Manual Authentication with Amazon Cognito - amazon-web-services

I know of two ways to authenticate as a user and obtain the access token, one is through the Hosted UI and another with various provided SDKs.
What I'm looking for is an endpoint obtain the access token directly with user credentials.
POST https://that-special-endpoint.com/login
{
username: "example#email.com",
password: "Abc123456",
...client ID, etc.
}
I've searched for some time but could not find how to do this. Is this not possible due to some security concerns that I'm not aware of?
I did consider creating a Lambda API and make use of the Cognito SDK to cater for my use case but I'm not sure if it's advisable...

Similar question is answered here. You can access https://cognito-idp.[region].amazonaws.com/ to call InitiateAuth and RespondToAuthChallenge APIs.
InitiateAuth
Create a json file, aws-auth-data.json
{
"AuthParameters": {
"USERNAME": "your-email#example.com",
"PASSWORD": "your-first-password",
"SECRET_HASH": "......(required if the app client is configured with a client secret)"
},
"AuthFlow": "USER_PASSWORD_AUTH",
"ClientId": "5m........................"
}
Send a request on https://cognito-idp.us-east-2.amazonaws.com/ (if the user pool is on us-east-2 region) to call InitiateAuth API and initiate an authentication flow.
curl -X POST --data #aws-auth-data.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-2.amazonaws.com/
Then you'll get the user's tokens.
{
"AuthenticationResult": {
"AccessToken": "eyJra........",
"ExpiresIn": 3600,
"IdToken": "eyJra........",
"RefreshToken": "eyJjd........",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}
RespondToAuthChallenge
You may get a challenge as InitiateAuth response. For example, you will be asked to change password when you make a first 'InitiateAuth' attempt:
{
"ChallengeName": "NEW_PASSWORD_REQUIRED",
"ChallengeParameters": {
"USER_ID_FOR_SRP": "abababab-......",
"requiredAttributes": "[]",
"userAttributes": "{\"email_verified\":\"true\",\"email\":\"your-email#example.com\"}"
},
"Session": "DNdY......"
}
In this case, change the password with RespondToAuthChallenge and you will get tokens.
{
"ChallengeName": "NEW_PASSWORD_REQUIRED",
"ChallengeResponses": {
"USERNAME": "your-email#example.com",
"NEW_PASSWORD": "your-second-password"
},
"ClientId": "5m........................",
"Session": "DNdYN...(what you got in the preceding response)"
}
curl -X POST --data #aws-change-password.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-2.amazonaws.com/
See also:
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html
https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-client-side-authentication-flow

Related

Is there any WSO2I.S REST API to pass an old and new password in case user forgot?

I'm using WSO2 I.S REST API to create users using SCIM 2.0 but I didn't find any method to use in case the user forgot his password. Is there any method? Have any example using a Java application calling this methods?
wso2-is-5.11.0
Please have a look on this document[1] for information on the REST APIs related to the password and username recovery, available in WSO2 Identity Server 5.11.0.
Refer to this WSO2 Identity Server documentation[2] to get to know more about the password recovery feature.
Also you can use SCIM2 APIs patch requests[3] to update the password of a user without using recovery APIs.
Following is an example curl command to update the password of a user by the admin using SCIM2 Users Endpoint.
curl -X PATCH 'https://localhost:9443/scim2/Users/<user-id>' \
-H 'accept: application/scim+json' \
-H 'Content-Type: application/scim+json' \
-H 'Authorization: Basic <base64 encoded(admin username:admin password)>' \
-d '{ "schemas": [ "urn:ietf:params:scim:api:messages:2.0:PatchOp" ], "Operations": [ { "op": "replace", "value": { "password": "newPassword" } } ]}'
[1] https://docs.wso2.com/display/IS511/apidocs/account-recovery/
[2] https://is.docs.wso2.com/en/latest/learn/password-recovery/#password-recovery
[3] https://is.docs.wso2.com/en/latest/develop/scim2-rest-apis/#/Users%20Endpoint/patchUser

