
cognito return me id_token: how can I obtain a code or access and refresh token?


I have an already established SSO flow which returns only an id_token from Cognito (custom UI).

Question: can I manually call any API to obtain the code (which I can then exchange for access and refresh tokens), or directly obtain the access + refresh token pair?

1 Answer

Hi realtebo,

Clarifying the Issue

This question revolves around obtaining an authorization code or token pair (access and refresh) from Amazon Cognito. You mentioned that you already receive an id_token through a custom UI and SSO but are seeking a way to manually call an API to retrieve the authorization code or the access and refresh tokens.

Let's dive into this now.


Our Solution

You can achieve this by leveraging Amazon Cognito's OAuth2 Authorization Code Flow or Resource Owner Password Grant Flow, depending on your architecture. Since you already receive an id_token but need the access_token and refresh_token, here are the main approaches:

  1. Authorization Code Flow:
    You can redirect your custom UI to the Cognito Authorization endpoint to retrieve an authorization code. You then exchange this code for the token pair (id_token, access_token, and refresh_token).
    Example token endpoint API call:

    POST /oauth2/token HTTP/1.1
    Host: <your-domain>.auth.<region>.amazoncognito.com
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=authorization_code&
    client_id=<your-client-id>&
    code=<authorization-code>&
    redirect_uri=<your-redirect-uri>
  2. Direct Resource Owner Password Grant (ROPG):
    If you need tokens directly from the API without a full redirect flow, you can use the username and password to call the token endpoint. Ensure this flow aligns with your security requirements.
    Example API call:

    POST /oauth2/token HTTP/1.1
    Host: <your-domain>.auth.<region>.amazoncognito.com
    Content-Type: application/x-www-form-urlencoded
    
    grant_type=password&
    client_id=<your-client-id>&
    username=<your-username>&
    password=<your-password>&
    scope=openid

I hope this approach works for your use case. Let me know if you need deeper details or further clarification!

Cheers, Aaron 😊

answered a year ago
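Added example, not part of the question or the answer above. It walks the authorization-code route end to end on the client side: generating PKCE and state, building the /oauth2/authorize URL, checking state on the callback, exchanging the code at /oauth2/token, and using the refresh_token grant afterwards. Two facts it encodes are worth stating plainly: an id_token cannot be traded for an access/refresh pair, and Cognito's /oauth2/token endpoint only accepts grant_type values authorization_code, refresh_token and client_credentials, so the grant_type=password request in the second example above is rejected by Cognito (the username/password equivalent is the USER_PASSWORD_AUTH flow on the cognito-idp InitiateAuth API, not the OAuth2 token endpoint). The domain, client id, redirect URI and the in-process token endpoint are all constructed so the code runs offline; the `post` callable is injected so the same functions work against the real endpoint via `http_post`.

```python
"""Cognito authorization-code flow with PKCE, runnable offline.

Assumed values: hypothetical Cognito domain, app client id and redirect URI.
FakeTokenEndpoint is a constructed stand-in for Cognito's /oauth2/token.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

DOMAIN = "example-auth.auth.eu-west-1.amazoncognito.com"   # assumption
CLIENT_ID = "1example23456789abcdefghijk"                   # assumption
REDIRECT_URI = "https://app.example.com/callback"           # assumption

# grant_type values Cognito's token endpoint accepts; "password" (ROPG) is not among them.
SUPPORTED_GRANTS = {"authorization_code", "refresh_token", "client_credentials"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_pkce() -> tuple:
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def authorize_url(state: str, code_challenge: str, scopes=("openid", "email")) -> str:
    """Where to send the user agent; the code comes back on REDIRECT_URI."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes), "state": state,
        "code_challenge_method": "S256", "code_challenge": code_challenge,
    }
    return f"https://{DOMAIN}/oauth2/authorize?" + urlencode(params)


def token_request(grant: str, **fields) -> tuple:
    """Build (url, form body) for /oauth2/token, refusing grants Cognito does not offer."""
    if grant not in SUPPORTED_GRANTS:
        raise ValueError(f"Cognito /oauth2/token does not support grant_type={grant}")
    return f"https://{DOMAIN}/oauth2/token", {"grant_type": grant, "client_id": CLIENT_ID, **fields}


def exchange_code(code: str, code_verifier: str, post) -> dict:
    url, body = token_request("authorization_code", code=code,
                              redirect_uri=REDIRECT_URI, code_verifier=code_verifier)
    return post(url, body)


def refresh(refresh_token: str, post) -> dict:
    url, body = token_request("refresh_token", refresh_token=refresh_token)
    return post(url, body)


def http_post(url: str, body: dict) -> dict:
    """Real transport for the functions above: form-encoded POST, JSON back."""
    req = Request(url, data=urlencode(body).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


class FakeTokenEndpoint:
    """Constructed token endpoint: binds a code to its PKCE challenge, single use."""

    def __init__(self, code: str, challenge: str):
        self.issued = {code: challenge}

    def __call__(self, url: str, body: dict) -> dict:
        assert urlparse(url).path == "/oauth2/token"
        if body["grant_type"] == "authorization_code":
            expected = self.issued.pop(body["code"], None)          # consume the code
            got = _b64url(hashlib.sha256(body["code_verifier"].encode()).digest())
            if expected is None or got != expected:
                return {"error": "invalid_grant"}
            return {"id_token": "id.example", "access_token": "access.example",
                    "refresh_token": "refresh.example", "token_type": "Bearer", "expires_in": 3600}
        if body["grant_type"] == "refresh_token":
            # Cognito returns fresh id/access tokens but no new refresh token on this grant.
            return {"id_token": "id2.example", "access_token": "access2.example",
                    "token_type": "Bearer", "expires_in": 3600}
        return {"error": "unsupported_grant_type"}


def demo() -> dict:
    state = secrets.token_urlsafe(16)
    verifier, challenge = make_pkce()
    url = authorize_url(state, challenge)
    code = "constructed-auth-code"                # what the IdP would return on the callback
    endpoint = FakeTokenEndpoint(code, challenge)
    cb = parse_qs(urlparse(f"{REDIRECT_URI}?code={code}&state={state}").query)
    if cb["state"][0] != state:                   # check state before touching the code
        raise RuntimeError("state mismatch: possible CSRF")
    tokens = exchange_code(cb["code"][0], verifier, endpoint)
    replay = exchange_code(code, verifier, endpoint)   # second use of the same code fails
    refreshed = refresh(tokens["refresh_token"], endpoint)
    return {"authorize_url": url, "tokens": tokens, "replay": replay, "refreshed": refreshed}
```

Against a real user pool, pass `http_post` instead of the fake endpoint; the app client must have the redirect URI registered and the authorization code grant enabled, and a confidential client additionally sends its client secret via HTTP Basic auth on the token request.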
