How do I authenticate against an AWS Cognito User Pool?

I've created a Cognito User Pool. I can list the users and add the users using the AWSCognitoIdentityProviderClient from the Java AWS SDK.

However, I have a custom login page and I wish to take the entered username and password and authenticate against my User Pool. I don't see anywhere in the Java AWS SDK where I can pass credentials and get an authentication result from.

Edit: I can't get past this error:

    NotAuthorizedException: Missing credentials in config

Relevant code:

    AWS.config.region = 'us-east-1';
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-east-1:087a3210-64f8-4dae-9e3c...' // your identity pool id here
    });

    AWSCognito.config.region = 'us-east-1';
    AWSCognito.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'us-east-1:087a3210-64f8-4dae-9e3c...' // your identity pool id here
    });

    var poolData = {
        UserPoolId: 'us-east-1_39RP...',
        ClientId: 'ttsj9j5...',
        ClientSecret: 'bkvkj9r8kl2ujrlu41c7krsb6r7nub2kb260gj3mgi...'
    };
    var userPool = new AWSCognito.CognitoIdentityServiceProvider.CognitoUserPool(poolData);

    var authenticationData = {
        Username: '[email protected]',
        Password: 'foobarfoo',
    };
    var authenticationDetails = new AWSCognito.CognitoIdentityServiceProvider.AuthenticationDetails(authenticationData);
    var userData = {
        Username: '[email protected]',
        Pool: userPool
    };
    var cognitoUser = new AWSCognito.CognitoIdentityServiceProvider.CognitoUser(userData);
    cognitoUser.authenticateUser(authenticationDetails, {
        onSuccess: function (result) {
            console.log('access token + ' + result.getAccessToken().getJwtToken());
        },

        onFailure: function (err) {
            alert(err);
        },

    });
user1432403 asked Apr 25 '16 12:04


2 Answers

The AWS Java SDK includes APIs to authenticate users in a User Pool. You can authenticate a user using either the InitiateAuth API or the AdminInitiateAuth API of the AWSCognitoIdentityProviderClient class. The difference between these two APIs is explained in the documentation. In short, for InitiateAuth, you need to perform SRP calculations and then pass the result to the API, while in AdminInitiateAuth you can directly pass the username and password. You can read about the security implications in both cases and decide which one to use.

Documentation: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html

API reference: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html

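My working sample (Groovy):

    import com.amazonaws.regions.Region
    import com.amazonaws.regions.Regions
    import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClient
    import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthRequest
    import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthResult
    import com.amazonaws.services.cognitoidp.model.AuthFlowType

    def login() {
        // The client picks up AWS credentials from the default provider chain.
        AWSCognitoIdentityProviderClient client = new AWSCognitoIdentityProviderClient()
        println("Provider client: " + client)
        client.setRegion(Region.getRegion(Regions.AP_NORTHEAST_1))

        // ADMIN_NO_SRP_AUTH takes the username and password directly.
        Map<String, String> authParams = new HashMap<>()
        authParams.put("USERNAME", "User1")
        authParams.put("PASSWORD", "a*123")
        AdminInitiateAuthRequest adminInitiateAuthRequest = new AdminInitiateAuthRequest()
                .withClientId("<YOUR_CLIENT_ID>")        // placeholder: app client id
                .withUserPoolId("<YOUR_USER_POOL_ID>")   // placeholder: user pool id
                .withAuthFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
                .withAuthParameters(authParams)
        AdminInitiateAuthResult result = client.adminInitiateAuth(adminInitiateAuthRequest)
        if (result != null) {
            System.out.println("AdminInitiateAuthResult:")
            System.out.println(result.toString())
        } else {
            System.out.println("No result available")
            return
        }
    }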
neel answered Oct 09 '22 16:10
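
Added example, not part of the answer above or of AWS's own code: a server-side Java helper around the same `adminInitiateAuth` call that also sends `SECRET_HASH` when the app client has a secret, treats a pending challenge separately from a token result, and maps bad-credential errors to one generic failure. The class name and the three `COGNITO_*` environment variables are assumptions; it expects AWS SDK for Java v1 on the classpath and IAM credentials permitted to call AdminInitiateAuth.

```java
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClientBuilder;
import com.amazonaws.services.cognitoidp.model.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class CognitoServerLogin { // hypothetical class name
    // Assumed configuration: kept on the server, never sent to the browser.
    private static final String POOL_ID = System.getenv("COGNITO_USER_POOL_ID");
    private static final String CLIENT_ID = System.getenv("COGNITO_CLIENT_ID");
    private static final String CLIENT_SECRET = System.getenv("COGNITO_CLIENT_SECRET"); // null if none

    // Region and IAM credentials come from the SDK's default provider chains.
    private final AWSCognitoIdentityProvider idp = AWSCognitoIdentityProviderClientBuilder.defaultClient();

    // SECRET_HASH = Base64(HMAC-SHA256(key: client secret, message: username + client id))
    static String secretHash(String username, String clientId, String secret) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        mac.update(username.getBytes(StandardCharsets.UTF_8));
        byte[] digest = mac.doFinal(clientId.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Tokens on success; empty for any credential failure, so the login page
    // can show one generic message and not reveal which usernames exist.
    public Optional<AuthenticationResultType> login(String username, String password) throws Exception {
        Map<String, String> params = new HashMap<>();
        params.put("USERNAME", username);
        params.put("PASSWORD", password);
        if (CLIENT_SECRET != null) {
            params.put("SECRET_HASH", secretHash(username, CLIENT_ID, CLIENT_SECRET));
        }
        AdminInitiateAuthRequest request = new AdminInitiateAuthRequest()
                .withUserPoolId(POOL_ID).withClientId(CLIENT_ID)
                .withAuthFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
                .withAuthParameters(params);
        try {
            AdminInitiateAuthResult result = idp.adminInitiateAuth(request);
            if (result.getChallengeName() != null) { // e.g. NEW_PASSWORD_REQUIRED: no tokens yet
                throw new IllegalStateException("Challenge pending: " + result.getChallengeName());
            }
            return Optional.ofNullable(result.getAuthenticationResult()); // do not log the tokens
        } catch (NotAuthorizedException | UserNotFoundException e) {
            return Optional.empty();
        }
    }
}
```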


Authentication is only supported via JavaScript, iOS and Android at this time. The necessary APIs to authenticate are not part of the server SDKs (Java, Python et al.) during the beta. Using the JavaScript SDK is the recommended way of authenticating from your login page.

behrooziAWS answered Oct 09 '22 16:10