Cognito USER_SRP_AUTH Flow using CLI


I'm testing/learning about Cognito before I implement it in my app. I have somewhat of a handle on the USER_PASSWORD_AUTH authorization flow, which seems to be the simplest, but I don't want to use that in my app, but rather the USER_SRP_AUTH flow. Before I start coding in the JavaScript SDK, which I'm not very experienced in, I'd like to use the cli in a shell script to demonstrate to myself that I understand how to use this flow. I currently have a shell script that implements the USER_PASSWORD_AUTH flow to set the AWS_* credential env vars using the cli on Linux, and now I'd like a similar script that uses the USER_SRP_AUTH flow. But, I'm not seeing any examples or tutorials that use the cli.

My current script that uses USER_PASSWORD_AUTH is below, simplified to replace potentially sensitive values with "<my sensitive value ...>" placeholders. Can you advise on the changes that would be needed to implement USER_SRP_AUTH?

Thanks.

#!/bin/ksh93

## ----------------------------------------
## source this script to set the AWS*
## environment vars so the cli will operate
## as the specified Cognito user
## ----------------------------------------

if [[ $# -ne 1 ]] ; then
    print -u2 "Usage: . $(basename ${.sh.file}) cognito_user"
    return 1
fi

## ----------------------------------------
## args
## ----------------------------------------

cognito_user=$1

## ----------------------------------------
## initiate-auth
## ----------------------------------------

initiate_output=$(aws cognito-idp \
                      initiate-auth \
                      --auth-flow USER_PASSWORD_AUTH \
                      --auth-parameters USERNAME=$cognito_user,PASSWORD=<my secret password> \
                      --client-id <my user pool app client id> \
                      --region us-east-1)
if [[ $? -ne 0 ]] ; then
    print -u2 "Failed to initiate auth."
    return 1
fi

id_token=$(print "$initiate_output" |grep '"IdToken"' |awk '{print $2}' |tr -d '",')

## ----------------------------------------
## get-id
## ----------------------------------------

getid_output=$(aws cognito-identity \
                   get-id \
                   --identity-pool-id <my federated identity pool id> \
                   --region us-east-1 \
                   --logins cognito-idp.us-east-1.amazonaws.com/<my user pool id>=$id_token)
if [[ $? -ne 0 ]] ; then
    print -u2 "Failed to get identity."
    return 1
fi

identity_id=$(print "$getid_output" |grep IdentityId |awk '{print $2}' |tr -d '"')

## ----------------------------------------
## get-credentials and set env
## ----------------------------------------

get_credentials_output=$(aws cognito-identity \
                             get-credentials-for-identity \
                             --region=us-east-1 \
                             --identity-id=$identity_id \
                             --logins cognito-idp.us-east-1.amazonaws.com/<my user pool id>=$id_token)
if [[ $? -ne 0 ]] ; then
    print -u2 "Failed to get credentials for identity."
    return 1
fi

export AWS_ACCESS_KEY_ID=$(print "$get_credentials_output" |grep AccessKeyId |awk '{print $2}' |tr -d '",')
export AWS_SECRET_ACCESS_KEY=$(print "$get_credentials_output" |grep SecretKey |awk '{print $2}' |tr -d '",')
export AWS_SESSION_TOKEN=$(print "$get_credentials_output" |grep SessionToken |awk '{print $2}' |tr -d '",')

## ----------------------------------------
## done (assume script is sourced)
## ----------------------------------------

return
1 Answer

If I were you, I would look into AdminInitiateAuth instead of using USER_SRP_AUTH, since it offloads some of the more complex pieces of the SRP calculations to Cognito. See the answer here for more details.

AWS
answered 2 years ago
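
One way to make the AdminInitiateAuth call suggested above from the CLI, as an added example that is not part of the original question or answer. It assumes the app client has ALLOW_ADMIN_USER_PASSWORD_AUTH enabled and that the shell already holds IAM credentials permitted to call AdminInitiateAuth; the function names are hypothetical, and the password is prompted for and passed through a private temp file rather than stored in the script or placed on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): AdminInitiateAuth via the AWS CLI.
# Assumptions: the app client allows ADMIN_USER_PASSWORD_AUTH and the caller has
# IAM credentials for cognito-idp:AdminInitiateAuth. Function names are hypothetical.

# Escape backslash and double quote so a value can sit inside a JSON string.
# Control characters are not handled by this helper.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the request body for --cli-input-json.
# Args: pool_id client_id username password
build_auth_request() {
    printf '{"UserPoolId":"%s","ClientId":"%s","AuthFlow":"ADMIN_USER_PASSWORD_AUTH","AuthParameters":{"USERNAME":"%s","PASSWORD":"%s"}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" \
        "$(json_escape "$3")" "$(json_escape "$4")"
}

# Key for --logins in the later get-id / get-credentials-for-identity calls.
# Args: region pool_id
logins_key() {
    printf 'cognito-idp.%s.amazonaws.com/%s' "$1" "$2"
}

# Prompt for the password without echo, call AdminInitiateAuth, print the ID token.
# Args: region pool_id client_id username
admin_id_token() {
    printf 'Password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    req=$(mktemp) || return 1          # mktemp creates the file owner-only
    chmod 600 "$req"
    build_auth_request "$2" "$3" "$4" "$pw" > "$req"
    unset pw
    aws cognito-idp admin-initiate-auth --region "$1" \
        --cli-input-json "file://$req" \
        --query 'AuthenticationResult.IdToken' --output text
    rc=$?
    rm -f "$req"                       # remove the password file either way
    return $rc
}
```

If Cognito answers with a challenge (for example NEW_PASSWORD_REQUIRED) there is no AuthenticationResult, and the `--query` expression prints `None` instead of a token.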
