I'm using AWS Cognito User Pool with AWS API Gateway Cognito User Pool authorizer. It expects the Authorization header to be set to the ID token. However, AWS Amplify Android SDK passes the access token which is wrong. I have applied a workaround currently to intercept the requests and provide the correct value for the header. However, I feel like the Android SDK should support this OOTB.
Amplify configuration json
{
  "UserAgent": "aws-amplify-cli/2.0",
  "Version": "1.0",
  "auth": {
    "plugins": {
      "awsCognitoAuthPlugin": {
        "CognitoUserPool": {
          "Default": {
            "PoolId": "[redacted]",
            "AppClientId": "[redacted]",
            "Region": "us-east-1"
          }
        },
        "Auth": {
          "Default": {
            "authenticationFlowType": "USER_SRP_AUTH"
          }
        }
      }
    }
  },
  "api": {
    "plugins": {
      "awsAPIPlugin": {
        "myApi": {
          "endpointType": "REST",
          "endpoint": "https://[redacted].execute-api.us-east-1.amazonaws.com/dev",
          "region": "us-east-1",
          "authorizationType": "NONE" // "AMAZON_COGNITO_USER_POOLS" injects access token
        }
      }
    }
  }
}
Current Workaround
Added an interceptor to fetch the ID token from the current auth session.
val apiPlugin = AWSApiPlugin.builder()
    .configureClient("dynamicScreensApi") { okHttpBuilder ->
        okHttpBuilder.addInterceptor { chain ->
            // Blocks the OkHttp thread while the auth session is fetched
            runBlocking {
                val session = Amplify.Auth.fetchAuthSession() as AWSCognitoAuthSession
                val idToken = session.userPoolTokensResult.value?.idToken
                val originalRequest = chain.request()
                // Send the ID token, not the access token, in the Authorization header
                val updatedRequest = originalRequest.newBuilder()
                    .addHeader("Authorization", "$idToken")
                    .build()
                chain.proceed(updatedRequest)
            }
        }
    }
    .build()
Amplify.addPlugin(apiPlugin)
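An added example, not part of the original post or of the Amplify SDK: a guard for an interceptor like the one above that reads the Cognito `token_use` claim ("id" or "access") and fails closed when the session holds no ID token, rather than sending a header anyway. `tokenUse`, `withIdToken` and `sample` are hypothetical names, the sample tokens and URL are constructed, and the code assumes OkHttp and `org.json` on the classpath and `java.util.Base64` (Android API 26+).

```kotlin
import java.io.IOException
import java.util.Base64
import okhttp3.Request
import org.json.JSONException
import org.json.JSONObject

// Returns the Cognito "token_use" claim ("id" or "access"), or null if the
// string is not a three-part JWT with a JSON payload. The signature is not
// checked here; this only guards against sending the wrong kind of token.
fun tokenUse(jwt: String?): String? {
    val parts = jwt?.split(".") ?: return null
    if (parts.size != 3) return null
    return try {
        val payload = String(Base64.getUrlDecoder().decode(parts[1]), Charsets.UTF_8)
        JSONObject(payload).optString("token_use").ifEmpty { null }
    } catch (e: IllegalArgumentException) {
        null // payload was not valid base64url
    } catch (e: JSONException) {
        null // payload was not a JSON object
    }
}

// Hypothetical helper for the interceptor: fail closed unless we hold an ID token.
fun withIdToken(request: Request, idToken: String?): Request {
    val token = idToken?.takeIf { tokenUse(it) == "id" }
        ?: throw IOException("No Cognito ID token in session; request not sent")
    // header() replaces any Authorization value that is already set
    return request.newBuilder().header("Authorization", token).build()
}

// Constructed, unsigned sample token (header.payload.signature) for a local run.
private fun sample(use: String): String {
    val enc = Base64.getUrlEncoder().withoutPadding()
    val header = enc.encodeToString("""{"alg":"none"}""".toByteArray())
    val payload = enc.encodeToString("""{"token_use":"$use"}""".toByteArray())
    return "$header.$payload.sig"
}

fun main() {
    val request = Request.Builder().url("https://api.example.invalid/dev/items").build()
    val sent = withIdToken(request, sample("id"))
    println("token_use sent: " + tokenUse(sent.header("Authorization")))
    for (bad in listOf(sample("access"), null)) {
        try { withIdToken(request, bad) } catch (e: IOException) { println(e.message) }
    }
}
```

Inside the interceptor, `withIdToken(chain.request(), idToken)` would take the place of the `newBuilder().addHeader(...)` call; an `IOException` thrown there fails the call through OkHttp's normal error path.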