AWS apigateway medium security documentation change
Summary
Explicitly stated access tokens cannot be used to test Cognito authorizers
Security assessment
Prevents potential misconfiguration by clarifying only identity tokens are valid for testing, addressing authorization security controls
Diff
diff --git a/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.md b/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.md index 481c17238..6abf8fadd 100644 --- a//apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.md +++ b//apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.md @@ -41 +41,3 @@ You can use a stage variable to define your user pool. Use the following format - 5. After creating the `COGNITO_USER_POOLS` authorizer, you can optionally test invoke it by supplying an identity token that's provisioned from the user pool. You can obtain this identity token by calling the [Amazon Cognito Identity SDK](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-integrate-apps.html) to perform user sign-in. You can also use the [`InitiateAuth`](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) action. If you do not configure any **Authorization scopes** , API Gateway treats the supplied token as an identity token. + 5. After creating the `COGNITO_USER_POOLS` authorizer, you can test invoke it by supplying an identity token that's provisioned from the user pool. You can't use an access token to test invoke your authorizer. + +You can obtain this identity token by calling the [Amazon Cognito Identity SDK](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-integrate-apps.html) to perform user sign-in. You can also use the [`InitiateAuth`](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html) action. If you do not configure any **Authorization scopes** , API Gateway treats the supplied token as an identity token.