How to use the code returned from Cognito to get AWS credentials?
Solution 1
you can find the "Authorization code grant" in the doc :http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
Solution 2
First off, screw authentication a thousand times. No one deserves to spend half a day looking at this shit.
Authentication for API Gateway Authorized with Cognito
Ingredients
-
client_id
andclient_secret
: In Cognito > General Settings > App clients you can find the App client id, then click on Show Details to find the App client secret -
For the header
Authorization: Basic YWJjZGVmZzpvMWZjb28zc...
you need to encode those two with:Base64Encode(client_id:client_secret)
, for example in Python:import base64 base64.b64encode('qcbstohg3o:alksjdlkjdasdksd')`
side note: Postman also has an option to generate this in Authorization > Basic Auth
-
redirect_uri
: passed in the body, it is the callback url that you configured in App integration > App client settings.
This MUST match with what you configured or you will get a totally unhelpful message{ "error": "invalid_grant" }
Example of a request to get a token from the code:
curl --location --request POST 'https://mycognitodomain.auth.us-east-1.amazoncognito.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic <base64 encoded client_id:client_secret>' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'code=<use the code you received post login>' \
--data-urlencode 'redirect_uri=https://myapp.com'
This will return your tokens:
{
"access_token":"eyJz9sdfsdfsdfsd",
"refresh_token":"dn43ud8uj32nk2je",
"id_token":"dmcxd329ujdmkemkd349r",
"token_type":"Bearer",
"expires_in":3600
}
Then take the id_token
and plug into your API call:
curl --location --request GET 'https://myapigateway.execute-api.us-east-1.amazonaws.com/' \
--header 'Authorization: <id_token>'
Ok, this is tagged as JavaScript but since we also suffer in Python
Friendly reminder: this is an example, please don't hardcode your secrets.
import requests
# In: General Settings > App clients > Show details
client_id = "ksjahdskaLAJS ..."
client_secret = "dssaKJHSAKJHDSsjdhksjHSKJDskdjhsa..."
# URL in your application that receives the code post-authentication
# (Cognito lets you use localhost for testing purposes)
callback_uri = "http://localhost:8001/accounts/amazon-cognito/login/callback/"
# Find this in: App Integration > Domain
cognito_app_url = "https://my-application-name.auth.us-west-2.amazoncognito.com"
# this is the response code you received - you can get a code to test by going to
# going to App Integration > App client settings > Lunch Hosted UI
# and doing the login steps, even if it redirects you to an invalid URL after login
# you can see the code in the querystring, for example:
# http://localhost:8001/accounts/amazon-cognito/login/callback/?code=b2ca649e-b34a-44a7-be1a-121882e27fe6
code="b2ca649e-b34a-44a7-be1a-121882e27fe6"
token_url = f"{cognito_app_url}/oauth2/token"
auth = requests.auth.HTTPBasicAuth(client_id, client_secret)
params = {
"grant_type": "authorization_code",
"client_id": client_id,
"code": code,
"redirect_uri": callback_uri
}
response = requests.post(token_url, auth=auth, data=params)
print(response.json()) # don't judge me, this is an example
Solution 3
To fetch AWS credentials (id_token, access_token and refresh_token) from the code request parameter returned by the authorisation code oath2 flow, you should use your Cognito User Pool web domain /oauth2/token
endpoint, following https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html instructions.
Pay attention to the HTTP Basic Authorisation user and password instructions, it should be your Cognito App client_id
and client_secret
, otherwise, you get a invalid_client
error.
The code flow is supposed to be used server side, as you avoid tokens floating around on URLs. If you're planning to do that client side, you should use the response_type=token
, as it gives this result directly on the login redirect.
Solution 4
Not sure if this is going to be useful 10 months from since it was asked but might be helpful to others.
I have used response_type=token
(Oauth flow=implicit grant
& scope=openid
) & provider as Cognito
. After you login using the default login page, you will get an id_token
& access_token
. You can get a temporary identity for your user using this id_token
. You also need to have an Federated identity pool setup for this, with roles assigned for authenticated & unauthenticated users, and linked to the user pool you are authenticating with. Once you have that (assuming you are using javascript), you can follow example at Cognito user identity pools javascript examples. My sample code derived from the same -
function getAccessToken(idToken, identityPoolId, userPool) {
let provider = "cognito-idp.us-east-2.amazonaws.com/" + userPool;
let login = {};
login[provider] = idToken;
// Add the User's Id Token to the Cognito credentials login map.
let credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: identityPoolId,
Logins: login
});
//call refresh method in order to authenticate user and get new temp credentials
credentials.get((error) => {
if (error) {
console.error(error);
let response = {
statusCode: 500,
body: JSON.stringify(error)
};
return response;
} else {
console.log('Successfully logged!');
console.log('AKI:'+ credentials.accessKeyId);
console.log('AKS:'+ credentials.secretAccessKey);
console.log('token:' + credentials.sessionToken);
let response = {
statusCode: 200,
body: JSON.stringify({
'AKI': credentials.accessKeyId,
'AKS': credentials.secretAccessKey,
'token': credentials.sessionToken
})
};
return response;
}
});
}
Hope this helps.
