I have created a API Gateway and I have applied Cognito Authentication there. Here to have the API Call work I am using AWS CLI to get Token , Here is my CLI Code
aws cognito-idp admin-initiate-auth --user-pool-id us-west-2_leb660O8L --client-id 1uk3tddpmp6olkpgo32q5sd665 --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=myusername,PASSWORD=mypassword
Now I want to use CURL Call instead of this CLI Call. I have found the code but all needs client secret here. I do not have client secret as my user pool is of Enable Signin for server-based authentication.
Please guide me how I can use that.
I have gone through
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
[What will be the EndPoint for Calling IntiateAuth Or AdminIntiateAuth]
&
https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
To Summarise this :
I want to get Id_Token Using Curl or Postman without Client Secret.
Thanks in advance
You can authenticate a user with the following request.
This is the endpoint of the InitiateAuth request.
Hope that this is useful for you
Method: POST
Endpoint: https://cognito-idp.{REGION}.amazonaws.com/
Content-Type: application/x-amz-json-1.1
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
Body:
{
"AuthParameters" : {
"USERNAME" : "YOUR_USERNAME",
"PASSWORD" : "YOUR_PASSWORD"
},
"AuthFlow" : "USER_PASSWORD_AUTH", // Don't have to change this if you are using password auth
"ClientId" : "APP_CLIENT_ID"
}
And the response as the following
{
"AuthenticationResult": {
"AccessToken": "YOUR_ACCESS_TOKEN",
"ExpiresIn": 3600,
"IdToken": "YOUR_ID_TOKEN",
"RefreshToken": "YOUR_REFRESH_TOKEN",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}
Just sharing direct curl here may helpful to anyone
curl -X POST --data #user-data.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.<just-replace-region>.amazonaws.com/
file json user-data.json
{"AuthParameters" : {"USERNAME" : "sadfsf", "PASSWORD" : "password"}, "AuthFlow" : "USER_PASSWORD_AUTH", "ClientId" : "csdfhripnv7sq027kktf75"}
make sure your app client does not contain app-secret or create new app without secret. also inside app enable USER_PASSWORD_AUTH
Related
I'm attempting to call Google Cloud's signJwt method with Workload Identity Federation with a service account via domain wide delegation. As far as I can tell I'm following Google's instructions exactly but am getting the following error:
{
"error": {
"code": 400,
"message": "Request contains an invalid argument.",
"status": "INVALID_ARGUMENT"
}
}
I'm running the following curl command in the Cloud Shell
curl -X POST \
-H "Authorization: Bearer $(gcloud auth print-access-token)" \
-H "Content-Type: application/json; charset=utf-8" \
-d #request.json \
"https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/<SA_USERNAME>%40<PROJECT_NAME>.iam.gserviceaccount.com:signJwt"
where request.json contains the following:
{
"payload": "{\"iss\":\"<SA_USERNAME>#<PROJECT_NAME>.iam.gserviceaccount.com\",\"scope\":\"https://www.googleapis.com/auth/gmail.readonly\",\"aud\":\"https://oauth2.googleapis.com/token\",\"exp\":1672868057013,\"iat\":1672868053513,\"sub\":\"<USER_NAME_OF_USER_TO_IMPERSONATE>#<DOMAIN>\"}",
"delegates": [],
}
Why am I getting an invalid argument error?
Try something like this in the request body :
{
"delegates": [
string
],
"payload": string
}
As given in the document:
The sequence of service accounts in a delegation chain. Each service
account must be granted the roles/iam.serviceAccountTokenCreator role
on its next service account in the chain. The last service account in
the chain must be granted the roles/iam.serviceAccountTokenCreator
role on the service account that is specified in the name field of the
request.
The delegates must have the following format: projects/-/serviceAccounts/{ACCOUNT_EMAIL_OR_UNIQUEID}. The - wildcard character is required; replacing it with a project ID is invalid.
Also there is a bug request on it.You can raise a new request if you need it by using the issue tracker.
what is the procedure for getting the list of all the IP address of google compute instances through its API's and how to provide OAuth 2 access token externally
When I am trying to access via the API given by GCP
https://compute.googleapis.com/compute/v1/projects/{project}/zones/{zone}/instances
I am getting the following error
{
"error": {
"code": 401,
"message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
"errors": [
{
"message": "Login Required.",
"domain": "global",
"reason": "required",
"location": "Authorization",
"locationType": "header"
}
],
"status": "UNAUTHENTICATED"
}
}
How do i authenticate ?
The easiest way to get an access token for a curl call to a Google Cloud API is to use the Cloud SDK (provided you have it installed and configured).
Once you've confirmed you're logged in with the correct user or service account (gcloud auth list) you can get an access token for a user account by running:
gcloud auth print-access-token
or for a service account you've configured as default:
gcloud auth application-default print-access-token
You'll need to pass that token as Authorization header to authenticate your call. You can integrate the gcloud command in your curl call like this:
curl https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/instances -H "Authorization: Bearer $(gcloud auth print-access-token)"
You can use jq to parse the response and print only an array of IP objects, for example:
curl https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/instances -H "Authorization: Bearer $(gcloud auth print-access-token)" | jq '[.items | .[] | {ip: .networkInterfaces[].accessConfi
gs[].natIP}]'
It'll print a response of the form:
[
{
"ip": "XX.XXX.XX.XXX"
},
{
"ip": "XXX.XXX.XX.XXX"
}
]
I know of two ways to authenticate as a user and obtain the access token, one is through the Hosted UI and another with various provided SDKs.
