4

I am trying to use AWS Cognito to authenticate (using Google) and authorise users, with the intention of assigning IAM roles for the authorised users.

I have followed the below steps till now

  1. Use the authorization end point to fire up Google OAuth process http://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

    I am using "Grant flow" I receive a such as code=b3e8bca6-5a01-45db-b4c6-cd6900d0xxxx

  2. Make a post request to oath/token http://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

    I receive the following information:

    "id_token": "eyJraWQiOiJJR2NVdHJcL3pOa3pQK1lre...........",
"access_token": "eyJraWQiOiJCbWx0cjJvMnJlVGhHW..........",
"refresh_token": "eyJjdHkiOiJKV1QiLCJlbmMiOi............",
"expires_in": 3600,
"token_type": "Bearer"

  3. Try to fetch the AWS credntions using the CognitoIdentityCredentials

    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: environment.identityPoolId, // Federated ID eu-west-2:af47703f-350c-4018-ae6a-xxxxxx
    RoleArn: environment.roleArn,// IAM role
    Logins: { 'accounts.google.com': data.id_token },
});

AWS.config.getCredentials((error) => {
    if(error) console.log("Error: ", error);
    this.creds = AWS.config.credentials;
});

I get a bad request 500 error

{"__type":"NotAuthorizedException","message":"Invalid login token. Issuer doesn't match providerName"}

Couple of questions

  1. Is the sequence of steps followed correct?
  2. How to I get a CongnitoUserId ? id_token is a very long string, but not sure what information can I extract from it?
  3. Finally how to I get accessKey to make AWS calls?

Any help or direction will be much appreciated.

Thanks

iSkore
  • 7,394
  • 3
  • 34
  • 59
maxkart
  • 619
  • 5
  • 21

1 Answers1

4

Is the sequence of steps followed correct?

I believe so.

id_token is a very long string, but not sure what information can I extract from it?

Both the id_token and access_token are JWTs. You can base64 decode the strings in between the dots to extract the token's contents. Typically we're concerned with the middle section, or payload.

You can paste these tokens into a decoder like this one, and view the contents in your browser. In javascript, atob() works as you'd expect.

I'm not sure what user id you're after, but if the username suffices, the id_token contains a cognito:username key.

Finally how to I get accessKey to make AWS calls?

Change the provider in your Logins map.

If you were talking directly to Google, as opposed to talking to Google through Cognito (via /oauth2/authorize), you would use accounts.google.com in the Logins map as your example shows.

However, the tokens you're getting back are from Cognito, not from Google. Both tokens contain an iss (issuer) key, which is (most likely) your User Pool Id. This is the value you should use in the Logins map. Assuming the issuer is your User Pool:

Logins: {
    'cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx': token
}
Mike Patrick
  • 10,699
  • 1
  • 32
  • 54
  • Thanks !! I am able to decode the token and have corrected the Logins map using the iss key mentioned above but I still get the same error message {"__type":"NotAuthorizedException","message":"Invalid login token. Issuer doesn't match providerName"}. By "token" in the Login maps I assume you are referring to id_token. – maxkart Dec 28 '17 at 23:28
  • Below are my id_token details "identities": [ { "userId": "1068...", "providerName": "Google", "providerType": "Google", "issuer": null, // << Is the issue and provider mismatch because of this ?? "primary": "true", } ], – maxkart Dec 28 '17 at 23:35
  • 1
    Thanks ! Finally managed to get it working, I had to strip out https:// from the iss key. – maxkart Dec 29 '17 at 09:00
  • @maxkart which token do you use for `data.id_token` ? – Teddy Kossoko Jul 20 '21 at 21:16
  • 1
    @TeddyKossoko i don't understand your questions,.. there are three tokens id, access and refresh .. i used id for user details and access for authorization – maxkart Jul 21 '21 at 04:50