Authorization and Authentication for API Gateway



I’m trying to gain an understanding of how the whole authentication and authorization protocols work when used with Cognito. The page on serverless-stack regarding user pool vs identity pool was easily the best one I’ve read yet, but I’m trying to work out if an identity pool is necessary, when I think the custom authorizer on the API Gateway could do the same thing?

1.) Is the authorizer on the API Gateway just the same as the identity pool (do they both confirm authorization)? I see a lot of examples of people using an authorizer on the API Gateway or making calls to CognitoIdentityCredentials, but not both.

2.) What are the implications of using response_type of token instead of getting an access code and doing additional calls with the access code to get authorization code then jwt token to the back end of the third party?

3.) What’s the access token for? Cognito creates both an id token and an access token, and talks about how the access token grants authorization, but I don’t understand? Is it passed into some of the AWS SDK calls?

I understand this might be a little outside of the remit of the serverless tools, but I’ve posted these questions elsewhere to no answer. The main reason we’re looking at using a custom authorizer is to dynamically generate temporary policies that are scoped to a tenantId that’s stored in the user pool. Things like only allowing access to folders that have the tenant id as the name, or rows in DynamoDB that use the tenant id as the partition key. Really appreciate the assistance.
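The tenant-scoped policy generation described in the post, as an added example (not the poster's code or a serverless-stack sample): a Lambda authorizer that reads the tenant from already-verified Cognito ID token claims, answers API Gateway with an execute-api Allow/Deny plus the tenant in the context, and builds the narrower S3-prefix / DynamoDB-partition-key policy the backend can hand to STS as a session policy. The claim name `custom:tenantId`, the account id, bucket and table names are assumptions; JWT signature, issuer and audience verification against the user pool JWKS is assumed to happen before these functions are called.

```python
from datetime import datetime, timezone

# Constructed sample: decoded claims of a Cognito ID token carrying the tenant in a
# custom attribute. The attribute name is an assumption, not taken from the post.
SAMPLE_CLAIMS = {
    "sub": "1a2b3c4d-0000-0000-0000-000000000000",
    "token_use": "id",
    "custom:tenantId": "acme",
    "exp": 4102444800,  # far-future expiry so the sample is not rejected as expired
}

def tenant_from_claims(claims, now=None):
    """Return the tenant id from verified claims, or None when they are unusable."""
    now = now if now is not None else datetime.now(timezone.utc).timestamp()
    if claims.get("token_use") != "id" or claims.get("exp", 0) <= now:
        return None
    tenant = claims.get("custom:tenantId", "")
    # Reject anything that would act as a wildcard or path separator inside an ARN.
    if not tenant or any(ch in tenant for ch in "*?/"):
        return None
    return tenant

def session_policy(tenant, bucket, table, region="us-east-1", account="123456789012"):
    """IAM policy limited to one tenant: S3 objects under <tenant>/ and DynamoDB
    items whose partition key equals the tenant (account id is a placeholder)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{tenant}/*"},
            {"Effect": "Allow",
             "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem"],
             "Resource": f"arn:aws:dynamodb:{region}:{account}:table/{table}",
             "Condition": {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [tenant]}}},
        ],
    }

def authorizer_response(claims, method_arn):
    """Lambda authorizer output for API Gateway: allow or deny the invoked method
    and pass the tenant to the backend through the authorizer context."""
    tenant = tenant_from_claims(claims)
    effect = "Allow" if tenant else "Deny"
    return {
        "principalId": claims.get("sub", "anonymous"),
        "policyDocument": {"Version": "2012-10-17", "Statement": [
            {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}]},
        "context": {"tenantId": tenant or ""},
    }
```

Note that the authorizer itself can only grant or deny the API call; the tenant-scoped S3/DynamoDB policy only takes effect when the backend assumes a role with it as a session policy, which is the same kind of credential exchange an identity pool performs.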