Getting 401 Unauthorized from AWS Cognito + API Gateway when accessing from Postman or cURL

Posted on 2025-01-11 11:32:11

I'm trying to use the token provided by AWS Cognito to access a URL via Postman or cURL, but I'm failing to.

I have used the CloudFormation template below to create an API with JWT authentication.

https://github.com/awsdocs/amazon-api-gateway-developer-guide/blob/main/cloudformation-templates/HTTP/http-with-jwt-auth.yaml

After signing-in, I can access the lambda function using the returned URL and access_token. This works just as expected:

http://<api_url>/?access_token=<token>

But when I try to access it from Postman or cURL using the access_token in the header, it outputs a 401. I was expecting to have access granted.

$ curl -v -X GET <url> -H "Authorization: <token>"
{"message":"Unauthorized"}

What I have tried:

  • I have tried to add 'Content-Type: application/json', but still get 401.
  • I have tried to use Authorization: Bearer <token>, but still get 401.
  • This template only returns the access_token, but another stack I have also returns the id_token, and a 401 is returned for both.
  • The complete returned header is:
HTTP/2 401
date: Thu, 03 Mar 2022 20:12:58 GMT
content-type: application/json
content-length: 26
www-authenticate: Bearer
apigw-requestid: ObIjqhmPIAMEJtA=
* Connection #0 to host <url> left intact
{"message":"Unauthorized"}

Comments (1)

别念他 2025-01-18 11:32:11

The JWT Authorizer is configured as:

JWTAuthorizer:
    Type: AWS::ApiGatewayV2::Authorizer
    Properties: 
      ApiId: !Ref MyAPI
      AuthorizerType: JWT
      IdentitySource: 
        - '$request.querystring.access_token'
      JwtConfiguration: 
        Audience: 
        - !Ref AppClient
        Issuer: !Sub https://cognito-idp.${AWS::Region}.amazonaws.com/${UserPool}
      Name: test-jwt-authorizer

The IdentitySource must be '$request.header.Authorization' in order for it to read from header.Authorization.
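
As an added example (not part of the original answer, and not API Gateway's own code), this local sketch resolves an authorizer's IdentitySource expression against a request and then checks the iss, aud/client_id and exp claims, showing why the header request in the question got a 401. The token, issuer and client ID are constructed, and the signature is not verified.

```python
import base64, json, time

def b64url(obj):
    """Encode a dict as an unpadded base64url JWT segment."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def resolve_identity_source(expr, headers, query):
    """Return the value selected by e.g. '$request.header.Authorization', or None."""
    _, kind, name = expr.split(".", 2)
    if kind == "header":
        # Assumption: matched case-insensitively, as HTTP header names are.
        return {k.lower(): v for k, v in headers.items()}.get(name.lower())
    if kind == "querystring":
        return query.get(name)
    raise ValueError(f"unsupported identity source: {expr}")

def diagnose(expr, headers, query, issuer, audiences, now=None):
    """Explain where a request fails: token lookup first, then claim checks."""
    value = resolve_identity_source(expr, headers, query)
    if not value:
        return f"401: nothing found at {expr}"
    # The token may be sent bare or prefixed with "Bearer ".
    token = value[7:] if value.startswith("Bearer ") else value
    parts = token.split(".")
    if len(parts) != 3:
        return "401: value is not a three-part JWT"
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("iss") != issuer:
        return "401: iss does not match Issuer"
    # Cognito access tokens carry client_id instead of aud.
    aud = claims.get("aud", claims.get("client_id"))
    if not set(aud if isinstance(aud, list) else [aud]) & set(audiences):
        return "401: aud/client_id not in Audience"
    if claims.get("exp", 0) <= (now or time.time()):
        return "401: token expired"
    return "claims ok (signature NOT checked here)"

# Constructed sample values, not taken from the page.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT = "example-app-client-id"
TOKEN = ".".join([b64url({"alg": "RS256"}),
                  b64url({"iss": ISSUER, "client_id": CLIENT, "exp": 4102444800}),
                  "c2ln"])

if __name__ == "__main__":
    hdr = {"Authorization": f"Bearer {TOKEN}"}
    for expr in ("$request.querystring.access_token", "$request.header.Authorization"):
        print(expr, "->", diagnose(expr, hdr, {}, ISSUER, [CLIENT]))
```

Reading the token from the Authorization header also keeps it out of URLs, which commonly end up in access logs and browser history.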
