Tags: amazon-web-services, amazon-cognito, federated-identity, aws-java-sdk

AWS Cognito - Credentials Issue


I am trying to use AWS Cognito to authenticate (using Google) and authorise users, with the intention of assigning IAM roles for the authorised users.

I have followed the steps below so far:

  1. Use the authorization endpoint to start the Google OAuth process: http://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

    I am using the "Grant flow"; I receive a code such as code=b3e8bca6-5a01-45db-b4c6-cd6900d0xxxx

  2. Make a POST request to oauth2/token: http://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

    I receive the following information:

    "id_token": "eyJraWQiOiJJR2NVdHJcL3pOa3pQK1lre...........",
    "access_token": "eyJraWQiOiJCbWx0cjJvMnJlVGhHW..........",
    "refresh_token": "eyJjdHkiOiJKV1QiLCJlbmMiOi............",
    "expires_in": 3600,
    "token_type": "Bearer"
    
  3. Try to fetch the AWS credentials using CognitoIdentityCredentials

    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: environment.identityPoolId, // Federated ID eu-west-2:af47703f-350c-4018-ae6a-xxxxxx
        RoleArn: environment.roleArn, // IAM role
        // Logins maps a provider name to the token that provider issued
        Logins: { 'accounts.google.com': data.id_token },
    });

    // Exchange the login token for temporary AWS credentials
    AWS.config.getCredentials((error) => {
        if (error) console.log("Error: ", error);
        this.creds = AWS.config.credentials;
    });
    

I get a bad request 500 error

{"__type":"NotAuthorizedException","message":"Invalid login token. Issuer doesn't match providerName"}

A couple of questions:

  1. Is the sequence of steps followed correct?
  2. How do I get a CognitoUserId? The id_token is a very long string, but I'm not sure what information I can extract from it.
  3. Finally, how do I get an accessKey to make AWS calls?

Any help or direction will be much appreciated.

Thanks


Solution

  • Is the sequence of steps followed correct?

    I believe so.

    The id_token is a very long string, but I'm not sure what information I can extract from it.

    Both the id_token and access_token are JWTs. You can base64 decode the strings in between the dots to extract the token's contents. Typically we're concerned with the middle section, or payload.

    You can paste these tokens into a decoder like this one, and view the contents in your browser. In JavaScript, atob() works as you'd expect.

    I'm not sure what user id you're after, but if the username suffices, the id_token contains a cognito:username key.

    Finally, how do I get an accessKey to make AWS calls?

    Change the provider in your Logins map.

    If you were talking directly to Google, as opposed to talking to Google through Cognito (via /oauth2/authorize), you would use accounts.google.com in the Logins map as your example shows.

    However, the tokens you're getting back are from Cognito, not from Google. Both tokens contain an iss (issuer) key, which is (most likely) your User Pool Id. This is the value you should use in the Logins map. Assuming the issuer is your User Pool:

    Logins: {
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx': token
    }
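The answer's two points, decoding the JWT payload and keying the Logins map on the token's own issuer, put together as an added example (not code from the original post; the pool id, sub and signature in the sample token are placeholders I constructed):

```javascript
// Portable base64 helpers: browsers have atob/btoa, older Node only Buffer.
const decodeB64 = typeof atob === 'function' ? atob : (s) => Buffer.from(s, 'base64').toString('binary');
const encodeB64 = typeof btoa === 'function' ? btoa : (s) => Buffer.from(s, 'binary').toString('base64');

// JWT segments are base64url (RFC 7515): '-' for '+', '_' for '/', no padding.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  return new TextDecoder().decode(Uint8Array.from(decodeB64(b64), (c) => c.charCodeAt(0)));
}

function base64UrlEncode(text) {
  const binary = String.fromCharCode(...new TextEncoder().encode(text));
  return encodeB64(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Parse the payload without checking the signature: we only use it to pick the
// provider name, and the identity pool verifies the signature server-side.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected a three-part compact JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Build the Logins map from the token's own iss claim. Identity pools expect the
// provider name without the scheme, and reject a key (such as
// 'accounts.google.com') that does not match the issuer of the token.
function loginsFromIdToken(idToken, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(idToken);
  if (typeof claims.iss !== 'string') throw new Error('id_token has no iss claim');
  if (typeof claims.exp === 'number' && claims.exp <= nowSeconds) {
    throw new Error('id_token is expired; refresh it before requesting credentials');
  }
  return { [claims.iss.replace(/^https?:\/\//, '')]: idToken };
}

// Constructed sample token: placeholder pool id and dummy signature, claim names as
// a Cognito User Pool emits them. Plug the result into CognitoIdentityCredentials.
const SAMPLE_ID_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', kid: 'placeholder-kid' })),
  base64UrlEncode(JSON.stringify({
    iss: 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE',
    sub: '00000000-0000-4000-8000-000000000000',
    'cognito:username': 'Google_1234567890', token_use: 'id', exp: 4102444800,
  })),
  'placeholder-signature',
].join('.');
```

`loginsFromIdToken(data.id_token)` gives the `Logins` value for the question's `AWS.CognitoIdentityCredentials` call, and `decodeJwtPayload(data.id_token)['cognito:username']` is the username the answer mentions.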