What I'm looking for is an endpoint obtain the access token directly with user credentials.
POST https://that-special-endpoint.com/login
{
username: "example#email.com",
password: "Abc123456",
...client ID, etc.
}
I've searched for some time but could not find how to do this. Is this not possible due to some security concerns that I'm not aware of?
I did consider creating a Lambda API and make use of the Cognito SDK to cater for my use case but I'm not sure if it's advisable...
Similar question is answered here. You can access https://cognito-idp.[region].amazonaws.com/ to call InitiateAuth and RespondToAuthChallenge APIs.
InitiateAuth
Create a json file, aws-auth-data.json
{
"AuthParameters": {
"USERNAME": "your-email#example.com",
"PASSWORD": "your-first-password",
"SECRET_HASH": "......(required if the app client is configured with a client secret)"
},
"AuthFlow": "USER_PASSWORD_AUTH",
"ClientId": "5m........................"
}
Send a request on https://cognito-idp.us-east-2.amazonaws.com/ (if the user pool is on us-east-2 region) to call InitiateAuth API and initiate an authentication flow.
curl -X POST --data #aws-auth-data.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-2.amazonaws.com/
Then you'll get the user's tokens.
{
"AuthenticationResult": {
"AccessToken": "eyJra........",
"ExpiresIn": 3600,
"IdToken": "eyJra........",
"RefreshToken": "eyJjd........",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}
RespondToAuthChallenge
You may get a challenge as InitiateAuth response. For example, you will be asked to change password when you make a first 'InitiateAuth' attempt:
{
"ChallengeName": "NEW_PASSWORD_REQUIRED",
"ChallengeParameters": {
"USER_ID_FOR_SRP": "abababab-......",
"requiredAttributes": "[]",
"userAttributes": "{\"email_verified\":\"true\",\"email\":\"your-email#example.com\"}"
},
"Session": "DNdY......"
}
In this case, change the password with RespondToAuthChallenge and you will get tokens.
{
"ChallengeName": "NEW_PASSWORD_REQUIRED",
"ChallengeResponses": {
"USERNAME": "your-email#example.com",
"NEW_PASSWORD": "your-second-password"
},
"ClientId": "5m........................",
"Session": "DNdYN...(what you got in the preceding response)"
}
curl -X POST --data #aws-change-password.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-2.amazonaws.com/
See also:
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html
https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-client-side-authentication-flow
I use POSTMAN to test my Cloudformation created APIs
POST https://6pppnxxxh.execute-api.eu-central-1.amazonaws.com/Prod/users
I got
{
"message": "Missing Authentication Token"
}
My prod stage
I doublechecked PROD Invoke URL.
How to solve this problem?
I tried with curl
curl --header "Content-Type: application/json" --request POST --data '{ "emailaddress" : "acj#rambler.ru,"first name" : "Aca","last name" : "Ljubascikic", "password" : "bbbac_96"}' https://6pppnxxxh.execute-api.eu-central-1.amazonaws.com/Prod/users
The same issue
{"message":"Missing Authentication Token"}
How to test from CLI?
According to your screenshot /Prod/users is a PUT method and you are using POST in your command. I would confirm that first.
Hope this helps.
I' using Cognito user pool for securing my API gateway . Now I would like to make requests to my API using postman but I need to pass in Authorization token as the API is secured. Is there any AWS CLI command or REST API to generate auth tokens(by passing username/password)? I have searched documentation but couldn't find any examples. Thanks for your help.
You can do this using the following CLI commands:
Register a user
aws cognito-idp sign-up --region {your-aws-region} --client-id {your-client-id} --username admin#example.com --password password123
Confirm user registration
aws cognito-idp admin-confirm-sign-up --region {your-aws-region} --user-pool-id {your-user-pool-id} --username admin#example.com
Authenticate (get tokens)
aws cognito-idp admin-initiate-auth --region {your-aws-region} --cli-input-json file://auth.json
Where auth.json is:
{
"UserPoolId": "{your-user-pool-id}",
"ClientId": "{your-client-id}",
"AuthFlow": "ADMIN_NO_SRP_AUTH",
"AuthParameters": {
"USERNAME": "admin#example.com",
"PASSWORD": "password123"
}
}
You should get a response like this if everything is set up correctly:
{
"AuthenticationResult": {
"ExpiresIn": 3600,
"IdToken": "{your-idtoken}",
"RefreshToken": "{your-refresh-token}",
"TokenType": "Bearer",
"AccessToken": "{your-access-token}"
},
"ChallengeParameters": {}
}
Use the following command to generate the auth tokens, fill in the xxxx appropriately based on your cognito configuration,
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id xxxx --auth-parameters USERNAME=xx#xx.com,PASSWORD=xxxx
Note: You can use any one username or password under applicable cognito user pool.
The client can be found under general settings--> app client
The AccessKeyId and SecretAccessKey is not required as it already defined while setting up the aws cli. If not done use the following link to set that up first
https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html
There is an AWS CLI command to generate Auth Tokens. You can use InitiateAuth CLI Command for this.
Note: Make sure you have done the UserPool configuration matching the expected tokens.