
What I have done so far

I have integrated Microsoft AD with AWS Cognito by adding trust relationships and setting up a Cognito identity provider. In this, I have set up an app domain prefix during the Cognito setup. By using the following URL I am able to receive the token by logging in on the AD login page. So when I decode this token I get the required attributes and other information.

What I actually want

I don't want my users to be redirected to the AD login page and later to the application. I need just a REST API where I can provide the AD user credentials and this API will return the above JWT token which has all the information. So in short, I want to get the Cognito JWT token by using the AD user credentials. These users are part of AD groups which are linked to AWS IAM by adding a trust relationship using ADFS. So is there a way in which I don't need to use the Cognito hosted UI? Instead, my users will hit one API and get the credentials. I don't know what this API is.

Any help will be appreciated.

pravindot17
    I don't believe AWS has a password/username flow per the AWS docs. But what you could do is set up SAML auth between the two per the blog: https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/ And you can get a SAML token with a username/password using WCF and WS-Trust: https://leastprivilege.com/2012/11/16/wcf-and-identity-in-net-4-5-external-authentication-with-ws-trust/ Although this would be an extreme amount of work to actually do, as it would require doing it from the ground up in your environment. – Frank H Jul 17 '19 at 01:43
  • I'm building something similar but couldn't find a way to achieve this. Have you got it sorted eventually? – jiaoziren Apr 15 '20 at 23:54
  • I found out Keycloak is a better option for this flow. https://www.keycloak.org/ – pravindot17 Apr 16 '20 at 03:12

1 Answer


I am in the same dilemma myself, but I've found a very useful question (with answers) that might help you out. It's been some time but maybe this will be useful for new people having the same problem nowadays.

What is the REST (or CLI) API for logging in to Amazon Cognito user pools

I think you'd want to enable the ClientCredentials flow in your Cognito user pool. You can read more on this flow here https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/ to make sure it is what you need (OAuth flows and grants are the same thing).
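As an added example (not part of the question or the answer above), the following Python shows what the ClientCredentials grant mentioned in the answer looks like on the wire, and the claim checks a resource server should apply to the access token it gets back. The domain prefix, region, pool id, client id and secret are constructed placeholders; the token endpoint path, the Basic-auth form of client authentication, and the iss / token_use / client_id / exp claims are standard Cognito user pool behaviour. Note that a client_credentials token identifies the app client itself and carries no user claims, so the inspection helper also shows what such a token does and does not contain.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Constructed placeholder values for illustration only (not from the original post).
COGNITO_DOMAIN = "example-prefix"          # the app domain prefix chosen at pool setup
COGNITO_REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"         # placeholder user pool id
CLIENT_ID = "exampleclientid1234567890"    # placeholder app client id
CLIENT_SECRET = "example-client-secret"    # placeholder; never hard-code a real secret


def build_client_credentials_request(domain, region, client_id, client_secret, scopes):
    """Return (url, headers, body) for the client_credentials grant against the
    Cognito hosted-UI token endpoint. The app client authenticates with HTTP
    Basic auth (client_id:client_secret) and requests resource-server scopes."""
    url = f"https://{domain}.auth.{region}.amazoncognito.com/oauth2/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return url, headers, body


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token):
    """Decode the payload of a JWT without verifying its signature.
    For inspection only: a real token must be verified against the pool's
    JWKS (https://cognito-idp.<region>.amazonaws.com/<pool>/.well-known/jwks.json)
    before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_access_token_claims(claims, region, user_pool_id, client_id, now=None):
    """Claim checks a resource server applies in addition to signature
    verification. Returns a list of problems; an empty list means acceptable."""
    now = time.time() if now is None else now
    problems = []
    expected_iss = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    if claims.get("token_use") != "access":
        problems.append("not an access token")
    if claims.get("client_id") != client_id:
        problems.append("client_id mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    # A client_credentials token names the app client, not an AD user: there is
    # no 'username' or 'sub' for a person to act on, only 'client_id' and 'scope'.
    return problems


def make_sample_token(claims):
    """Build a JWT-shaped string from constructed claims with a dummy signature,
    so the inspection helpers can be exercised offline. Real Cognito tokens are
    RS256-signed; this one is NOT and must never be accepted by a verifier."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "example-kid"}), enc(claims), "dummysignature"])


if __name__ == "__main__":
    url, headers, body = build_client_credentials_request(
        COGNITO_DOMAIN, COGNITO_REGION, CLIENT_ID, CLIENT_SECRET, ["api/read"])
    print("POST", url)
    print(headers["Content-Type"], "|", body)
    # Constructed access-token claims of the shape Cognito returns for this grant.
    sample = {
        "iss": f"https://cognito-idp.{COGNITO_REGION}.amazonaws.com/{USER_POOL_ID}",
        "token_use": "access", "client_id": CLIENT_ID, "scope": "api/read",
        "exp": int(time.time()) + 3600,
    }
    claims = decode_jwt_claims(make_sample_token(sample))
    print("problems:", check_access_token_claims(claims, COGNITO_REGION, USER_POOL_ID, CLIENT_ID))
```

The request is only assembled, not sent, so the block runs offline; pass the returned url, headers and body to any HTTP client to perform the real exchange. The decode helper deliberately skips signature verification so the claim checks can be shown in isolation; in a deployed resource server the JWKS verification step comes first.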