 

AWS Cognito User Authentication

OK. Here is my thing.

We are building a small application on top of Lumen/Laravel. We need the user management to be completely taken care of by AWS Cognito.

Basically 2 simple functionalities.

  1. Push the user details to the AWS Cognito user pool upon a user signup request.
  2. Authenticate the user against the Cognito user pool with a simple email/mobile and password upon a login request.

We need to do this using PHP.

Now the problem is, I am not able to find any PHP API docs with a clear procedure or examples. Cognito is providing APIs only for Android, iOS, JS, Unity and Xamarin. I need a similar kind of documentation for PHP.

Does anyone have a working example for just the above 2 features using the Cognito APIs with PHP?

Note: I have spent more than a day and a half figuring out whether and how this can be done. So please just don't send me any link which appears first or second on your Google search. There is a high possibility I have already seen that link with no luck.

Any help would be appreciated.

user3227262 asked Aug 26 '16 07:08


2 Answers

In order to be able to use any of the API requests, you first need to set up your credentials properly. Doing it server side and outside an EC2 instance, you will need to provide your AWS ACCESS KEY and AWS SECRET ACCESS KEY, App client ID, App client Secret and user pool ID, like so:

// Placeholder values; substitute your own.
$args = [
    'credentials' => [
        'key' => 'AAAAAAAAAA',
        'secret' => 'abacaaswfas',
    ],
    'region' => 'eu-central-1',
    'version' => 'latest',

    'app_client_id' => '3asd123adfs1231sdfs',
    'app_client_secret' => '1sdf123sdfs123sdfsfsdf132fd3213',
    'user_pool_id' => 'eu-central-1_aaaW2Df3',
];

Otherwise you will see all possible kinds of errors until you get the proper IDs in place.

To get the AWS ACCESS KEY and AWS SECRET ACCESS KEY, go to your AWS console, click on your name, then go to account, then click on your name again, go to 'My security credentials', then I guess you'll find your way out.

To get the App client ID and App client Secret you need to create your User Pool first, then go to App Client and create one (you can find the pool ID under General Settings).

A simple Login query

use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;

$client = new CognitoIdentityProviderClient($args);
$result = $client->adminInitiateAuth([
    'AuthFlow' => 'ADMIN_NO_SRP_AUTH',
    'AuthParameters' => [
        'USERNAME' => YOUR_USERNAME_HERE,
        'PASSWORD' => YOUR_PASS_HERE,
        // HMAC-SHA256 over username . client ID, keyed with the client secret, base64-encoded
        'SECRET_HASH' => base64_encode(hash_hmac('sha256', YOUR_USERNAME_HERE . APP_CLIENT_ID, APP_CLIENT_SECRET, true)),
    ],
    'ClientId' => APP_CLIENT_ID,
    'UserPoolId' => USER_POOL_ID,
]);

If you get this to work, you should be able to use any of the Actions listed in the documentation here.

Note: This is working on API Version 2016-04-18 and PHP 7.1; please make sure you are using the same version, or at least that there are no major changes in the API, before assuming this will work for you.

Note 2: The IDs I used are totally random, but they should have the same format.

Mohamed Salem Lamiri answered Oct 22 '22 14:10


Unfortunately, there are no working examples for PHP. Currently Cognito supports high level SDKs for those you mentioned, but doesn't support high level SDK for PHP. The low level SDK can be used by calling the APIs mentioned below.

http://docs.aws.amazon.com/aws-sdk-php/v3/api/class-Aws.CognitoIdentityProvider.CognitoIdentityProviderClient.html

The example below should work with a bit of translation to PHP, as should most of the code inside this SDK https://github.com/aws/aws-sdk-android/blob/master/aws-android-sdk-cognitoidentityprovider/src/main/java/com/amazonaws/mobileconnectors/cognitoidentityprovider/CognitoUser.java

Instead of calling InitiateAuth, you may want to call the AdminInitiateAuth API with the ADMIN_NO_SRP_AUTH parameter, so that you don't need to do the SRP computation in PHP. The high level SDKs provide a wrapper around this calculation that manages it for you, but doing it on your own is quite difficult.

Yisha answered Oct 22 '22 16:10
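Both features from the question, sketched with the low-level client and the ADMIN_NO_SRP_AUTH flow that the two answers describe. This is an added example, not code from either answerer or from AWS. It assumes aws/aws-sdk-php is installed via Composer and that the pool accepts the email address as the username; the function names and the AWS_REGION / COGNITO_* environment variable names are assumptions.

```php
<?php
// Added example, not the answerers' code. Function and env var names are assumptions.
require __DIR__ . '/vendor/autoload.php';
use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
use Aws\CognitoIdentityProvider\Exception\CognitoIdentityProviderException;

// SECRET_HASH = base64(HMAC-SHA256(key = client secret, msg = username . client id)).
function secretHash(string $username, array $cfg): string
{
    return base64_encode(hash_hmac('sha256', $username . $cfg['client_id'], $cfg['client_secret'], true));
}

// Feature 1: create the user in the pool; returns the new user's "sub" identifier.
function signUp(CognitoIdentityProviderClient $client, array $cfg, string $email, string $password): string
{
    $result = $client->signUp([
        'ClientId'       => $cfg['client_id'],
        'SecretHash'     => secretHash($email, $cfg),
        'Username'       => $email,
        'Password'       => $password,
        'UserAttributes' => [['Name' => 'email', 'Value' => $email]],
    ]);
    return $result->get('UserSub');
}

// Feature 2: server-side login without SRP. Returns the token set,
// or null on failure or when Cognito answers with a challenge instead of tokens.
function login(CognitoIdentityProviderClient $client, array $cfg, string $username, string $password): ?array
{
    try {
        $result = $client->adminInitiateAuth([
            'AuthFlow'       => 'ADMIN_NO_SRP_AUTH',
            'ClientId'       => $cfg['client_id'],
            'UserPoolId'     => $cfg['user_pool_id'],
            'AuthParameters' => [
                'USERNAME'    => $username,
                'PASSWORD'    => $password,
                'SECRET_HASH' => secretHash($username, $cfg),
            ],
        ]);
    } catch (CognitoIdentityProviderException $e) {
        // Log the error code server-side; the caller gets one generic failure either way.
        error_log('Cognito login failed: ' . $e->getAwsErrorCode());
        return null;
    }
    return $result->get('AuthenticationResult');
}
// No 'credentials' key: the SDK default chain reads AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY.
$client = new CognitoIdentityProviderClient(['region' => getenv('AWS_REGION'), 'version' => '2016-04-18']);
$cfg = ['client_id' => getenv('COGNITO_CLIENT_ID'), 'client_secret' => getenv('COGNITO_CLIENT_SECRET'), 'user_pool_id' => getenv('COGNITO_USER_POOL_ID')];
```

Errors from `signUp()` (for example an already registered username) surface as `CognitoIdentityProviderException` and are left for the caller to handle. The username passed to `secretHash()` must be the same string sent in the request, or Cognito rejects the hash.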