@liflig/cdk

    Type Alias CognitoUserPoolAuthorizerProps<AuthScopesT>

    type CognitoUserPoolAuthorizerProps<AuthScopesT extends string = string> = {
        credentialsForInternalAuthorization?: string;
        requiredScope?: AuthScopesT;
        userPool: IUserPool;
    }

    Type Parameters

    • AuthScopesT extends string = string

    Properties

    credentialsForInternalAuthorization?: string

    Name of a secret in AWS Secrets Manager that stores the basic auth credentials for the backend service; they are forwarded to the backend only when Cognito user pool authentication succeeds.

    The secret value must follow this format:

    { "username": "<username>", "password": "<password>" }
    

    This prop solves the following use-case:

    • You want to do Cognito user pool authentication in the API Gateway
    • You want an additional auth check in the backend, but you don't want to deal with Cognito there
    • The backend uses basic auth

    This prop solves this by letting you specify credentials to pass to the backend after API-GW authentication succeeds. You can pass the encoded credentials through AlbIntegrationProps.mapParameters, using the authorizer.internalAuthorizationHeader context variable, like so:

    mapParameters: (parameters) => parameters.overwriteHeader(
        // 'Authorization' header cannot be overridden, so we use a custom header
        "X-Internal-Authorization",
        apigw.MappingValue.contextVariable("authorizer.internalAuthorizationHeader"),
    )

    The backend can then check the X-Internal-Authorization header.

    requiredScope?: AuthScopesT

    Verifies that access token claims contain the given scope.

    When defined as part of a resource server, scopes have the format {resource server identifier}/{scope name}, e.g. external/view_users.

    To get more type safety on this parameter, see the docs for the AuthScopesT type parameter on ApiGateway.
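    The two checks described above, written out as an added example that is not part of @liflig/cdk: the backend side of credentialsForInternalAuthorization (building the expected X-Internal-Authorization value from the secret format and comparing it in constant time) and the requiredScope check against the access token's scope claim. It assumes the forwarded header is a standard HTTP basic-auth value ("Basic " + base64 of username:password) and that Cognito puts granted scopes in a space-separated "scope" claim; the function names are hypothetical.

```typescript
import { timingSafeEqual } from "crypto";

// Shape of the Secrets Manager value: { "username": "<username>", "password": "<password>" }
interface InternalAuthCredentials {
  username: string;
  password: string;
}

// Builds the value expected in X-Internal-Authorization from the raw secret JSON.
// Assumption: the authorizer forwards a standard basic-auth value ("Basic " + base64).
function buildInternalAuthorizationHeader(secretJson: string): string {
  const creds = JSON.parse(secretJson) as Partial<InternalAuthCredentials>;
  if (typeof creds.username !== "string" || typeof creds.password !== "string") {
    throw new Error('secret must be { "username": "<username>", "password": "<password>" }');
  }
  const encoded = Buffer.from(`${creds.username}:${creds.password}`, "utf8").toString("base64");
  return `Basic ${encoded}`;
}

// Backend check of the forwarded header. Length is compared first (timingSafeEqual
// requires equal lengths), then the bytes are compared in constant time so a
// near-miss does not take measurably longer to reject than a random guess.
function checkInternalAuthorization(headerValue: string | undefined, expected: string): boolean {
  if (headerValue === undefined) return false;
  const received = Buffer.from(headerValue, "utf8");
  const wanted = Buffer.from(expected, "utf8");
  if (received.length !== wanted.length) return false;
  return timingSafeEqual(received, wanted);
}

// requiredScope check: the access token's "scope" claim is a space-separated list of
// "{resource server identifier}/{scope name}" entries; require an exact entry match,
// never a prefix match (e.g. "external/view" must not satisfy "external/view_users").
function hasRequiredScope(claims: { scope?: string }, requiredScope: string): boolean {
  const granted = (claims.scope ?? "").split(" ").filter((s) => s.length > 0);
  return granted.includes(requiredScope);
}

// Constructed sample values, for illustration only.
const sampleSecret = JSON.stringify({ username: "svc-user", password: "s3cret" });
const expectedHeader = buildInternalAuthorizationHeader(sampleSecret);
console.log(checkInternalAuthorization(expectedHeader, expectedHeader)); // true
console.log(hasRequiredScope({ scope: "openid external/view_users" }, "external/view_users")); // true
```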

    userPool: IUserPool