2

I have a command-line app that I want to authenticate against AWS Cognito using OAuth2 with access code flow and hosted login UI. For the similar case, Google Cloud docs explicitly recommend using http://localhost:N redirect URI, so that the application can handle the access code after authentication:

This authorization flow is similar to the one used for web server applications. The main difference is that installed apps must open the system browser and supply a local redirect URI to handle responses from Google's authorization server.

However, with Cognito localhost URIs are only allowed/recommended for testing purposes:

Cognito App Callback

One alternative solution would be using an "out-of-browser" URI urn:ietf:wg:oauth:2.0:oob to display the access code in the browser and make the user copy-paste it to the app, but Cognito doesn't seem to support it.

Currently I am leaning towards running a custom OAuth2 callback handler that would only tell the user to copy-paste the access code, but I don't find it really friendly from the Cognito side.

So, the question:

  1. What's the recommended way to authenticate desktop / command-line apps with Cognito with minimal user interference?
  2. What can go wrong if I ignore the Cognito's recommendation about the localhost redirect URI?
bereal
  • 32,519
  • 6
  • 58
  • 104

1 Answers1

7

LOOPBACK URI

In a desktop app you can use localhost HTTP URLs to receive the authorization response, and that is one valid technique.

The Cognito warning is about using localhost URLs for web app responses, which of course is only suitable for a developer PC. You can ignore the warning when using loopback desktop apps.

OUT OF BROWSER URI

This was used a few years ago to read an authorization response from a web view and is no longer recommended in OAuth for Native Apps.

PRIVATE URI SCHEME

The second valid rechnique is the option I prefer, since it feels more integrated. It involves receiving the authorization response via a URL of the following form, and registering the scheme with the OS to point to your app:

  • com.mycompany.mydesktopapp:/callback

RESOURCES OF MINE

If it helps, I have a couple of desktop samples / blog posts that use Cognito. You can run the samples on your PC, to see which you prefer:

Community
  • 1
  • 1
Gary Archer
  • 22,534
  • 2
  • 12
  • 24
  • Thanks, the private scheme looks like a nice solution if I figure out how to make it cross-platform. As for the loopback URI, when I try setting them in the app client settings, I receive the warning, I updated the question with the screenshot. Am I doing it in a wrong place? – bereal Aug 30 '20 at 14:26
  • Looks fine - loopback URLs have to use localhost - since that's what they are. You can ignore the Cognito warning for desktop apps. My setup is equivalent but involves registering multiple ports in case one is used by another app - see [step 6 of this post](https://authguidance.com/2018/01/17/desktop-app-how-to-run-the-code-sample/). – Gary Archer Aug 30 '20 at 16:43