This project illustrates how to use Cognito as an identity broker for multiple client applications. Using an identity broker simplifies client applications by removing the need to implement the entire authentication process.
In addition to simplifying and unifying the authentication process, this approach has the following benefits:
- Token validity length can vary by each client (hours, days, etc)
- Limit User attribute read/write permissions per client
- Pinpoint analytics per client
- Enabling advanced security per client
- Cognito Identity Broker Web Applications -- Broker and example client application utilizing this API
- Cognito SSO Client -- A client library to facilitate the authorization code flow process for client applications.
- AWS Account
- Node v20.x
- Postman
- Create AWS credentials that have the ability to deploy all resources in this stack. Typically you want a least privilege approach, but to simplify this example, create credentials with admin access so all resources can be created.
- Create an AWS credentials profile in your local
~/.aws/credentialsfile. Alternatively, use an existing profile with the--profilecommand line option during deploy[deploy.dev] aws_access_key_id=xxxxxxxxxxxxxxxx aws_secret_access_key=yyyyyyyyyyyy
- Run the following commands
npm install
npx sls deploy --region us-east-1- Note: The cognito details will be output to the console when the deployment completes. Those details will also be stored in the file
.cognito-details.jsonfor your reference.
- Create a user in your new User Pool
npx sls invoke local --function createUser --data '{"name":"Bob Belcher", "email": "bob@burger.com", "password": "MyPassword1"}'
- Setup Postman collection & environment
- Import
postman/Cognito Identity.postman_collection.json - Import
postman/Cognito Identity.postman_environment.json - Set your Postman environment variables (info available in
.cognito-details.jsonafter deploy)apiUrl- The base URL of your deployed APIbrokerClientId- The Broker client IDclientId1- Client 1 IdclientId2- Client 2 Id
- Turn off automatic redirects in postman. This will allow JSON responses on a GET method that returns a 302 redirect)
Settings --> General --> Headers --> Automatically follow redirects
The Authorization Code Flow process is broken into 3 main proceses:
- User logs in directly with the broker
- User's broker credentials are used to generate a code grant
- User exchanges the code for client-level tokens from the client app
The postman collection has been setup to populate required variables (code, refreshToken) during the auth flow to eliminate the need to copy/paste values.
Note: As an alternative to using postman, you can use the Cognito Identity Broker Web Applications to test the entire authentication flow directly from the browser.
- Send the
Loginrequest. This will:- Return the broker credentials (
id, access, refreshtokens) - Set the tokens in cookies on the broker's Api domain.
- Return the broker credentials (
- Send the
Start Client Auth Flowrequest. This will:- Pass the user's broker credential cookies in the request.
- Return a
codefor exchange.
- Send the
Exchange Code for Tokensrequest. This will:- Return the client credentials (
id, access, refreshtokens)
- Return the client credentials (
- Success! The user has been successfully authenticated with the client.
- To refresh the client's credentials, send the
Refresh Client Tokensrequest. This will:- Return refreshed
idandaccesstokens.
- Return refreshed
The postman collection has been setup with a paired challenge/verifer to simplify the example. If you would like to generate a new pair, use the following command:
npx sls invoke local --function generateChallenge - Use Client 2. - This client is configured w/tokens that are only valid for 1 hour. Client 1 tokens are valid for 2 hours.
- Use an invalid
redirectUriwhen starting the auth flow -- this will result in an error - Use an invalid
codeChallengeorcodeVerifierwhile initiating or exchanging a code for tokens. -- this will result in an error
{
"clientId": "{{brokerClientId}}",
"username": "bob@burger.com",
"password": "MyPassword1"
}{
"requestId": "979b8012-a755-45ad-9cfe-43a51b0e3473",
"requestStartTime": "2024-03-27T19:35:36.766Z",
"requestEndTime": "2024-03-27T19:35:37.193Z",
"success": true,
"data": {
"success": true,
"result": "logged_in",
"authentication": {
"accessToken": "eyJraWQiOiIy...",
"idToken": "eyJraWQiOiJ4Zz...",
"refreshToken": "eyJjdHk...",
"expiresIn": 3600,
"tokenType": "Bearer"
}
}
}This allows a user to login via the Broker's clientId. This is the only client that allows user login. Attempting to use consumer client's id will result in a login failure.
