How to use the code returned from Cognito to get AWS credentials?

javascript amazon-web-services aws-sdk amazon-cognito aws-cognito

16,130

Solution 1

you can find the "Authorization code grant" in the doc :http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html

Solution 2

First off, screw authentication a thousand times. No one deserves to spend half a day looking at this shit.

Authentication for API Gateway Authorized with Cognito

Ingredients

client_id and client_secret: In Cognito > General Settings > App clients you can find the App client id, then click on Show Details to find the App client secret
For the header Authorization: Basic YWJjZGVmZzpvMWZjb28zc... you need to encode those two with: Base64Encode(client_id:client_secret), for example in Python:
```
import base64  
base64.b64encode('qcbstohg3o:alksjdlkjdasdksd')`  
```
side note: Postman also has an option to generate this in Authorization > Basic Auth
redirect_uri: passed in the body, it is the callback url that you configured in App integration > App client settings.
This MUST match with what you configured or you will get a totally unhelpful message { "error": "invalid_grant" }

Example of a request to get a token from the code:

curl --location --request POST 'https://mycognitodomain.auth.us-east-1.amazoncognito.com/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic <base64 encoded client_id:client_secret>' \
--data-urlencode 'grant_type=authorization_code' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'code=<use the code you received post login>' \
--data-urlencode 'redirect_uri=https://myapp.com'

This will return your tokens:

{
  "access_token":"eyJz9sdfsdfsdfsd", 
  "refresh_token":"dn43ud8uj32nk2je",
  "id_token":"dmcxd329ujdmkemkd349r",
  "token_type":"Bearer", 
  "expires_in":3600
}

Then take the id_token and plug into your API call:

curl --location --request GET 'https://myapigateway.execute-api.us-east-1.amazonaws.com/' \
--header 'Authorization: <id_token>'

Ok, this is tagged as JavaScript but since we also suffer in Python

Friendly reminder: this is an example, please don't hardcode your secrets.

import requests

# In: General Settings > App clients > Show details
client_id = "ksjahdskaLAJS ..."
client_secret = "dssaKJHSAKJHDSsjdhksjHSKJDskdjhsa..."

# URL in your application that receives the code post-authentication
# (Cognito lets you use localhost for testing purposes)
callback_uri = "http://localhost:8001/accounts/amazon-cognito/login/callback/"

# Find this in: App Integration > Domain
cognito_app_url = "https://my-application-name.auth.us-west-2.amazoncognito.com"

# this is the response code you received - you can get a code to test by going to
# going to App Integration > App client settings > Lunch Hosted UI
# and doing the login steps, even if it redirects you to an invalid URL after login
# you can see the code in the querystring, for example:
# http://localhost:8001/accounts/amazon-cognito/login/callback/?code=b2ca649e-b34a-44a7-be1a-121882e27fe6
code="b2ca649e-b34a-44a7-be1a-121882e27fe6"

token_url = f"{cognito_app_url}/oauth2/token"
auth = requests.auth.HTTPBasicAuth(client_id, client_secret)

params = {
    "grant_type": "authorization_code",
    "client_id": client_id,
    "code": code,
    "redirect_uri": callback_uri
}

response = requests.post(token_url, auth=auth, data=params)

print(response.json()) # don't judge me, this is an example

Solution 3

To fetch AWS credentials (id_token, access_token and refresh_token) from the code request parameter returned by the authorisation code oath2 flow, you should use your Cognito User Pool web domain /oauth2/token endpoint, following https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html instructions.

Pay attention to the HTTP Basic Authorisation user and password instructions, it should be your Cognito App client_id and client_secret, otherwise, you get a invalid_client error.

The code flow is supposed to be used server side, as you avoid tokens floating around on URLs. If you're planning to do that client side, you should use the response_type=token, as it gives this result directly on the login redirect.

Solution 4

Not sure if this is going to be useful 10 months from since it was asked but might be helpful to others.

I have used response_type=token (Oauth flow=implicit grant & scope=openid) & provider as Cognito. After you login using the default login page, you will get an id_token & access_token. You can get a temporary identity for your user using this id_token. You also need to have an Federated identity pool setup for this, with roles assigned for authenticated & unauthenticated users, and linked to the user pool you are authenticating with. Once you have that (assuming you are using javascript), you can follow example at Cognito user identity pools javascript examples. My sample code derived from the same -

function getAccessToken(idToken, identityPoolId, userPool) {
        let provider = "cognito-idp.us-east-2.amazonaws.com/" + userPool;
        let login = {};

        login[provider] = idToken;

        // Add the User's Id Token to the Cognito credentials login map.
        let credentials = new AWS.CognitoIdentityCredentials({
            IdentityPoolId: identityPoolId,
            Logins: login
        });

        //call refresh method in order to authenticate user and get new temp credentials
        credentials.get((error) => {
            if (error) {
                console.error(error);

                let response = {
                    statusCode: 500,
                    body: JSON.stringify(error)
                };

                return response;

            } else {
                console.log('Successfully logged!');
                console.log('AKI:'+ credentials.accessKeyId);
                console.log('AKS:'+ credentials.secretAccessKey);
                console.log('token:' + credentials.sessionToken);

                let response = {
                    statusCode: 200,
                    body: JSON.stringify({
                        'AKI': credentials.accessKeyId,
                        'AKS': credentials.secretAccessKey,
                        'token': credentials.sessionToken
                    })
                };

                return response;
            }
        });
    }

Hope this helps.

