How do i make logins happen via Amazon Cognito REST APIs (for user pools) on platforms for which there is no official SDK? - Note that i am asking for user pools - not identity pools.
Amazon cognito provides 3 kinds of logins:
I am using the second one (with User Pools)
Amazon cognito has several SDKs for android, iOS, javascript, Xamarin etc. Cognito also provides REST APIs for building on platforms other than those supported by official SDKs. I am building an app for a different platform and, hence, REST API is my only way as there is no official SDK for my platform.
The Cognito REST API provides various endpoints for 'sign up', 'forgot password', 'confirm verification' etc, but surprisingly, the REST API does not have any endpoint for simple signin / login.
From Cognito CLI API docs I have all the OFFICIAL CLI APIs necessary to "signup users", "confirm signups", "change passwords", "verify phone numbers", "forgot passwords" etc. Surprisingly there is no CLI API mentioned for LOGINs. I was hoping there should be some CLI API like "$ aws cognito-idp log-in
" just like there is for "$ aws cognito-idp sign-up
" or for "$ aws cognito-idp forgot-password
" etc.
Also from this getting started tutorial it talks about "*what should be done with tokens received AFTER successful authentication of a user*". However, it doesn't talk about HOW TO make the successful authentication happen on the first place with Cognito User Pool APIs. Examples are available only for Android, iOS, javascript SDKs. There are no authentication examples available for platforms which do not have SDKs.
Hence, How do i make logins happen via Amazon Cognito REST APIs (for user pools) on platforms for which there is no official SDK?
Instead of using the API Gateway console, you can also enable an Amazon Cognito user pool on a method by specifying an OpenAPI definition file and importing the API definition into API Gateway.
Use the Amazon Cognito console, CLI/SDK, or API to create a user pool—or use one that's owned by another AWS account. Use the API Gateway console, CLI/SDK, or API to create an API Gateway authorizer with the chosen user pool. Use the API Gateway console, CLI/SDK, or API to enable the authorizer on selected API methods.
Go to AWS Cognito service and click “Manage Identity Pools”. 2. Enter “Identity pool name”, expand the “Authentication providers” section and select “Cognito” tab. This is where the Cognito authentication provider will be registered with the Identity pool.
This curl
command works for me:
curl -X POST --data @aws-auth-data.json \ -H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \ -H 'Content-Type: application/x-amz-json-1.1' \ https://cognito-idp.us-east-1.amazonaws.com/
Where aws-auth-data.json
is:
{ "AuthParameters" : { "USERNAME" : "[email protected]", "PASSWORD" : "yourpassword" }, "AuthFlow" : "USER_PASSWORD_AUTH", "ClientId" : "75........................" }
The user pool client must allow USER_PASSWORD_AUTH
for this to work - that's an AWS-side setting.
Update:
As you pointed out in the comments below, the authentication flow is documented here: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html. This might help to clarify the authentication flow
It is somewhat counter-intuitive, but it does make sense for mobile apps where you don't want to have the user explicitly sign in, but instead carry tokens around for the user. Note that there is an explicit signin (login) API in the AWS Userpools SDK for iOS. I have not used it, but I suppose it is just an alternate client side API to get through the same InitiateAuth()
followed by a RespondToAuthChallenge()
flow. The iOS signin example is documented here - IOS SDK Example: Sign in a User
Original Post:
The Cognito User Pools API documentation for initiating auth is available here
The way it works becomes clearer if you implement a user pools application in one of the SDK's (I did one in Swift for iOS, it is clarified because the logging of the JSON responses is verbose and you can kind of see what is going on if you look through the log).
But assuming I understand your question: In summary you should InitiateAuth()
and the response to that (from the Cognito User Pools server) is a challenge. Then you do RespondToAuthChallenge()
(also documented in that API doc) and the response to that is an authentication result - assuming that the password / session / token were accepted.
The combination of those two things is, I believe, what you are calling LOGIN, and it works like a login. In the API's, the way it is set up is that attempts to get user information when the user is unauthenticated kicks off that InitiateAuth()
and (in iOS anyway) the API does a callback to the code you write to ask for passwords, and send a RespondToAuthChallenge()
request etc.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With