My application requires an authorization code grant flow integration with Cognito, and the website responded to me with the Auth-Code accordingly.

https://<poolName>.auth.eu-central-1.amazoncognito.com/login?client_id=<clientID>&response_type=code&scope=email+openid+profile&redirect_uri=<redirectURI>

Now I want to know what email address has logged in. As far as I understood, this is where I would need the JWT token.

How can I query the email address of the token I have just received?

Any help is much appreciated!

Frank

2 Answers

As I was going through that, actually, I still am. I have talked a lot with Amazon Engineers for past weeks, have done a bunch of research on my own and let me clarify couple of things.

  1. Hosted UI is the way to go if you can accept the limitations. This is, after all, a hosted UI; you can only change that much. BUT (!!!!) and I cannot stress this enough: it works only for simple usage. If you start searching you'll see that it doesn't support CUSTOM_AUTH flows, which is extremely useful if you want to implement even something as basic as MFA. So if you dream of a Revolut-like login page with just phone number/email verification - pity, hosted UI will not help.
  2. Hosted UI is more than just UI! It's a whole server! That's why you can't simply replace it.
  3. Now, as we established what hosted UI can't do. What are the alternatives? Of course, you can use other providers like Okta or Auth0, but I assume, you're here because you want to use AWS. But the recommended (by AWS) alternative is to actually implement your own authentication using Amplify SDK. It's quite simple to use, I must say that. But what they don't tell you explicitly, is that it's no longer OIDC flow. Instead, AWS suggests to use their custom flows, such as USER_PASSWORD flow or SRP (Secure Remote Password), where password doesn't fly over http(s) at all. You might ask: can't I have OIDC with Cognito AND custom flows? Well... you can, but it's not that simple. Long story short, you can use both hosted ui and amplify and possibly create your own cool SSO. For details look at their github page where AWS Labs go through some details.
  4. If you can't afford spending the next 2 months working on SSO, but you don't necessarily need the OIDC flow and can settle for another solution, you can easily go for SRP or USERNAME_PASSWORD flows.
  5. If you're like me and you're migrating from the old legacy authentication system done... wherever (;)), go for USERNAME_PASSWORD and utilise user migration lambda trigger in Cognito, where you can automatically migrate users once they login with their old credentials! Neat
  6. AWS Cognito is full of traps... Consider that as well
JFCorleone

First, make sure your Cognito client includes the email OAuth scope. User Pools > my-user-pool > App client settings > Allowed OAuth Scopes.

Then, decode the id token and you will have the email. You can use JWT.io to quickly decode tokens for testing and development.

UPDATE: You can use the POST /oauth2/token endpoint to fetch the tokens. But in general, if you're creating a frontend for users, it's better to use someone else's UI. The Cognito hosted UI works, although it looks a bit dated and it doesn't support MFA/TOTP. The modern approach is to use the Amplify UI Authenticator component, which supports TOTP and all the flows you'd expect (sign-up, password reset, etc).

Nick K9
    Hi Nick. The thing is, when I send the request to Cognito I'll get an auth-code, not the JWT token. And this is exactly my question. My web application requires an auth-code, and I would need the JWT token. In what order I get both is not important. But after login I don't have the JWT token, therefore I cannot decode it and extract the email address of the person who just logged in. – Frank Mar 15 '22 at 16:23
  • What client library are you using to interact with Cognito? – Nick K9 Mar 16 '22 at 12:55
  • At the moment nothing. But this can be modified. The only thing I am performing at the moment is the loginURL as pasted in my question. But whichever library is required to get an Auth-Code + JWT token, I can facilitate. There is a lot of room for creativity. – Frank Mar 17 '22 at 13:20
  • Would need more info to say. React? Angular? Python? Frontend? Backend? Regardless, you should use a library instead of manual HTTP. Assuming JS frontend, there are a lot of pieces to a successful Cognito frontend, from the sign-in form, to password resets, MFA, sign-up. The most straightforward way to use Cognito while accounting for the complexities is to use [Amplify UI](https://ui.docs.amplify.aws/) if you're using JS. Amplify provides API to access the id/access tokens, and refreshes them automatically when they expire. [See here](https://stackoverflow.com/a/71142110/1749551) for more. – Nick K9 Mar 17 '22 at 14:03
  • At the moment I am using plain JS. – Frank Mar 17 '22 at 16:13
  • Here's the documentation for [the endpoint](https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html) which will get you the tokens (`POST /oauth2/token`). But again, you probably want to use Amplify for this. – Nick K9 Mar 17 '22 at 17:08
  • But this endpoint does not provide me the JWT token, or am I wrong? – Frank Apr 01 '22 at 13:09
  • The documentation says it should return access, id and refresh tokens, although I haven't used this API myself. What happens when you follow the example under "Exchanging an authorization code grant with PKCE for tokens"? – Nick K9 Apr 01 '22 at 15:43