
Can I authenticate with AWS Cognito from plain Java?

I want to test custom user authorization with Cognito and do it from simple Java code. The problem is, the CognitoCachingCredentialsProvider requires an Android ApplicationContext and won't accept a null.

The whole flow is supposed to go like this:

  1. User logs in using an email and password
  2. Backend (a Lambda function) gets an IdentityToken from Cognito and returns it to the user
  3. User can now retrieve credentials from Cognito and initialize an ApiClientFactory to authorize calls to other API endpoints

Is there something I'm missing or do I just have the whole concept wrong? Any good tutorials on this? I've already gone through every possible documentation on AWS but I find it really hard to wrap my head around it and there is not a single material on plain Java, only Android.

Myzreal asked Oct 06 '15 13:10




1 Answer

Generally Amazon Cognito is used from "untrusted" clients like mobile and JavaScript apps to vend temporary AWS Credentials directly to the end user. Since the most common Java client-side apps we see are Android apps, our guides focus on Android rather than plain Java, but the same process will work with the Java SDK.

Server Side

When using Amazon Cognito's Developer Authenticated Identities feature as you mentioned you are doing, you'll get an OpenID Connect token back from the call to Amazon Cognito's GetOpenIdTokenForDeveloperIdentity on your backend (lambda) function. Your backend should provide that token to the client application after successfully authenticating the user.

Client Side

Then the client-side application needs to make a call to Cognito's GetCredentialsForIdentity API (Java docs) passing in the token from the Server Side step above to get AWS Session Credentials as a Credentials object in the Java SDK. With these session credentials (which are effectively credentials from the AWS Security Token Service/STS), create a BasicSessionCredentials object, passing it the session credentials and session token as described under Explicitly Specifying Credentials in the Java SDK developer guide.

Scott Willeke answered Oct 21 '22 23:10
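The two steps from the answer in plain Java, as an added example that is not part of the original answer or AWS's own sample code. It assumes the AWS SDK for Java 1.x (`aws-java-sdk-cognitoidentity`) on the classpath and an existing identity pool with a developer provider configured. The region, pool ID, provider name and user ID are placeholders.

```java
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.AnonymousAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.cognitoidentity.AmazonCognitoIdentity;
import com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClientBuilder;
import com.amazonaws.services.cognitoidentity.model.*;
import java.util.Collections;

public class CognitoDeveloperAuthExample {
    // Placeholders (assumptions): substitute your own values.
    static final String REGION = "us-east-1";
    static final String IDENTITY_POOL_ID = "REGION:IDENTITY-POOL-GUID-PLACEHOLDER";
    static final String DEVELOPER_PROVIDER = "login.example.app";

    // Server side (the Lambda): signed with the function's IAM role via the default
    // credential chain. Call it only after your own email/password check has passed;
    // these long-lived credentials must never be shipped to the client.
    static GetOpenIdTokenForDeveloperIdentityResult issueToken(String verifiedUserId) {
        AmazonCognitoIdentity cognito =
                AmazonCognitoIdentityClientBuilder.standard().withRegion(REGION).build();
        return cognito.getOpenIdTokenForDeveloperIdentity(
                new GetOpenIdTokenForDeveloperIdentityRequest()
                        .withIdentityPoolId(IDENTITY_POOL_ID)
                        .withLogins(Collections.singletonMap(DEVELOPER_PROVIDER, verifiedUserId))
                        .withTokenDuration(900L)); // seconds; keep the token short-lived
    }

    // Client side: GetCredentialsForIdentity is an unsigned call, so the client holds
    // no AWS secret. For developer-authenticated identities the Logins key is the
    // fixed string "cognito-identity.amazonaws.com" and the value is the OpenID token.
    static BasicSessionCredentials exchange(String identityId, String openIdToken) {
        AmazonCognitoIdentity cognito = AmazonCognitoIdentityClientBuilder.standard()
                .withRegion(REGION)
                .withCredentials(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()))
                .build();
        Credentials c = cognito.getCredentialsForIdentity(
                new GetCredentialsForIdentityRequest()
                        .withIdentityId(identityId)
                        .withLogins(Collections.singletonMap(
                                "cognito-identity.amazonaws.com", openIdToken)))
                .getCredentials();
        return new BasicSessionCredentials(
                c.getAccessKeyId(), c.getSecretKey(), c.getSessionToken());
    }

    public static void main(String[] args) {
        // Both halves run in one process here only for illustration.
        GetOpenIdTokenForDeveloperIdentityResult issued = issueToken("user-1234"); // constructed ID
        BasicSessionCredentials creds = exchange(issued.getIdentityId(), issued.getToken());
        System.out.println("Temporary access key id: " + creds.getAWSAccessKeyId());
    }
}
```

The backend has to return the identity ID along with the token, because the client-side call needs both. What the resulting session credentials can do is bounded by the IAM role attached to the identity pool's authenticated identities.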