
I know of two ways to authenticate as a user and obtain the access token, one is through the Hosted UI and another with various provided SDKs.

What I'm looking for is an endpoint to obtain the access token directly with user credentials.

POST https://that-special-endpoint.com/login
{
 username: "example@email.com",
 password: "Abc123456",
 ...client ID, etc.
}

I've searched for some time but could not find how to do this. Is this not possible due to some security concerns that I'm not aware of?

I did consider creating a Lambda API and make use of the Cognito SDK to cater for my use case but I'm not sure if it's advisable...

daisura99

1 Answer


A similar question is answered here. You can access https://cognito-idp.[region].amazonaws.com/ to call the InitiateAuth and RespondToAuthChallenge APIs.


InitiateAuth


  1. Create a JSON file, aws-auth-data.json:
{
    "AuthParameters": {
        "USERNAME": "your-email@example.com",
        "PASSWORD": "your-first-password",
        "SECRET_HASH": "......(required if the app client is configured with a client secret)"
    },
    "AuthFlow": "USER_PASSWORD_AUTH",
    "ClientId": "5m........................"
}
  2. Send a request to https://cognito-idp.us-east-2.amazonaws.com/ (if the user pool is in the us-east-2 region) to call the InitiateAuth API and initiate an authentication flow:
curl -X POST --data @aws-auth-data.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-2.amazonaws.com/
  3. Then you'll get the user's tokens:
{
    "AuthenticationResult": {
        "AccessToken": "eyJra........",
        "ExpiresIn": 3600,
        "IdToken": "eyJra........",
        "RefreshToken": "eyJjd........",
        "TokenType": "Bearer"
    },
    "ChallengeParameters": {}
}

RespondToAuthChallenge


You may get a challenge as the InitiateAuth response. For example, you will be asked to change the password when you make your first 'InitiateAuth' attempt:

{
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "ChallengeParameters": {
        "USER_ID_FOR_SRP": "abababab-......",
        "requiredAttributes": "[]",
        "userAttributes": "{\"email_verified\":\"true\",\"email\":\"your-email@example.com\"}"
    },
    "Session": "DNdY......"
}

In this case, change the password with RespondToAuthChallenge and you will get tokens.

{
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "ChallengeResponses": {
        "USERNAME": "your-email@example.com",
        "NEW_PASSWORD": "your-second-password"
    },
    "ClientId": "5m........................",
    "Session": "DNdYN...(what you got in the preceding response)"
}
curl -X POST --data @aws-change-password.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-2.amazonaws.com/

See also:

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-client-side-authentication-flow

shoek
  • quoting the docs, ... _the client credentials grant is typically intended to provide credentials to an application in order to authorize machine-to-machine requests._ and from the request body, there doesn't seem to be any input tying to the end user. So how is the token supposed to identify the user? – daisura99 May 01 '20 at 02:30
  • @daisura99 I said "Try Client credentials grant on TOKEN Endpoint" but I'm sorry, I had a wrong idea on your question. Let me rewrite the whole answer. – shoek May 01 '20 at 07:48
  • 1
    thanks! You saved my life. I did glance through this documentation before, but I thought it was just another SDK, didn't know one can actually use this API with HTTP REST – daisura99 May 02 '20 at 05:16
  • To add further, it would have been helpful if the [API Reference for Cognito](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/Welcome.html) had something like [CloudWatch](https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/making-api-requests.html#CloudWatch-API-requests-using-post-method)! – daisura99 May 02 '20 at 05:31
  • @shoek: You are a life saver. I was trying to get access for 2 days but none of the documentation worked. You are a gem.. – Raghu Ram Apr 30 '21 at 16:01
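The two curl calls in the answer, scripted end to end, as an added example that is not part of the original question, the answer, or any AWS SDK. It builds the InitiateAuth body (including the SECRET_HASH that the answer notes is required when the app client has a secret: base64 of HMAC-SHA256 keyed with the client secret over username + client ID, which is the formula AWS documents), classifies the response as tokens or a challenge, and answers NEW_PASSWORD_REQUIRED with RespondToAuthChallenge. The client ID, secret, credentials, session and token strings are placeholders, and the sample responses are constructed to match the shapes shown in the answer; the one real network call, `send_request`, is kept separate and swapped for `fake_send` so the flow runs offline.

```python
import base64
import hashlib
import hmac
import json
import urllib.request


def secret_hash_bytes(username, client_id, client_secret):
    """Raw HMAC-SHA256 keyed with the app client secret over username + client_id.
    Cognito's SECRET_HASH is this digest, base64-encoded."""
    key = client_secret.encode("utf-8")
    msg = (username + client_id).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def secret_hash(username, client_id, client_secret):
    return base64.b64encode(secret_hash_bytes(username, client_id, client_secret)).decode("ascii")


def initiate_auth_body(username, password, client_id, client_secret=None):
    """Body for InitiateAuth with the USER_PASSWORD_AUTH flow (the app client must have
    that flow enabled). SECRET_HASH is only sent when the client has a secret."""
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return {"AuthFlow": "USER_PASSWORD_AUTH", "ClientId": client_id, "AuthParameters": params}


def new_password_body(username, new_password, client_id, session, client_secret=None):
    """Body for RespondToAuthChallenge answering NEW_PASSWORD_REQUIRED. Session must be
    the value returned by the preceding InitiateAuth call."""
    responses = {"USERNAME": username, "NEW_PASSWORD": new_password}
    if client_secret:
        responses["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return {"ChallengeName": "NEW_PASSWORD_REQUIRED", "ClientId": client_id,
            "Session": session, "ChallengeResponses": responses}


def classify_response(resp):
    """("tokens", AuthenticationResult) when the flow finished, otherwise
    ("challenge", ChallengeName, Session) so the caller can answer it."""
    if "AuthenticationResult" in resp:
        return ("tokens", resp["AuthenticationResult"])
    return ("challenge", resp.get("ChallengeName"), resp.get("Session"))


def send_request(region, target, body):
    """POST to the regional endpoint with the X-Amz-Target header, the same call the
    curl commands make. Needs network access and a real user pool; not used below."""
    req = urllib.request.Request(
        "https://cognito-idp.%s.amazonaws.com/" % region,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/x-amz-json-1.1",
                 "X-Amz-Target": "AWSCognitoIdentityProviderService." + target},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample responses in the shape shown in the answer; all values are placeholders.
SAMPLE_CHALLENGE = {
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "ChallengeParameters": {"USER_ID_FOR_SRP": "abababab-0000", "requiredAttributes": "[]"},
    "Session": "DNdY-placeholder-session",
}
SAMPLE_TOKENS = {
    "AuthenticationResult": {"AccessToken": "eyJra.access", "IdToken": "eyJra.id",
                             "RefreshToken": "eyJjd.refresh", "ExpiresIn": 3600,
                             "TokenType": "Bearer"},
    "ChallengeParameters": {},
}


def fake_send(region, target, body):
    """Offline stand-in for send_request: InitiateAuth gets the password challenge,
    RespondToAuthChallenge gets the tokens."""
    return SAMPLE_TOKENS if target == "RespondToAuthChallenge" else SAMPLE_CHALLENGE


def login(username, password, new_password, client_id, client_secret=None,
          region="us-east-2", send=send_request):
    """Run InitiateAuth and, if Cognito asks for a new password, answer that one
    challenge. Any other challenge (MFA, custom) is reported rather than guessed at."""
    kind, *rest = classify_response(
        send(region, "InitiateAuth", initiate_auth_body(username, password, client_id, client_secret)))
    if kind == "tokens":
        return rest[0]
    name, session = rest
    if name != "NEW_PASSWORD_REQUIRED":
        raise RuntimeError("unhandled challenge: %s" % name)
    body = new_password_body(username, new_password, client_id, session, client_secret)
    kind, *rest = classify_response(send(region, "RespondToAuthChallenge", body))
    if kind != "tokens":
        raise RuntimeError("still challenged after password change: %s" % rest[0])
    return rest[0]


if __name__ == "__main__":
    tokens = login("your-email@example.com", "your-first-password", "your-second-password",
                   "5m-placeholder-client-id", client_secret="placeholder-secret", send=fake_send)
    print(tokens["TokenType"], tokens["ExpiresIn"])
```

Two caveats worth keeping in mind when using this against a real pool: USER_PASSWORD_AUTH sends the password itself to the endpoint (over TLS) instead of running the SRP exchange the SDKs use, so it has to be explicitly enabled on the app client, and the response is only as trustworthy as the TLS connection; and the three tokens in AuthenticationResult are bearer credentials, so treat them like the password they replaced rather than logging or echoing them.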