Aws Cognito : how to get the token for API command line testing?

Question

I am attempting to authenticate a REST API in AWS API Gateway, which is protected by AWS Cognito through the command line to do some security testing of the API. So, i'm supposed to send the authentication token to get an answer, except i just can't figure out how to get that token!

Our Cognito User Pool is configured for Authorisation Code Grant Flow and Implicit Grant, but not for Client Credentials. Everything I found out during my research was about Client Credentials, so if anyone had a command line that actually works with these parameters it would be really nice!

Answer 1

If you have a REST API in AWS API Gateway that has Cognito Authentication enabled, you would need to pass the JWT Token generated by Cognito in the HTTP Request Header. To retrieve the JWT Token, you could either try a login operation from the Cognito Hosted UI, or you could alternatively try the AWS provided InitiateAuth or AdminInitiateAuth API calls. To give further clarity, if you select the Implicit Grant Flow, you get only an ID Token and an Access Token back. However, if you select the Authorization Code Grant Flow, you get a code back, which you could convert to JWT Tokens while leveraging Cognito's TOKEN Endpoint. An example for the AdminInitiateAuth API call(via the AWS CLI) as stated in the AWS Cognito Documentation is given as follows:

aws cognito-idp admin-initiate-auth --user-pool-id us-west-2_aaaaaaaaa --client-id 3n4b5urk1ft4fl3mg5e62d9ado --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters [email protected],PASSWORD=password

These API calls/the Hosted UI Authentication Mechanism would give you an OIDC compliant ID Token and an Access Token after you login successfully. After you retrieve the Token, you could pass the token to the Token Source that you have set-up while creating the REST API Authorizer in AWS API Gateway. To know more about passing a certain parameter to a cURL request header, you could have a look at this StackOverflow question.