AWS Cognito Access Tokens Javascript

Question

I am using account linking with Alexa and getting an accessToken back. I am authenticating using AWS Cognito. My assumption is that accessToken is the token for AWS Cognito - but how do I use it? I need to get the CognitoUser information. I've seen examples using the Facebook SDK and it's stupid simple to say Fb.setToken(accessToken), but I can't find the equivalent for Cognito. What am I missing?!

Answer 1

I'm a little late but you can get the AWS Cognito JSON Web Token (JWT) response from the URL and decode them to get user data as such:

$( document ).ready(function() {


    var pageURL = window.location.href;
    pageURL = pageURL.toString();

    // Gets url strings
    var paramIndex = pageURL.indexOf("#"); // When page is hosted on the web, use '?'
    if (paramIndex === -1) {
        return;
    }
    // Gets url parameters from AWS Cognito response including the 'access token'
    var parameters = pageURL.substring(paramIndex + 1);

    console.log(" page url: " + pageURL);
    console.log(" url parameters: " + parameters);

    // Extracts the encoded tokens from url parameters
    var idToken = getParameter(parameters, "id_token=");
    var accessToken = getParameter(parameters, "access_token=");
    console.log("id token: " + idToken);
    console.log("access token: " + accessToken);

    // Decodes the tokens
    var idTokenDecoded = atob(idToken.split('.')[1]);
    var accessTokenDecoded = atob(accessToken.split('.')[1]);
    console.log("id token decoded: " + idTokenDecoded);
    console.log("access token decoded: " + accessTokenDecoded);

    // Converts string tokens to JSON
    var idTokenJson = JSON.parse(idTokenDecoded);
    var accessTokenJson = JSON.parse(accessTokenDecoded);

    // Can now access the fields as such using the JSON.parse()
    console.log("email: " + idTokenJson.email);
    console.log("id: " + idTokenJson.sub);
});

/**
 * Takes the url parameters and extracts the field that matches the "param" 
 * input.
 * @param {type} url, contains URL parameters
 * @param {type} param, field to look for in url
 * @returns {unresolved} the param value.
 */
function getParameter(url, param) {
    var urlVars = url.split('&');
    var returnValue;
    for (var i = 0; i < urlVars.length; i++) {
        var urlParam = urlVars[i];

        // get up to index.
        var index = urlParam.toString().indexOf("=");
        urlParam = urlParam.substring(0, index + 1);
        if (param === urlParam) {
            returnValue = urlVars[i].replace(param, "");
            i = urlVars.length; // exits for loop
        }
    }
    return returnValue;
}

Answer 2

AWS Cognito User Pool generates id token and access token for authentication mechanism. Both of them are jwt tokens and id token has user attributes like username,email,family name. You can use id or access token for authenticate users.

Related links: First Link ,Second Link

Answer 3

Just decode the Cognito access token in your Alexa skill Lambda function.

https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt

I addition you can add attributes to that jwt token on user authentication by making use of the Pre Token Generation Lambda trigger:

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html

Answer 4

this is my authentication flow, using cognito only, works fine for me:

  var authenticationData = {
    Username: document.getElementById("user").value,
    Password: document.getElementById("password").value
  };

  var authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails(authenticationData);

  var poolData = {
    UserPoolId: AWSConfiguration.UserPoolId,
    ClientId: AWSConfiguration.ClientAppId
  };

  userPool = new AmazonCognitoIdentity.CognitoUserPool(poolData);

  var userData = {
    Username: document.getElementById("user").value,
    Pool: userPool
  };

  var cognitoUser = new AmazonCognitoIdentity.CognitoUser(userData);

  cognitoUser.authenticateUser(authenticationDetails, {

  // authenticate here