How can I configure my ASP.NET Core 6 Web API controllers to use AWS Cognito authorization?
This is the code I wrote in my program.cs
file:
var AWSconfiguration = builder.Configuration.GetSection("AWS:Cognito");
var userPoolId = AWSconfiguration["UserPoolId"];
var clientId = AWSconfiguration["ClientId"];
var region = AWSconfiguration["Region"];
builder.Services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
options.Authority = $"https://cognito-idp.{region}.amazonaws.com/{userPoolId}";
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
ValidateIssuer = true,
ValidateAudience = true,
ValidIssuer = $"https://cognito-idp.{region}.amazonaws.com/{userPoolId}",
ValidAudience = clientId,
};
});
I'm getting this error:
www-authenticate: Bearer error="invalid_token",
error_description="The audience 'empty' is invalid"
I validated my clientID in the AWS console.
Thanks for the help
Cognito access tokens don't have an audience claim - though ideally they should. In other authorization servers, APIs check the received access token has the expected logical name, such as api.mycompany.com
.
For Cognito you will need to configure .NET to not validate the audience, similar to this. Other token validation parameters are derived from the metadata endpoint derived from the issuer base URL:
private void ConfigureOAuth(IServiceCollection services)
{
services
.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.Authority = this.configuration.IssuerBaseUrl;
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateAudience = false,
};
});
services.AddAuthorization(options =>
{
options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
});
}
The FallbackPolicy then ensures that authentication is applied globally, except for endpoints annotated with [AllowAnonymous]
.
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments