Reputation: 901
I am attempting to get a token via the Cognito API, and failing. I've read through their site, and I'm having a difficult time with their vague examples.
My goal is to have a 3rd party service run monitoring tests on an API, which requires it to authenticate and get an identity token and an access token. I am using the yes/no portion of Cognito, which are the User Pools (the simplest of the bunch).
From looking at the documentation, https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-reference.html, I'm not quite understanding the flow.
If I examine the authorize endpoint, it will, using the http GET method, access a UI for an individual to manually enter the information. (doc: https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html)
Looking at the token endpoint, it seems like I might be able to do machine to machine, but it starts to get odd as the documentation, https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html, states I need to get an authentication code, which circles back to the previous paragraph I wrote about the authorize endpoint.
Thanks, Kelly
Upvotes: 4
Views: 5230
Reputation: 616
Answer is a bit late, but I had the same question recently. There is actually some documentation available for this use case, but it's maybe not complete. So what we are looking for is this: https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
To get this working you need, after having set up a User Pool, to add an app client for your server to server connection. In the User Pool go to App clients and add an app client, e.g. "myBackendService1".
You can add multiple app clients per user pool, so maybe you already have another one for your SPA frontend or you want to add multiple for different backend services.
Now the important part in the settings of the app client is that "Generate Client Secret" is enabled; you can't change that afterwards!
Next you need to set up your domain, where you can get your token from the endpoint described in the AWS docs:
Then under "App integration" go to Resource servers and add the resource server you want to access (the service defined in the App Client will be the one that accesses this resource server after successful auth).
Also add some scope here, as it will be needed in the api call (e.g. weather.read as shown in the placeholder)
Now you have everything set up to test your endpoint, e.g. in Postman:
Check the Headers carefully and also make sure in Body you set these keys:
For the Authorization Header key make sure to Base64Encode(client_id:client_secret).
And then you should get back a response like this:
This token you can now verify in your resource server, as described e.g. here: How to verify JWT from AWS Cognito in the API backend? or here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
Upvotes: 3
Reputation: 901
I have discovered that really the only way to do this is to create an API using the AWS Cognito SDK. I've looked at the details of the ETL strategy, and the SDK is the easiest solution.
Upvotes: -2
Reputation: 78352
This applies to hosted UI. I verified and it works.
1) When I auth either Google or Cognito with username and password I am redirected to my webpage. Note: I use response_type=code and not response_type=token
https://test.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=3e0\j9m&redirect_uri=http://localhost:4200
2) this is the url after the redirect:
http://localhost:4200/?code=66dbcb-4ab1-a3c9-]cb7091
3) Here is the curl command, but you can simply do this in your JS code; you first make a request to get the id_token, access_token, and the refresh token (the code query parameter from step 2 must be sent along with the client_id and redirect_uri):
curl -H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code&client_id=3e0duagpcsh2ga6ddn&code=CODE_FROM_STEP_2&redirect_uri=http://localhost:4200" \
-X POST https://test.auth.us-east-1.amazoncognito.com/oauth2/token
4) When the tokens are about to expire you make the call below; you will get a new id_token and access_token but not a refresh token.
curl -H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=refresh_token&client_id=3e0duagpcsh2dnne5r8j9m&refresh_token=eyJjdHkiOiJKV1QiLCJlbmMiOiJBMjU2R...." \
-X POST https://test.auth.us-east-1.amazoncognito.com/oauth2/token
Upvotes: 1
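As an added example (not code from any answer on this page, nor from AWS): a small Python client that builds the three /oauth2/token requests discussed above, the client_credentials grant with the Base64Encode(client_id:client_secret) Authorization header from the app-client/resource-server answer, and the authorization_code and refresh_token grants from the curl answer, and reads a token's exp claim to decide when step 4 (refresh) is due. The user-pool domain, client ids, secret, scope and the sample token are placeholders or constructed values that do not appear on the page.

```python
"""Cognito user-pool /oauth2/token client covering the three grants used on this page:
client_credentials (server-to-server), authorization_code and refresh_token.

Added example, not code from the answers above. The domain, client ids, secret,
scope and sample token below are placeholders or constructed values."""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Hypothetical user-pool domain (the one set under App integration > Domain name).
DOMAIN = "https://example-monitoring.auth.us-east-1.amazoncognito.com"


def basic_auth_header(client_id, client_secret):
    """'Basic ' + Base64Encode(client_id:client_secret) for a confidential app client."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(domain, form, client_id, client_secret=None):
    """Return (url, headers, body) for a POST to {domain}/oauth2/token.

    A client created with "Generate client secret" authenticates through the
    Authorization header; a public client (no secret, as in the hosted-UI curl
    examples) passes client_id in the form body instead.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = dict(form)
    if client_secret:
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    else:
        form["client_id"] = client_id
    return f"{domain.rstrip('/')}/oauth2/token", headers, urllib.parse.urlencode(form)


def client_credentials_request(domain, client_id, client_secret, scope):
    """Machine-to-machine grant; scope is '<resource-server-identifier>/<scope-name>'."""
    form = {"grant_type": "client_credentials", "scope": scope}
    return build_token_request(domain, form, client_id, client_secret)


def authorization_code_request(domain, client_id, code, redirect_uri, client_secret=None):
    """Exchange the ?code= that the hosted UI appended to redirect_uri (steps 2 and 3)."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return build_token_request(domain, form, client_id, client_secret)


def refresh_token_request(domain, client_id, refresh_token, client_secret=None):
    """New id/access tokens; Cognito does not return a new refresh token here (step 4)."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    return build_token_request(domain, form, client_id, client_secret)


def post_token_request(url, headers, body, timeout=10):
    """Send the request; return the parsed JSON token set, or Cognito's JSON error body."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:  # e.g. HTTP 400 with {"error": "invalid_client"}
        return json.loads(err.read() or b"{}")


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token):
    """Read the claims WITHOUT checking the signature. Fine for a client deciding
    when to refresh; a resource server must verify the signature against the
    pool's JWKS as described in the verification docs linked above."""
    _header, payload, _signature = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def seconds_until_expiry(token, now=None):
    now = time.time() if now is None else now
    return decode_jwt_payload(token)["exp"] - now


def needs_refresh(token, margin=60, now=None):
    """True when the token expires within `margin` seconds."""
    return seconds_until_expiry(token, now) <= margin


# Constructed, unsigned sample access token so the helpers can run offline.
SAMPLE_ACCESS_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "sample-kid"}).encode()),
    _b64url(json.dumps({"token_use": "access", "scope": "myresource/weather.read",
                        "client_id": "myBackendService1", "exp": 1_700_000_000}).encode()),
    "signature-placeholder",
])

if __name__ == "__main__":
    url, headers, body = client_credentials_request(
        DOMAIN, "myBackendService1", "CLIENT_SECRET_PLACEHOLDER", "myresource/weather.read")
    print(url, headers, body)  # inspect the request before sending it
    # tokens = post_token_request(url, headers, body)  # needs a real user pool
    print(needs_refresh(SAMPLE_ACCESS_TOKEN, now=1_700_000_000 - 30))  # True
```

The scope sent with the client_credentials grant is the full "resource-server-identifier/scope-name" string, so the "weather.read" scope from the answer above would be sent as "<identifier>/weather.read". decode_jwt_payload is only there to schedule refreshes from the client side; the monitoring service's target API must still verify the signature, issuer and token_use before trusting a token.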