Skip to content

Configuring User Access with AWS Cognito

User Pool

Log into Amazon Cognito and create a user pool.

Cognito List

Create a Userpool for a Single-page application (SPA), provide a name and define the options for the login attribute and sign-up.

Cognito UP Create

Afterwards note down the User pool ID.

Cognito UP Details

Identity Pool

Next, open the Identity Pool Listing and create an identity pool.

identity pool list

Pool Trust

Select Authenticated access and Amazon Cognito user pool.

identity pool create 1

Permissions

Create a new (or an existing IAM role).

identity pool create 2

Connect Provider

Select the pool and app client ID.

identity pool create 3

Properties

Pick a name for the identity pool.

identity pool create 4

Connect Cognito to API

Gather Details

Go to the Identity Pool overview, note down the User pool ID, and click on App client in the menue.

IP details menue

The app client list shows the Client ID.

App Client List

Next, head over to the Identity pools list and note down the Identity pool ID.

IP listing

Config API

Now you got all the information to fill out the details. Click the amazon logo on the top right of you API website.

API unconfigured

Fill out the form and confirm.

SignUp

Afterwards you are forwarded to log in (or sig up).

Sign In Create Account
Create Account Create Account

Create an account. You will receive a confirmation code as a final step.

logged in

Afterwards you are logged in as a user.

Disable Self Sign Up

As you just wittnest you were able to sign up yourself. To prevent strangers from signing up head over to the User Pool again, and disable Self-service sign-up under the Sign-up menue.

disable sign-up

Click Edit and disable Self-registration.

Self registration

Create Bearer Token

Since Cognito is now enabled, you need a token to access the API endpoint.

Go back to the User pool Details and click on App Clients.

AC details

Click Edit and enable the first four auth methods.

AC auth

Now use the aws-cli to create a token.

aws cognito-idp admin-initiate-auth \
    --user-pool-id <poolID> \
    --client-id <clientID> \
    --auth-flow ADMIN_USER_PASSWORD_AUTH \
    --auth-parameters "USERNAME=christian.xxxx@memverge.com,PASSWORD=XYZ"

The output looks like this.

$ aws cognito-idp admin-initiate-auth     --user-pool-id ap-south-xxx     --client-id yyy     --auth-flow ADMIN_USER_PASSWORD_AUTH     --auth-parameters "USERNAME=christian.xxxx@memverge.com,PASSWORD=XYZ"
{
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "AccessToken": "TOKEN1",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "RefreshToken": "TOKEN2",
        "IdToken": "TOKEN3"
    }
}

Now, you are able to access the API server via curl again.

curl -sX GET http://127.0.0.1:8080/api/v1/config -H "Content-Type: application/json" \
  -H "Authorization: bearer TOKEN1"|jq .