Invalid Credentials using Google Cloud Platform Buckets

We have a bucket in Google Cloud Platform to manage pictures.
I am trying to upload a picture to it using Curl.
Respective to the official documentation linked here, this is the Curl-command I used:
curl -X POST --data-binary #cat.jpeg \
-H "Authorization: Bearer A_STRING_SUPPOSED_TO_BE_A_KEY" \
-H "Content-Type: image/jpeg" \
"https://storage.googleapis.com/upload/storage/v1/b/upload_zone/o?uploadType=media&name=cat"
This is the answer we get:
{
"error": {
"code": 401,
"message": "Invalid Credentials",
"errors": [
{
"message": "Invalid Credentials",
"domain": "global",
"reason": "authError",
"locationType": "header",
"location": "Authorization"
}
]
}
}
It seems our key is invalid, we are not sure what to use as Authorization key. Where can we find the OAUTH2.0-key required to make use of the Google Cloud Platform Bucket, do we need to generate it somewhere?
Edit:
We have generated a key using the OAuth 2.0-Playground, and it worked! But the key expires every 3000 seconds...
If you are already authenticated to Google using the gcloud sdk, you can get the key like this:
-H "Authorization: Bearer $(gcloud auth print-identity-token)"
So, using your example above, this should work:
curl -X POST --data-binary #cat.jpeg \
-H "Authorization: Bearer $(gcloud auth print-identity-token)" \
-H "Content-Type: image/jpeg" \
"https://storage.googleapis.com/upload/storage/v1/b/upload_zone/o?uploadType=media&name=cat"

POST, PUT and PATCH resources not working in WSO2 Api Gateway

I am quite new to the WSO2 tools. I recently started using the WSO2 API Manager(ver. 3.1.0).
I created an API gateway by importing the httpbin swagger specs: https://github.com/Azure/api-management-samples/blob/master/apis/httpbin.swagger.json. I published the API, subscribed to it, generated the API keys and started testing.
I imported the spec in Postman, configured the API key for authorization, changed the server to the local gateway http://localhost:8280/Api_Base/1.0
All the resources defined with GET method were accessible, but the POST, PUT and PATCH resources
were not reachable via the gateway. I received the following error response "<faultstring>unknown" for these resources. I tried with cURL as well but got the same results. When I tried POST for httpbin directly it was working just fine:
curl --location --request POST 'http://httpbin.org/post'
{
"args": {},
"data": "",
"files": {},
"form": {},
"headers": {
"Accept": "*/*",
"Host": "httpbin.org",
"User-Agent": "curl/7.58.0",
"X-Amzn-Trace-Id": "Root=1-5e8e0d39-ddf21f1055008f60707cf150"
},
"json": null,
"origin": "95.103.xxx.xxx",
"url": "http://httpbin.org/post"
}
and via my API gateway(with API key as well):
curl --location --request POST 'http://localhost:8280/HTTP_Bin_Mock/1.0/post'
<faultstring>unknown</faultstring>
What could have gone wrong?
please try below CURL command
curl --location --request POST 'http://localhost:8280/HTTP_Bin_Mock/1.0/post' --data '{}' --header 'Content-Type: Application/JSON'

AWS - Cognito Authentication - Curl Call - Generate Token Without CLI - No Client Secret

