Securing AWS HTTP APIs with JWT Authorizers

Learn about securing HTTP APIs built on AWS API Gateway using JWT authorization.

Brought to you by John Brennan.

Read on


Please let us know if you have any questions!

Thanks for a great post :+1:
What are your thoughts on the next stage options - Using Cognito Groups/Roles to give finer control access to the APIs. Some users have Get access and some have post? and how could this get surfaced going forward - Visible audits of API access layer?

I’m sure @john.brennan will address that once he’s online!

Hi Julian! Those are great questions.

Regarding API access control - once you have your Authorizer configured, you can specify authorization scopes that are required to access the route:

This configures the Authorizer to inspect the scope claim inside the JWT. More information on that is available in the JWT Authorizer docs. If you’re using Cognito as your identity provider, custom scopes can be added to your access tokens by adding a Resource server to your User Pool.

As far as Cognito Groups/Roles go, JWT Authorizers don’t treat access tokens from Cognito any differently than those originating from other identity providers, so there’s no configuration options for leveraging Cognito groups/roles in the Authorizer configuration (unlike API Gateway Rest APIs, which can be configured to use Cognito User Pools as an Authorizer.)

That said: access tokens from Cognito do include Groups as a custom claim in the token payload in the cognito:groups property, which could be accessed within your Lambda from the context object. I haven’t tested this yet, but I believe you could get the groups using['cogito:groups']. Using this, you could manually check the access token’s associated groups inside your Lambda implementation.

To your question about logging: HTTP APIs can write access logs to CloudWatch. If there are specific JWT claims you want to add to the logs, they’re available as logging variables. That should provide visibility into the access layer of your HTTP API.

Hope that answered your questions - glad you enjoyed the article!

Hi John

Really useful tutorial which I am trying to combine with Holly’s tutorial using within Vuejs. I got everything working with the JWT tokens and get make queries using curl and Postman.

However I have run into a problem with using CORS in the new AWS API Gateway HTTP API.

I have enabled it and set the Access-Control-Allow-Origin to * however Holly’s VueJS app keeps saying that there isn’t that appropriate header.

If I check the response headers and i can confirm that header hasn’t been applied.

Any ideas how I can get this to work?

This was a great post, I was looking for a step by step tutorial and this checked all the boxes.


Glad that you liked it @kcooper! Huge kudos @john.brennan!