?clientId={{clientId1}}&redirectUri={{redirectUriClient1}}&codeChallenge=xhrMObY-MOMInTN9GTR1HdzdQskQMJeU8CwxaTL0nA8`
clientId- A consumer Client IdredirectUri- A redirectUri that is registered to the client in Cognito. (configured in:serverless-cognito.yml)codeChallenge- (optional) If provided, thecodeVerifiermust be used during the exchange of code for tokens.
{
"requestId": "445fffcb-ec7a-4712-a129-b9e4980d46f1",
"requestStartTime": "2024-03-27T19:35:53.257Z",
"requestEndTime": "2024-03-27T19:35:54.568Z",
"success": true,
"data": {
"success": true,
"result": "code_flow_initiated",
"code": "9039c5dc-c925-4407-9aea-5e857c9c4fd0",
"redirectUri": "http://localhost:3001?code=9039c5dc-c925-4407-9aea-5e857c9c4fd0"
}
}This endpoint uses the GET method for browser redirect support (via a 302 HTTP status code and a location header with the redirectUri populated with the code grant). Additionally it will return a JSON response for non-web clients.
Note: To get the JSON response in Postman, you have to turn off redirect following: Settings --> General --> Headers --> Automatically follow redirects
{
"grantType": "authorization_code",
"clientId": "{{clientId1}}",
"redirectUri": "{{redirectUriClient1}}",
"code": "{{code}}",
"codeVerifier":"utki3vQExiDuyXciGO1ww2mjJL3s0jWU5CNfUIa8rYiOACqVApLb1XPkLsIsrht5ekGYkAMCvEV6zWVKAenwfPgnFrTdRytsMaErKoZ8SU4Cs1gd1aASe2Z3oYAchARJ"
}clientId- A consumer Client IdredirectUri- The same redirectUri used when starting the auth flow processcode- The code returned from starting the auth flow processcodeVerifier- (optional) IfcodeChallengewas sent during the start of the auth flow process, this is required.
{
"requestId": "979b8012-a755-45ad-9cfe-43a51b0e3473",
"requestStartTime": "2024-03-27T19:35:36.766Z",
"requestEndTime": "2024-03-27T19:35:37.193Z",
"success": true,
"data": {
"success": true,
"result": "logged_in",
"authentication": {
"accessToken": "eyJraWQiOiIy...",
"idToken": "eyJraWQiOiJ4Zz...",
"refreshToken": "eyJjdHk...",
"expiresIn": 3600,
"tokenType": "Bearer"
}
}
}{
"grantType": "refresh_token",
"clientId": "{{clientId1}}",
"refreshToken": "{{refreshToken}}"
}clientId- A consumer Client IdrefreshToken- A valid/non-expired consumer client refresh token
{
"requestId": "47a775d7-d8ca-48eb-9563-c662b5900407",
"requestStartTime": "2024-03-27T19:36:47.044Z",
"requestEndTime": "2024-03-27T19:36:47.261Z",
"success": true,
"data": {
"success": true,
"result": "refreshed",
"authentication": {
"accessToken": "eyJraWQiOiIyc1V...",
"idToken": "eyJraWQiOiJ4ZzlHMVdlW...",
"expiresIn": 7200,
"tokenType": "Bearer"
}
}
}This allows the consumer client application to request new id and access tokens from the broker. A new refresh token will not be returned. The only way to get a new refresh token is to use the authorization_code grant type.
This project has a suite of unit tests that can be run with:
npm run test- This example uses a
username/passwordapproach for login. This is to keep this example focused on the broker concept. The preferred approach would be using SRP (Secure Remote Password). - To remove the entire stack, run the following command:
npx sls remove