I have created a API Gateway and I have applied Cognito Authentication there. Here to have the API Call work I am using AWS CLI to get Token , Here is my CLI Code
aws cognito-idp admin-initiate-auth --user-pool-id us-west-2_leb660O8L --client-id 1uk3tddpmp6olkpgo32q5sd665 --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=myusername,PASSWORD=mypassword
Now I want to use CURL Call instead of this CLI Call. I have found the code but all needs client secret here. I do not have client secret as my user pool is of Enable Signin for server-based authentication.
Please guide me how I can use that.
I have gone through
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
[What will be the EndPoint for Calling IntiateAuth Or AdminIntiateAuth]
&
https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
To Summarise this :
I want to get Id_Token Using Curl or Postman without Client Secret.
Thanks in advance
You can authenticate a user with the following request.
This is the endpoint of the InitiateAuth request.
Hope that this is useful for you
Method: POST
Endpoint: https://cognito-idp.{REGION}.amazonaws.com/
Content-Type: application/x-amz-json-1.1
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
Body:
{
"AuthParameters" : {
"USERNAME" : "YOUR_USERNAME",
"PASSWORD" : "YOUR_PASSWORD"
},
"AuthFlow" : "USER_PASSWORD_AUTH", // Don't have to change this if you are using password auth
"ClientId" : "APP_CLIENT_ID"
}
And the response as the following
{
"AuthenticationResult": {
"AccessToken": "YOUR_ACCESS_TOKEN",
"ExpiresIn": 3600,
"IdToken": "YOUR_ID_TOKEN",
"RefreshToken": "YOUR_REFRESH_TOKEN",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}
Just sharing direct curl here may helpful to anyone
curl -X POST --data #user-data.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.<just-replace-region>.amazonaws.com/
file json user-data.json
{"AuthParameters" : {"USERNAME" : "sadfsf", "PASSWORD" : "password"}, "AuthFlow" : "USER_PASSWORD_AUTH", "ClientId" : "csdfhripnv7sq027kktf75"}
make sure your app client does not contain app-secret or create new app without secret. also inside app enable USER_PASSWORD_AUTH

wso2 Idendity server bearer token

i have used wso2 Idendity server version 5.7.
i have created token below curl.
curl -X POST \
https://localhost:9443/oauth2/token \
-H 'Accept: */*' \
-H 'Authorization: Basic dUJqVGZncU1vTHpUQWJwU2U3QXhyYzF3cGRvYTpQVjFLM2ZUM1o3Qm9jVFl3dF9wM214ZzYwQVlh' \
-d 'grant_type=password&username=admin&password=admin'
they will giving below response jwt formate.
{
"access_token": "eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJhdWQiOiJ1QmpUZmdxTW9MelRBYnBTZTdBeHJjMXdwZG9hIiwibmJmIjoxNTU2NjEyMzAxLCJhenAiOiJ1QmpUZmdxTW9MelRBYnBTZTdBeHJjMXdwZG9hIiwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiZXhwIjoxNTU2NjE1OTAxLCJpYXQiOjE1NTY2MTIzMDEsImp0aSI6IjBiNDNiNDJhLTNmMGQtNDczZS05MjgwLWYzMDUyOTE5MDA0NSJ9.BxHpuoYJVpDPH4kauU7C6c9eSn-DDO3k40QQjDSBS3g7_dHDRCXvf1xBFe3dxggth-eomvo1kiIGQtC8_VzvL5umvM1VKkL_DqxDyWmM9CtFHj-MkDROS_81ZcWlME6__69vy68l9_cfM7XCUpkJ2JMAeFV2kS2jAvlIpSn3xcJWDMNNhcC60syrua_aATwNot6DQiy032c1uN2KOWEqLbhLMxDrue41jkhlQ7Kt4i-B7J385O7Rvju6bJ6SoTy-zU92ewXwrXctooLGbd_y-MQmXp0PTp2PqmBtgb5Ryrg9An3AbCavEjzYeJbSj2hIsKzU5dpH_KE670gEGW94jw",
"refresh_token": "253c5d9f-4efd-3b63-8451-66a0f83b2c72",
"token_type": "Bearer",
"expires_in": 3600
}
Problem :
1) when i have called any request using Bearer authorization token,giving below error but Basic YWRtaW46YWRtaW4= working fine.
{
"Errors": [
{
"code": "401",
"description": "Authentication failed for this resource."
}
]
}
2) Refresh token giving plain text how to convert jwt formate also.
Just in case if there is user permission issue, you will get
{"Errors":[{"code":"500","description":"User is not authorized to perform provisioning"}]}
Since your error message is
{
"Errors": [
{
"code": "401",
"description": "Authentication failed for this resource."
}
]
}
it is mainly due to invalid access token. You can check it by simply sending some random string as an access token. I would suggest you to check it from client side where you send correct access token or not.