How do I obtain an ID token from Cognito without hosted UI

0

I'm developing an API that will be used by several companies in their IT landscape. I'm looking to use Cognito as the user pool for authenticating API Gateway requests. I've created pools and an API and have obtained an ID token in Postman for a proof of concept, but I can't seem to figure out how to get an ID token without using the hosted UI. As my customers' developers will integrate with my API in their integration platforms, obtaining a token is something that must be possible without logging in to a web page.

2 Answers
1

Hello.

You can obtain an ID token from Amazon Cognito without using the hosted UI by performing the OAuth 2.0 token endpoint request. You can use the "password" grant type if you want to exchange a user's username and password for tokens directly.

Below are the steps to obtain an ID token using the AWS CLI and an HTTP request.

Using AWS CLI

You can use the initiate-auth command in AWS CLI to initiate the authentication process.

  • Install AWS CLI: Make sure you have the AWS Command Line Interface installed.
  • Configure AWS CLI: Run aws configure to set your credentials and default region.

Run the initiate-auth Command:

# USER_PASSWORD_AUTH must be enabled on the app client (ALLOW_USER_PASSWORD_AUTH).
# If the app client has a secret, also pass SECRET_HASH=<base64(HMAC-SHA256(username + client_id, secret))>.
aws cognito-idp initiate-auth \
  --auth-flow USER_PASSWORD_AUTH \
  --auth-parameters USERNAME=your_username,PASSWORD=your_password \
  --client-id your_app_client_id \
  --region your_aws_region \
  --query 'AuthenticationResult.IdToken' \
  --output text

Using HTTP Request

Install a tool for sending HTTP requests: install a tool like curl or use a platform like Postman.

# The hosted UI's /oauth2/token endpoint does not accept grant_type=password, so the
# request goes to the InitiateAuth API instead: an unsigned JSON POST to the regional endpoint.
curl -X POST \
  --url https://cognito-idp.your_region.amazonaws.com/ \
  --header 'Content-Type: application/x-amz-json-1.1' \
  --header 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
  --data '{
    "AuthFlow": "USER_PASSWORD_AUTH",
    "ClientId": "your_app_client_id",
    "AuthParameters": {"USERNAME": "your_username", "PASSWORD": "your_password"}
  }'
# The ID token is returned as AuthenticationResult.IdToken in the JSON response.

Regards, Andrii

EXPERT
answered 7 months ago
  • Hi Andrii! With your example, I only get "unsupported grant type". I can't seem to find anything about a password grant type.

0

If you want to use OAuth you have to use the hosted UI. Cognito supports the grant types Authorization code grant, Implicit grant and Client credentials. It does not support Resource owner password credentials. However, from your description you don't need/want to use OAuth. Refer to "User pool authentication flow" https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html to select an authentication flow that is suitable for your use case (the application that your customer develops).

AWS
answered 6 months ago
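The two answers above describe the same path from different sides: the ID token comes from the user pool's InitiateAuth API (USER_PASSWORD_AUTH), not from the /oauth2/token endpoint, which only offers the OAuth grants and rejects grant_type=password. The script below is an added example, not code from either answer or from AWS; it builds the InitiateAuth request, computes the SECRET_HASH that clients with a secret need (a common cause of NotAuthorizedException), pulls the ID token out of the response, and performs the claim checks a resource server does after signature verification. The region, pool ID, app client ID and credentials are placeholders read from environment variables; the `make_unsigned_test_token` helper is a constructed, unsigned token used only so the claim checks can run offline, and signature verification against the pool's JWKS is deliberately left out.

```python
"""Obtain a Cognito ID token via InitiateAuth (USER_PASSWORD_AUTH), no hosted UI.

Added example. Pool, client and credentials are placeholders from the environment.
"""
import base64
import hashlib
import hmac
import json
import os
import time
import urllib.request


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH required when the app client has a secret:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_initiate_auth_request(region, client_id, username, password, client_secret=None):
    """Raw InitiateAuth call: an unsigned JSON POST to the regional cognito-idp
    endpoint (not /oauth2/token, which has no password grant)."""
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    body = {"AuthFlow": "USER_PASSWORD_AUTH", "ClientId": client_id,
            "AuthParameters": params}
    return {
        "url": f"https://cognito-idp.{region}.amazonaws.com/",
        "headers": {
            "Content-Type": "application/x-amz-json-1.1",
            "X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth",
        },
        "body": body,                                  # JSON object, for inspection
        "data": json.dumps(body).encode("utf-8"),      # bytes actually sent
    }


def id_token_from_response(response_json: dict) -> str:
    """A successful reply carries AuthenticationResult.IdToken; a ChallengeName
    (e.g. NEW_PASSWORD_REQUIRED) means RespondToAuthChallenge is needed first."""
    if "ChallengeName" in response_json:
        raise RuntimeError(f"challenge pending: {response_json['ChallengeName']}")
    return response_json["AuthenticationResult"]["IdToken"]


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claim_problems(token: str, region: str, user_pool_id: str, client_id: str, now=None):
    """Claim checks a resource server performs AFTER verifying the RS256 signature
    against the pool's JWKS. Returns a list of problems; empty means the claims pass."""
    now = time.time() if now is None else now
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    problems = []
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        problems.append("issuer mismatch")
    if claims.get("aud") != client_id:          # ID tokens carry aud; access tokens use client_id
        problems.append("audience mismatch")
    if claims.get("token_use") != "id":
        problems.append("not an ID token")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed, UNSIGNED token for offline demonstration only. Real ID tokens are
    RS256-signed and must be verified against the pool's JWKS before claims are trusted."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def fetch_id_token(region, client_id, username, password, client_secret=None):
    """Live call; needs network access and a real pool with ALLOW_USER_PASSWORD_AUTH."""
    req = build_initiate_auth_request(region, client_id, username, password, client_secret)
    http = urllib.request.Request(req["url"], data=req["data"],
                                  headers=req["headers"], method="POST")
    with urllib.request.urlopen(http, timeout=10) as resp:
        return id_token_from_response(json.load(resp))


if __name__ == "__main__":
    print(fetch_id_token(os.environ["COGNITO_REGION"], os.environ["COGNITO_CLIENT_ID"],
                         os.environ["COGNITO_USERNAME"], os.environ["COGNITO_PASSWORD"],
                         os.environ.get("COGNITO_CLIENT_SECRET")))
```

For a machine-to-machine integration where no human user exists at all, the client credentials grant on /oauth2/token is the cleaner fit, but it yields an access token with custom scopes rather than an ID token, so the API Gateway authorizer must be configured for that.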
