0

I am really struggling to find out an AWS design that allows me:

  • authenticate an entity to cognito using REST (not with AWS sdk libraries)
  • rests api of cognito need to identify the entity and return results according to it. For instance, an api like "getOrders" will return the orders associated with the entity that has log in.

Evaluated solutions:

  • oAuth authentication, with scope, is non solving this scenario. The entity has to be authenticated using appclientId and secret hence it is not clear how to distinguish the entities (it doesn't make sense to me to create an appclient for all the entities that can log in). Indeed here all the entities can call the same api but the result depends on identity itself and not from the scope. Nevertheless, with this design, it is clear how to get the token using rest api.

  • authenticate to cognito using an username and password associated to the entity. In this way, it would be possible to identify the enity, on apigw, and return the results as expected. On this scenario, it is not clear how to get the token using rest apis (and not using the sdk of aws). I have found this post regardless: What is the REST (or CLI) API for logging in to Amazon Cognito user pools

Am I missing some other best options here? It looks to me a very common scenario but I cannot find a decent solution. Can you please advice which authentication mechanism should be used.

Thanks in advance Marco

Marco Sinigaglia
  • 101
  • 1
  • 7

1 Answers1

0

Cognito exposes standard HTTPS endpoints that allow you to perform the sign in and code-to-token exchange bypassing the AWS APIs. It's available as part of the hosted UI. All of the requests are to be performed against your hosted UI domain. There are six available endpoints:

  1. /login This is where you trigger the sing in. You user will end up on your hosted UI page (documentation).

  2. /logout Closes session on hosted UI side (documentation).

  3. /oauth2/authorize Used to obtain JWT tokens usually within web browser (documentation).

  4. /oauth2/token Similar to the one above but used only in back-end (documentation).

  5. /oauth2/userInfo Used to obtain information about the authenticaated user (documentation).

  6. /oauth2/revoke Used to invalidate provided token (documentation).

With the above endpoints you can implement the entire sign in /sign out flow without the need to use the AWS APIs.

Aleksander Wons
  • 3,611
  • 18
  • 29