
I am using Amazon Cognito's Hosted UI. The redirect URI I set is:

https://example.com/redirect_endpoint

But that endpoint is authenticated. So, I want the Hosted UI to send the id_token to that redirect URI as part of its Authorization header.

Is there a way to tell AWS Cognito's Hosted UI to send that id_token as part of its Authorization header? In other words, can I make the redirect_uri authenticated?

AlwaysQuestioning

1 Answer

You can use the implicit grant flow; the id and access tokens will be sent as query parameters. So, if the authentication of the authenticated URI is in your control, you can read the tokens from the query string. You can set it under user pool / app client settings / OAuth 2.0.

Option 1 - redirect to a common page or a home page and then call the authenticated URI from there. In this case you can use the authorization grant flow, which is the more secure and recommended approach from AWS.

Option 2 - use a custom Lambda authorizer for the API Gateway and select the Lambda event payload as REQUEST. Now you can pass the query string token to the Lambda authorizer, where you can check its signature and expiry.

e21
  • Unfortunately the authentication is done via API Gateway, which reads it from the "Authorizer" header. I feared I had to create the common page where I can then set the cookie. I'll try that. Thank you for the response, please stay tuned here :) – AlwaysQuestioning Apr 19 '21 at 16:47
  • To be clear, is there any way I can move the id_token from the query parameter to an HTTP header (Authorization: Bearer ____) in the redirect via Cognito's hosted UI? – AlwaysQuestioning Apr 19 '21 at 16:48
  • Another way is with a custom Lambda authorizer for the API Gateway and select the Lambda event payload as REQUEST. Now you can pass the query string token to the Lambda authorizer, where you can check its signature and expiry. – e21 Apr 20 '21 at 04:57
  • Interesting. So I would make that Lambda have its own custom authorizer based on the GET request. – AlwaysQuestioning Apr 20 '21 at 13:52
  • Yes, you can either authorize all your requests using this custom authorizer or use it only for a specific endpoint. These custom authorizers are useful if you want to enable API access based on groups of users etc. (Cognito does not support that). – e21 Apr 20 '21 at 16:33
  • Thank you! On a similar subject, do you know if any CDN exists for the Cognito auth endpoints? It seems like I either have to use the Hosted UI, or build a React app just to use the AWS Amplify libraries. I'd really just like standard JavaScript functions (packaged in a CDN) rather than having to use a full React framework for authentication/signup/2FA endpoints. – AlwaysQuestioning Apr 20 '21 at 18:25
  • I am not aware of a CDN for Amplify. We are using a Vue.js app. – e21 Apr 21 '21 at 08:53
  • Hosted UI would be the best approach if you have a simple 2FA flow (only SMS and TOTP supported). If you need to customize the 2FA then you cannot use the Hosted UI. I have updated the answer; you can mark it if that answers your original question. Let me know if you have any other questions. – e21 Apr 21 '21 at 09:00