View more solutions

16,130

Author by

arjabbar

Senior Software Engineer Engineer at Olo.

Updated on June 07, 2022

Comments

arjabbar almost 2 years

Right now, I'm struggling to understand AWS Cognito so maybe someone could help me out. I set a domain to serve Cognito's hosted UI for my User Pool like what's described here. So when I go to https://<my-domain>.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=<MY_POOL_CLIENT_ID>&redirect_uri=https://localhost:8080 I get a login page where my users can login to my app with Google. That part is working great.

I confused about what to do with the code that is returned from that page once my user logs in. So once I get redirected to Google and authorize the application to view my information, I get redirected back to one of my URLs with a code in the query params. Right now I'm redirecting to localhost, so the redirect URL look like this:

https://localhost:8080/?code=XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX

What exactly is this code? Also, how do I use it to get access to AWS resources for my user?
arjabbar over 6 years

Hmm, I did read that and see how to use that endpoint described here: docs.aws.amazon.com/cognito/latest/developerguide/…. I guess I assumed there was something built into the SDKs that would handle this for me. So what I'm hearing basically is that I should stick to using the response_type=code query param for my login page. Using that places the tokens in the URL once the user gets directed. It appears it's either that or I have to make the request for the tokens myself. Does this seem right to you?
arjabbar over 6 years

What I meant to say was "I should stick to using the response_type=token"
JoshNaro over 6 years

I'm still confused with the docs. Can I exchange that code with a token somehow? It seems to me the terminology is switching up in the docs. What method in the SDK do I call with the "code" to get user info?
Pablo Barría Urenda almost 6 years

Hi, I'm having the same issue, and I wanted to ask what do you mean by "default login". Is it the domain provided by AWS? Because it seems you can only use that website if you select "Authorization code grant" as your OAuth flow (which means, if I'm understanding this correctly, you will get a code and not a token).
asr9 almost 6 years

Yes, the login URL you get (or create based on format) when you configure a domain on Cognito. It works with implicit grant as well. This is one which works for me - https://exampledomain.auth.us-east-2.amazoncognito.com/login‌?response_type=token‌&client_id=xxxxx&red‌irect_uri=http://loc‌alhost/portal.html
The Unknown Dev about 5 years

How do you set the response_type to token for the redirect URL in the Cognito User Pool?
Marcio Ghiraldelli about 5 years

The response_type shouldn't be set in the redirect URL, but in the initial URL request. See my cognito example application github.com/marciogh/my-react-dropbox/blob/master/react/src/…
Day.ong Li almost 3 years

Super clear explanation. The confusing part in the original manual is how to build the Authorization in step #2.
Nate-Wilkins almost 3 years

Really clean clear answer. I'm a little confused on where the <use the code you received post login> comes from? I'm guessing this comes from the first redirect to the "server" side that would then use the following. (ie https://<your_domain>.auth.us-east-2.amazoncognito.com/login‌?response_type=code&‌client_id=<client_id‌>&redirect_uri=<redi‌rect_uri_server>)
Jade M almost 3 years

Yes, after you go through the login page, it will redirect to the redirect_uri with a code parameter, something like: http://<your_application_url>/?code=<THIS_CODE>&state=AbcDef‌gh
Daniel over 2 years

Getting an {"error":"invalid_request"} message - any way to figure out what is going on?
Jade M over 2 years

@Daniel I HATE how bad the return codes are with Cognito, it's really hard to find what's wrong! Most commonly it's routes that are not matching, check in your App Client settings if the callback routes match exactly with routes that are available in your application and check if your application is pointing to the right Cognito route.
Daniel over 2 years

double checked it and i was missing the key redirect_uri - but now im slapped with {"error":"invalid_grant"} - should the redirect uri be the full url in the Callback URL(s) section of the app client?
Daniel over 2 years

Actually - it looked like the "code" expired - I logged in again, got a new code, and got back a response - thanks very much for your help!
Daniel over 2 years

@bubbassauro - is there any way to convert this to a python request?
fblundun over 2 years

One more gotcha: if you configure multiple callback uris in your app client settings, then it seems that the one you use as the redirect_uri in the /oauth2/token request must match the one that you originally used to obtain the authorization code.
saintlyzero almost 2 years

I was stuck at {"error":"invalid_request"}. I then figured out that the request body should not be JSON, rather it is query param -_-