      ClientId: userPoolData.ClientId,
      UserPoolId: userPoolData.UserPoolId,
      AuthFlow: AuthFlowType.ADMIN_USER_PASSWORD_AUTH,
      AuthParameters: { USERNAME: username, PASSWORD: password },
    });

    return this.cognitoClient.send(command);
  }
}

I had to change the code to get the tokens from previous and new responses from the authenticateUser method but overall, the nothing else changed majorly.

Old response handling of authenticateUser:

const authentication = await this.cognitoService.authenticateUser(
  email,
  password
);
const refreshToken = authentication.getRefreshToken().getToken();
const authToken = authentication.getIdToken().getJwtToken();
// other operations...

And new way:

const authentication = await this.cognitoService.authenticateUser(
  email,
  password
);
const refreshToken = authentication.AuthenticationResult.RefreshToken;
const authToken = authentication.AuthenticationResult.AccessToken;
// other operations      

I even manually checked in API Gateway test authorizer to see if the generated token works or not, there also I go 401 Unauthorized response: Unauthorized request: request id....

One change I had to make in change Cognito App client was to add the one more Authentication Flow: ALLOW_ADMIN_USER_PASSWORD_AUTH in order to AdminInitiateAuthCommand work, as the normal InitiateAuthCommand does not work for server-side authentication or maybe I'm not understanding it correctly how to use that.

Can anyone help me what am I doing wrong here? or should I just stay with amazon-cognito-identity-js?

Thank you

[RanVaknin]

Hi @hirenchauhan2,

The error you are seeing is returned from your lambda authorizer. After the auth process, you are given a JWT token. You can decode that token manually and examine the contents. Is it different than the one returned by using the other library?

From what I can tell in your first implementation you are using the IdToken, and in the second example you are providing the access token (which normally you would use), is this your intention?

// old:
const authToken = authentication.getIdToken().getJwtToken(); // ID token

// new:
const authToken = authentication.AuthenticationResult.AccessToken;  // access token

// new with ID Token:
const idToken = authentication.AuthenticationResult.IdToken; // ID token

In a lambda authorizer you'd want to use the access token because it contains important information like scope and claims which is normally needed for authorization, whereas an ID token would be more for getting user information.

So maybe your lambda authorizer is authorizing based on user info found in the ID token? This would be up to you to determine how you are handling auth on your lambda authorizer. I suggest you give this article a read as it highlights how a Lambda Authorizer works.

All the best,
Ran~

[hirenchauhan2]

Thanks for the reply @RanVaknin, it was ID token that I needed for my case. We're only checking the user info to confirm existence of user in cognito and handle the authorization at application level.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.