What is the REST (or CLI) API for logging in to Amazon Cognito user pools

Asked by 离开以前 on 2020-12-05 02:46 (tag: backend; unresolved; 7 answers; 1882 views)

How do I make logins happen via Amazon Cognito REST APIs (for user pools) on platforms for which there is no official SDK? - Note that i am asking

7 answers
  • 2020-12-05 03:25

    One of the developers from AWS Cognito team here.

    To add to @md-abdul-munim's answer, we recommend using one of the client side SDKs. If you are building a REST API and then a front end which talks to those APIs, it is better to just integrate Cognito from your front end.

    If you absolutely need to use Cognito from a back end, the authentication APIs will be available with our GA release. In our Cognito User Pools beta release authentication is only available through client SDKs.

  • 2020-12-05 03:28

    Sharing the curl command directly may help someone.

    curl -X POST --data @user-data.json \
    -H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
    -H 'Content-Type: application/x-amz-json-1.1' \
    https://cognito-idp.<just-replace-region>.amazonaws.com/
    

    JSON file user-data.json:

    {"AuthParameters" : {"USERNAME" : "sadfsf", "PASSWORD" : "password"}, "AuthFlow" : "USER_PASSWORD_AUTH", "ClientId" : "csdfhripnv7sq027kktf75"}
    

    Make sure your app client does not have an app secret, or create a new app client without a secret. Also, inside the app client, enable USER_PASSWORD_AUTH.

  • 2020-12-05 03:29

    Update:

    As you pointed out in the comments below, the authentication flow is documented here: http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html. This might help to clarify the authentication flow.

    It is somewhat counter-intuitive, but it does make sense for mobile apps where you don't want to have the user explicitly sign in, but instead carry tokens around for the user. Note that there is an explicit signin (login) API in the AWS Userpools SDK for iOS. I have not used it, but I suppose it is just an alternate client side API to get through the same InitiateAuth() followed by a RespondToAuthChallenge() flow. The iOS signin example is documented here - IOS SDK Example: Sign in a User

    Original Post:

    The Cognito User Pools API documentation for initiating auth is available here

    The way it works becomes clearer if you implement a user pools application in one of the SDKs (I did one in Swift for iOS; it is clarified because the logging of the JSON responses is verbose, and you can kind of see what is going on if you look through the log).

    But assuming I understand your question: In summary you should InitiateAuth() and the response to that (from the Cognito User Pools server) is a challenge. Then you do RespondToAuthChallenge() (also documented in that API doc) and the response to that is an authentication result - assuming that the password / session / token were accepted.

    The combination of those two things is, I believe, what you are calling LOGIN, and it works like a login. In the APIs, the way it is set up is that an attempt to get user information when the user is unauthenticated kicks off that InitiateAuth() and (in iOS anyway) the API does a callback to the code you write to ask for passwords, send a RespondToAuthChallenge() request, etc.

  • 2020-12-05 03:34

    From what you have discussed, I consider you are trying to do that from a web frontend, because Cognito is providing you the necessary backend support and it expects you to communicate (e.g. authenticate, sign up, etc.) from a presentation layer. That's why you found SDKs for different mobile platforms. They also have an SDK for web apps; the access is available via their JavaScript SDK.

    Here's a detailed tutorial to achieve what you have asked from a web frontend using their JS SDK- Accessing Your User Pools using the Amazon Cognito Identity SDK for JavaScript

  • 2020-12-05 03:40

    Just to add to @andrewjj's answer: you might get back a challenge (NEW_PASSWORD_REQUIRED) as the InitiateAuth response. That is when you are being asked to change your password on initial sign-in.

    You can use Postman or curl command. This example expects Postman being used.

    1. InitiateAuth - This step is the same as @andrewjj's.

    Add this to Body as raw values

    {
        "AuthParameters": {
            "USERNAME": "youremail@example.com",
            "PASSWORD": "temporary-password"
        },
        "AuthFlow": "USER_PASSWORD_AUTH",
        "ClientId": "2s........................"
    }
    

    Set headers

    X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
    Content-Type: application/x-amz-json-1.1
    

    Send a request to https://cognito-idp.us-east-1.amazonaws.com/ You might have to change region.

    If you receive this response then you are OK; otherwise continue with step 2.

    {
        "AuthenticationResult": {
            "AccessToken": "eyJra........",
            "ExpiresIn": 3600,
            "IdToken": "eyJra........",
            "RefreshToken": "eyJjd........",
            "TokenType": "Bearer"
        },
        "ChallengeParameters": {}
    }
    
    2. RespondToAuthChallenge - this is the new step

    In case you receive a Challenge back like this one:

    {
        "ChallengeName": "NEW_PASSWORD_REQUIRED",
        "ChallengeParameters": {
            "USER_ID_FOR_SRP": "1231-......",
            "requiredAttributes": "[]",
            "userAttributes": "{\"email_verified\":\"true\",\"email\":\"youremail@example.com\"}"
        },
        "Session": "Sfas......"
    }
    

    You need to set new password. Add this to Body as raw values

    {
        "ChallengeName": "NEW_PASSWORD_REQUIRED",
        "ChallengeResponses": {
            "USERNAME": "youremail@example.com",
            "NEW_PASSWORD": "newpassword"
        },
        "ClientId": "2s........................",
        "Session": "Sfas......(use one from the InitiateAuth response)"
    }
    

    Set headers

    X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge
    Content-Type: application/x-amz-json-1.1
    

    Send a request to https://cognito-idp.us-east-1.amazonaws.com/ You might have to change region.

    Do step 1 again to receive tokens.

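The curl answer and the Postman walkthrough above are the same two HTTP calls; the script below is an added example (not code from any of the posters) that issues InitiateAuth with USER_PASSWORD_AUTH and, if Cognito answers with NEW_PASSWORD_REQUIRED, completes the RespondToAuthChallenge round trip with the returned Session. The region, client id, usernames and the injectable send() callable are assumptions; the SECRET_HASH helper covers the case the curl answer tells you to avoid, an app client that does have a secret.

```python
import base64
import hashlib
import hmac
import json
import urllib.request

ENDPOINT = "https://cognito-idp.{region}.amazonaws.com/"  # region is an assumption


def secret_hash(username, client_id, client_secret):
    """SECRET_HASH, required only when the app client has a secret:
    Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def build_request(region, action, body):
    """(url, headers, payload) for one Cognito IdP action: the action is
    selected by the X-Amz-Target header, not by the URL path."""
    headers = {"X-Amz-Target": f"AWSCognitoIdentityProviderService.{action}",
               "Content-Type": "application/x-amz-json-1.1"}
    return ENDPOINT.format(region=region), headers, json.dumps(body).encode()


def http_send(url, headers, payload):
    """Real transport; the offline test substitutes a fake send()."""
    req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def login(region, client_id, username, password, new_password=None,
          client_secret=None, send=http_send):
    """USER_PASSWORD_AUTH login that also answers NEW_PASSWORD_REQUIRED when
    new_password is given. Returns the AuthenticationResult (the tokens)."""
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    resp = send(*build_request(region, "InitiateAuth", {
        "AuthFlow": "USER_PASSWORD_AUTH", "ClientId": client_id,
        "AuthParameters": params}))
    if resp.get("ChallengeName") == "NEW_PASSWORD_REQUIRED":
        if not new_password:
            raise RuntimeError("NEW_PASSWORD_REQUIRED but no new_password given")
        answers = {"USERNAME": username, "NEW_PASSWORD": new_password}
        if client_secret:
            answers["SECRET_HASH"] = params["SECRET_HASH"]
        resp = send(*build_request(region, "RespondToAuthChallenge", {
            "ChallengeName": "NEW_PASSWORD_REQUIRED", "ClientId": client_id,
            "Session": resp["Session"], "ChallengeResponses": answers}))
    if "AuthenticationResult" not in resp:  # e.g. a further challenge such as MFA
        raise RuntimeError(f"unexpected response: {resp}")
    return resp["AuthenticationResult"]
```

Treat the returned RefreshToken like a credential: it is what lets a client mint new AccessToken/IdToken pairs without the password until it expires or is revoked.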
  • 2020-12-05 03:41

    I have a similar problem and was wondering how to integrate Cognito within an Elixir backend and found this library: https://github.com/aws-beam/aws-elixir

    From what I can understand by reading its source code, they ultimately make a POST request that contains the header "X-Amz-Target": "AWSCognitoIdentityProviderService.#{name_of_api_action}" (this is here: https://github.com/aws-beam/aws-elixir/blob/master/lib/aws/cognito_identity_provider.ex#L564). That's without the authorization headers, which are added elsewhere, but I found it interesting. The functions that construct the request URL follow, so you should be able to get an idea of the endpoint that gets called.

    I must say I tried following this article written in Japanese - https://qiita.com/yujikawa/items/e79929ed14277102f4b8, and couldn't manage to make it work, maybe because I was not sure what the proper AWS_ENDPOINT environment variable should be. I am currently thinking of trying out the Ruby SDK, from the looks of the documentation it seems fine. But, nonetheless, this information may still help someone.
