79662451

Date: 2025-06-11 18:12:27
Score: 0.5
Natty:

Broadly speaking there are 2 ways to authenticate users with Cognito:

  1. Using OIDC.
  2. Through the Cognito API.

Using OIDC requires the use of Cognito as an authorization server, which means using the managed UI or classic hosted UI.

The options you’ve described won’t work because they mix elements of both.

So if you’re using the API then you need to authenticate as you’re already doing. Then if you want to set an HTTP-only cookie I think you have 2 obvious options:

Both options would need the Lambda to be on the same domain, e.g. front it all with CloudFront.

Alternatively use the managed login and OIDC. Your callback URI can go to the Lambda, which can fetch the tokens and set HTTP-only cookies. That would generally be my recommendation.
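The callback flow the answer recommends, as an added example that is not part of the answer: a Node.js Lambda handler (API Gateway HTTP API payload v2 event shape) that exchanges the authorization code at Cognito's `/oauth2/token` endpoint and returns the tokens as HttpOnly cookies. The Cognito domain, client id and redirect URI are placeholders, and the token fetch is injectable so the handler can be exercised offline.

```javascript
// Added example, not the answer's own code. Placeholders below must be replaced
// with the real Cognito domain, app client id and the registered callback URI.
const COGNITO_DOMAIN = "https://example-app.auth.us-east-1.amazoncognito.com"; // placeholder
const CLIENT_ID = "PLACEHOLDER_CLIENT_ID"; // placeholder
const REDIRECT_URI = "https://app.example.com/callback"; // placeholder, must match the app client

// Build the authorization-code grant request for Cognito's token endpoint.
function buildTokenRequest(code) {
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    client_id: CLIENT_ID,
    code,
    redirect_uri: REDIRECT_URI,
  });
  return {
    url: `${COGNITO_DOMAIN}/oauth2/token`,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Serialize a token as a cookie that page JavaScript cannot read (HttpOnly),
// that only travels over TLS (Secure) and is not sent on cross-site POSTs (SameSite).
function tokenCookie(name, value, maxAgeSeconds) {
  return `${name}=${value}; HttpOnly; Secure; SameSite=Lax; Path=/; Max-Age=${maxAgeSeconds}`;
}

// Lambda handler for the OIDC callback. `fetchFn` defaults to the global fetch
// (Node 18+) and is injectable so the exchange can be simulated without network.
async function handler(event, fetchFn = fetch) {
  const code = event.queryStringParameters && event.queryStringParameters.code;
  if (!code) return { statusCode: 400, body: "missing code" };
  const { url, options } = buildTokenRequest(code);
  const res = await fetchFn(url, options);
  if (!res.ok) return { statusCode: 401, body: "token exchange failed" };
  const tokens = await res.json();
  // Tokens never reach the browser as readable values; only the cookies do.
  return {
    statusCode: 302,
    headers: { Location: "/" },
    cookies: [
      tokenCookie("id_token", tokens.id_token, tokens.expires_in),
      tokenCookie("access_token", tokens.access_token, tokens.expires_in),
    ],
    body: "",
  };
}
if (typeof module !== "undefined") module.exports = { buildTokenRequest, tokenCookie, handler };
```

The Lambda must be served from the same site as the application (for example behind the same CloudFront distribution) so the browser attaches these cookies to subsequent requests.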

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (0.5):
Posted by: andycaine