Proof of Concept: Client Grant Flow + JWT Verification + AWS Cognito

Create an AWS Cognito User Pool

1. Go to AWS Cognito User Pools.

2. Specifics:

   • For machine-to-machine, disable MFA enforcement.
   • Enable the Cognito Hosted UI to obtain a Cognito Domain (necessary for communicating with /auth2/token).
   • Create a resource server with the scope read and Resource Server Identifier forms.

3. Save the User Pool ID, Cognito Domain and the region in your .env file.

Running the Server and Saving Client Secrets (Asymmetric Keys and Metadata)

1. Set your AWS keys.
2. Install dependencies:

   npm install

3. Start the server:

   node_modules/.bin/nodemon .

4. In your browser, call: http://localhost:3000/api/createAppClient. This will create the asymmetric keys for signing the JWT and the client ID/secret metadata, which the client will need to store securely.

Client Simulator in Node

Run the client test:

node client_test.js

References

• Create and Verify JWTs with Node
• Node AWS Cognito API Example
• YouTube Tutorial on AWS Cognito
• RFC 7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
• Protect Public Clients for Amazon Cognito Using an Amazon CloudFront Proxy
• AWS Cognito Token Endpoint Documentation