Can someone explain to be how to authenticate with a user pool using Postman? I've searched for auth endpoints in the documentation, but I haven't found any references.
I'm pretty sure you are SOL with this. Part of this reason is because authentication with Cognito is highly customizable and therefor fairly application specific. For example you might be using federation with Facebook, Google, Amazon or SAML. You might be be using MFA or some type of custom challenge. If you aren't using federation, Cognito uses SRP by default which means the client side does a bunch of calculations and black magic to make sure that you are securely authenticated without ever sending your password over the wire. Postman isn't going to know how to do this for you and you aren't going to want to do it yourself just for the sake of using Postman.
My suggestion would be to create a simple app that authenticates using the AWS SDK or even better, AWS Amplify. You can print the auth tokens to the screen and just copy them into Postman to make authenticated requests to your API.
Related
I would like to use Amazon cognito as a way to allow users to sign up to my app and validate api calls, so I don't have to handle user passwords or create a custom account recovery email system.
The problem is im not sure I understand how its supposed to work or what tools I am meant to use. Heres how I imagine it:
This way I could use cognito to identify users and authorize api calls.
But I am not sure if this is correct. For example I'm not sure if the frontend is supposed to refresh the tokens or the backend.
I am also not sure if I am meant to implement the code for exchanging and refreshing the token and logging out of users myself, but it seems that way since I can't find any tools that would do that for me.
I have found some libraries concerning aws cognito, but none of them mention exchanging or refreshing tokens:
https://www.npmjs.com/package/amazon-cognito-identity-js
https://www.npmjs.com/package/amazon-cognito-auth-js
https://www.npmjs.com/package/#aws-cdk/aws-cognito
I did find this library mentioned in the documentation that can be used to validate jwt id tokens on the backend.
https://github.com/awslabs/aws-jwt-verify
I am using userpools and no identity pools, since I don't grant users access to my aws resources.
So basically my question is, is my perception of the cognito workflow correct and if yes, how can I exchange the grant code for an id token and how can i use the refresh token to refresh the id token.
I have a spring boot based web application which already authenticates the user. I would like to create some AWS APIs using AWS api gateway and a springboot rest app deployed on EC2. The user will log into the existing application and call the new AWS APIs from the browser ajax calls (like an SPA I guess but I have a server and can use client credentials/secrets if needed). What is the best way to handle security for the APIs. My first thought was to generate a JWT using a shared server side secret for hash and verify it with an AWS lambda. But this seems a bit non standard. Oauth2 might be better but might also be over kill. Not sure the performance would be good. Few requirements
token passed to the API should be a user specific token and have an expiration (and hence a refresh token)
The user is already logged into my web app and calling the api should not issue a login challenge.
AWS API Gateway should be able to verify the token before passing it to the application
Any token passed to the API should probably be generated on the logged in web application. Server knows the user is authenticated and should generate the user access token on behalf of the user. The AWS api should be able to figure out what privileges the user has based on the user principle or scopes in the token
I've thought about using Cognito AWS but I dont want to require the users to preexist in a user pool. Cognito seems geared more for the authentication rather than authorization and I would not be using the cognito login functionality. I dont know if its possible to use the oauth2/token endpoint alone with cognito.
What I have done so far?
I have integrated Microsoft AD with AWS Cognito by adding Trust relationships and setting Cognito Identity provider. In this, I have set up an app domain prefix during Cognito set up. By using the following URL I am able to receive the token by logging in the AD login page. So when I decode this token I getting the required attributes and other information.
What I actually want?
So I don't want my users to be redirected to the AD login page and later to the application. I need just a REST API where I can provide the AD user credentials and this API will return the above JWT token which has all the information.
So in short, I want to get the Cognito JWT token by using the AD user credentials. These users are the part of AD groups which are linked to the AWS IAM by adding trust relationship using ADFS. So is there a way in which I don't need to use the Cognito hosted UI. Instead, my users will hit one API and get the credentials. I don't know what this API is.
Any help will be appreciated.
I am in the same dilemma myself, but I've found a very useful question (with answers) that might help you out.
It's been some time but maybe this will be useful for new people having the same problem nowadays.
What is the REST (or CLI) API for logging in to Amazon Cognito user pools
I think you'd want to enable the ClientCredentials flow in your cognito user pool.
You can read more on this flow here https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/ to make sure it is what you need (oauth flows and grants are the same thing).
The client seems to generate tokens in a way I cannot replicate in Jmeter. The app is not using SSO, or Google authentication. Just username/password
The Authentication flow would be similar in Postman, except Postman has an option for AWS user pools and Jmeter does not (just mentioning this in case anyone has done it manually in Postman).
I've tried everything I know of, I'm on my last straw and I can't believe apparently nobody load tests Cognito apps!
Looking into Amazon Cognito User Pools Auth API Reference - it's normal OAuth so you need to start with AUTHORIZATION endpoint and once you get the key proceed to TOKEN endpoint.
Alternatively you can use AWS SDK for Java from the JSR223 Test Elements.
Check out How to Run Performance Tests on OAuth Secured Apps with JMeter article for more information on bypassing OAuth login challenge in JMeter tests
Does it make sense to attempt to use AWS Cognito as a Django authentication back-end? What would be the advantages of doing so? What would be some challenges / problem areas?
Has anyone done any work in this direction?
It depends a bit on what your goal is for it as a back end. Cognito Identity doesn't currently manage users or user registration...etc. It leverages public providers (e.g. Twitter, Facebook, Digits, Google, Amazon...etc.) to get AWS credentials to access other AWS resources.
What were you hoping to do with this backend?
EDIT: As is commented below, the new Cognito User Pools feature allows this to happen.