4

I am attempting to get a token via the Cognito API, and failing. I've read through their site, and I'm having a difficult time with their vague examples.

My goal is to have a 3rd party service run monitoring tests on an API, which requires it to authenticate and get an identity token and an access token. I am using the yes/no portion of Cognito, which is the User Pools (the simplest of the bunch).

From looking at the documentation, https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-reference.html, I'm not quite understanding the flow.

If I examine the authorize endpoint, it will, using the HTTP GET method, access a UI for an individual to manually enter the information. (doc: https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html)

Looking at the token endpoint, it seems like I might be able to do machine to machine, but it starts to get odd as the documentation, https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html, states I need to get an authorization code, which circles back to the previous paragraph I wrote about the authorize endpoint.

Thanks, Kelly

KellyTheDev
  • I am working with AWS now regarding this issue. It's a total pain and a catch-22; will report back – Tampa Jul 08 '18 at 01:29

3 Answers

2

Answer is a bit late, but I had the same question recently. There is actually some documentation available for this use case, but it's maybe not complete. So what we are looking for is this: https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

To get this working you need, after having set up a User Pool, to add an app client for your server-to-server connection. In the User Pool go to App clients [screenshot]

and add an app client e.g. "myBackendService1"

You can add multiple app clients per user pool, so maybe you already have another one for your SPA frontend or you want to add multiple for different backend services.

Now the important part in the settings of the app client is that "Generate Client Secret" is enabled; you can't change that afterwards! [screenshot]

Next you need to set up your domain, where you can get your token from the endpoint described in the AWS docs: [screenshot]

Then under "App integration" go to Resource servers and add the resource server you want to access (the service defined in the App Client will be the server that wants to access this resource server after successful auth). [screenshot] Also add some scope here, as it will be needed in the API call (e.g. weather.read as shown in the placeholder).

Now you have everything set up to test your endpoint, e.g. in Postman: [screenshot] Check the headers carefully and also make sure in Body you set these keys: [screenshot] For the Authorization header key make sure to use Base64Encode(client_id:client_secret).

And then you should get back a response like this: [screenshot]

This token you can now verify in your resource server, as described e.g. here: "How to verify JWT from AWS Cognito in the API backend?" or here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html

Sebs030
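The server-to-server (client_credentials) request the answer above builds in Postman, written out as an added example; this is not code from the original answer or from AWS. The domain, client id, client secret and scope are constructed placeholders, and the claim checks at the end are the checks a resource server would apply after it has verified the token's signature against the pool's JWKS (signature verification itself is left to the linked documentation).

```python
"""Client-credentials grant against a Cognito User Pool domain (added example).

All identifiers below are constructed placeholders, not real Cognito values.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Authorization header the token endpoint expects: Basic + Base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_client_credentials_request(domain: str, client_id: str, client_secret: str, scope: str):
    """Return (url, headers, body) for a client_credentials grant. Nothing is sent here."""
    url = f"https://{domain}{TOKEN_PATH}"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    # Body keys: grant_type and the resource-server scope configured in the pool.
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return url, headers, body


def request_token(domain: str, client_id: str, client_secret: str, scope: str) -> dict:
    """Send the request (needs network access to the pool domain) and return the JSON response."""
    url, headers, body = build_client_credentials_request(domain, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def check_access_token_claims(claims: dict, expected_client_id: str, required_scope: str, now: float) -> list:
    """Claim checks a resource server performs after signature verification.

    Returns a list of problems; an empty list means the token is accepted.
    """
    problems = []
    if claims.get("token_use") != "access":
        problems.append("token_use is not 'access'")
    if claims.get("client_id") != expected_client_id:
        problems.append("client_id mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    # The scope claim is space-separated; every required scope must be present.
    if required_scope not in claims.get("scope", "").split():
        problems.append(f"missing scope {required_scope}")
    return problems


# Constructed sample claims, shaped like a decoded Cognito access-token payload.
SAMPLE_CLAIMS = {
    "token_use": "access",
    "client_id": "myclientid",
    "scope": "myapi/weather.read",
    "exp": 1_700_000_000,
}

if __name__ == "__main__":
    url, headers, body = build_client_credentials_request(
        "myapp.auth.us-east-1.amazoncognito.com", "myclientid", "mysecret", "myapi/weather.read"
    )
    print(url, headers["Authorization"], body)
    print(check_access_token_claims(SAMPLE_CLAIMS, "myclientid", "myapi/weather.read", now=1_699_999_000))
```

The builder function is separated from the sender so the exact header and body can be inspected (or compared against what Postman sends) without touching the network; the client secret only ever travels inside the Basic header over TLS to the pool's own domain.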
1

This applies to the hosted UI. I verified it and it works.

1) When I authenticate with either Google or Cognito using username and password, I am redirected to my web page. Note that I use response_type=code and not response_type=token.

https://test.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=3e0\j9m&redirect_uri=http://localhost:4200

2) This is the URL after the redirect:

   http://localhost:4200/?code=66dbcb-4ab1-a3c9-]cb7091

3) Here is the curl, but simply do this in your JS code: you first make a request to get the id_token, access_token, and the refresh token.

# Exchange the code from step 2 for tokens (the code parameter must be included)
curl -H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code&client_id=3e0duagpcsh2ga6ddn&redirect_uri=http://localhost:4200&code=<CODE_FROM_STEP_2>" \
-X POST https://test.auth.us-east-1.amazoncognito.com/oauth2/token

4) When the tokens are about to expire you make a call to the below. You will get a new id_token and access_token but not a refresh token.

# Refresh: the response contains new id_token and access_token only
curl -H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&client_id=3e0duagpcsh2dnne5r8j9m&refresh_token=eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R...." \
-X POST https://test.auth.us-east-1.amazoncognito.com/oauth2/token
Tampa
  • I'm sorry for just now responding, and thanks for trying, but this wouldn't work for machine to machine. The redirect is the problem I'm trying to overcome... equally, using their library that makes the request is cumbersome – KellyTheDev Jul 13 '18 at 03:03
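The four steps of the hosted-UI answer above (login URL, code in the redirect, code exchange, refresh), carried through as an added example that is not code from the original answer or from AWS. The domain and client id are the answer's own placeholders and the code values are constructed; the builder functions send nothing, and the one network call is isolated in post_token. It also handles the detail the answer notes in step 4: the refresh response carries no refresh_token, so the original one must be kept for the next refresh.

```python
"""Hosted-UI authorization-code flow against a Cognito User Pool domain (added example).

Domain and client id are the answer's placeholders; codes and tokens below are constructed.
"""
import json
import urllib.parse
import urllib.request


def build_login_url(domain: str, client_id: str, redirect_uri: str) -> str:
    """Step 1: the /login URL the browser is sent to, with response_type=code."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    return f"https://{domain}/login?" + urllib.parse.urlencode(params)


def code_from_redirect(redirect_url: str) -> str:
    """Step 2: pull the one-time code out of the URL Cognito redirected to."""
    query = urllib.parse.urlparse(redirect_url).query
    values = urllib.parse.parse_qs(query).get("code")
    if not values:
        raise ValueError("no code parameter in redirect URL")
    return values[0]


def exchange_code_body(client_id: str, redirect_uri: str, code: str) -> str:
    """Step 3: form body for the authorization_code grant (redirect_uri must match step 1)."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
    })


def refresh_body(client_id: str, refresh_token: str) -> str:
    """Step 4: form body for the refresh_token grant."""
    return urllib.parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
    })


def post_token(domain: str, body: str) -> dict:
    """POST a form body to /oauth2/token (needs network) and return the JSON response."""
    req = urllib.request.Request(
        f"https://{domain}/oauth2/token",
        data=body.encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def merge_refreshed(current: dict, refreshed: dict) -> dict:
    """Apply a refresh response to the stored token set.

    The refresh response has new id_token/access_token but no refresh_token,
    so the previously stored refresh_token is retained.
    """
    merged = dict(current)
    merged.update(refreshed)
    return merged


if __name__ == "__main__":
    domain, client_id, redirect_uri = "test.auth.us-east-1.amazoncognito.com", "3e0duagpcsh2ga6ddn", "http://localhost:4200"
    print(build_login_url(domain, client_id, redirect_uri))
    code = code_from_redirect("http://localhost:4200/?code=constructed-code-123")  # constructed redirect
    print(exchange_code_body(client_id, redirect_uri, code))
    # Constructed token responses standing in for the two /oauth2/token replies.
    first = {"id_token": "id1", "access_token": "acc1", "refresh_token": "ref1", "expires_in": 3600}
    second = {"id_token": "id2", "access_token": "acc2", "expires_in": 3600}
    print(merge_refreshed(first, second))
```

Keeping the form bodies in pure functions makes it easy to check that redirect_uri is URL-encoded and byte-for-byte identical between the login and exchange requests, which is the usual cause of an exchange being rejected; the refresh token itself is stored server-side and never exposed to the monitoring client.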
-2

I have discovered that really the only way to do this is to create an API using the AWS Cognito SDK. I've looked at the details of the ETL strategy, and the SDK is the easiest solution.

KellyTheDev
  • Could you tell which API specifically? – Deepthi Oct 23 '18 at 13:12
  • Hi @Deepthi, Amazon has a slew of variations between their SDKs like JavaScript, .NET, Java, etc. These SDKs can be found here: https://aws.amazon.com/tools/. Equally, their documentation describes the process depending on the language SDK you choose. It's quite easy to implement. I would say the trickiest strategy is related to the _challenges_ when, for example, you need to respond to a forced password change during authentication. Hopefully this helps guide you to finding the SDK of your choice. – KellyTheDev Oct 23 '18 at 21:27
  • Thanks for the reply @kellythedev. I found out recently that there is no Java SDK to exchange an authorization code for tokens. It's only available for Android, iOS and JavaScript. – Deepthi Oct 24 '18 at 07:59
  • No, they have one. https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/index.html – KellyTheDev Oct 24 '18 at 14:37
  • I meant, no methods specifically for the purpose of exchanging a code for a token. Of course there is an SDK. Sorry for not being clear. – Deepthi Oct 24 '18 at 14:53