Comments
-
arjabbar almost 2 years
Right now, I'm struggling to understand AWS Cognito so maybe someone could help me out. I set a domain to serve Cognito's hosted UI for my User Pool like what's described here. So when I go to
https://<my-domain>.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=<MY_POOL_CLIENT_ID>&redirect_uri=https://localhost:8080
I get a login page where my users can login to my app with Google. That part is working great.I confused about what to do with the code that is returned from that page once my user logs in. So once I get redirected to Google and authorize the application to view my information, I get redirected back to one of my URLs with a code in the query params. Right now I'm redirecting to localhost, so the redirect URL look like this:
https://localhost:8080/?code=XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
What exactly is this code? Also, how do I use it to get access to AWS resources for my user?
-
arjabbar over 6 yearsHmm, I did read that and see how to use that endpoint described here: docs.aws.amazon.com/cognito/latest/developerguide/…. I guess I assumed there was something built into the SDKs that would handle this for me. So what I'm hearing basically is that I should stick to using the
response_type=code
query param for my login page. Using that places the tokens in the URL once the user gets directed. It appears it's either that or I have to make the request for the tokens myself. Does this seem right to you? -
arjabbar over 6 yearsWhat I meant to say was "I should stick to using the
response_type=token
" -
JoshNaro over 6 yearsI'm still confused with the docs. Can I exchange that code with a token somehow? It seems to me the terminology is switching up in the docs. What method in the SDK do I call with the "code" to get user info?
-
Pablo Barría Urenda almost 6 yearsHi, I'm having the same issue, and I wanted to ask what do you mean by "default login". Is it the domain provided by AWS? Because it seems you can only use that website if you select "Authorization code grant" as your OAuth flow (which means, if I'm understanding this correctly, you will get a code and not a token).
-
asr9 almost 6 yearsYes, the login URL you get (or create based on format) when you configure a domain on Cognito. It works with
implicit grant
as well. This is one which works for me -https://exampledomain.auth.us-east-2.amazoncognito.com/login?response_type=token&client_id=xxxxx&redirect_uri=http://localhost/portal.html
-
The Unknown Dev about 5 yearsHow do you set the
response_type
totoken
for the redirect URL in the Cognito User Pool? -
Marcio Ghiraldelli about 5 yearsThe
response_type
shouldn't be set in the redirect URL, but in the initial URL request. See my cognito example application github.com/marciogh/my-react-dropbox/blob/master/react/src/… -
Day.ong Li almost 3 yearsSuper clear explanation. The confusing part in the original manual is how to build the Authorization in step #2.
-
Nate-Wilkins almost 3 yearsReally clean clear answer. I'm a little confused on where the
<use the code you received post login>
comes from? I'm guessing this comes from the first redirect to the "server" side that would then use the following. (ie https://<your_domain>.auth.us-east-2.amazoncognito.com/login?response_type=code&client_id=<client_id>&redirect_uri=<redirect_uri_server>) -
Jade M almost 3 yearsYes, after you go through the login page, it will redirect to the
redirect_uri
with a code parameter, something like:http://<your_application_url>/?code=<THIS_CODE>&state=AbcDefgh
-
Daniel over 2 yearsGetting an
{"error":"invalid_request"}
message - any way to figure out what is going on? -
Jade M over 2 years@Daniel I HATE how bad the return codes are with Cognito, it's really hard to find what's wrong! Most commonly it's routes that are not matching, check in your App Client settings if the callback routes match exactly with routes that are available in your application and check if your application is pointing to the right Cognito route.
-
Daniel over 2 yearsdouble checked it and i was missing the key
redirect_uri
- but now im slapped with{"error":"invalid_grant"}
- should the redirect uri be the full url in the Callback URL(s) section of the app client? -
Daniel over 2 yearsActually - it looked like the "code" expired - I logged in again, got a new code, and got back a response - thanks very much for your help!
-
Daniel over 2 years@bubbassauro - is there any way to convert this to a python request?
-
fblundun over 2 yearsOne more gotcha: if you configure multiple callback uris in your app client settings, then it seems that the one you use as the redirect_uri in the /oauth2/token request must match the one that you originally used to obtain the authorization code.
-
saintlyzero almost 2 yearsI was stuck at
{"error":"invalid_request"}
. I then figured out that the request body should not be JSON, rather it is query param -_-