Cognito OAuth2 access code handling with a desktop app
I have a command-line app that I want to authenticate against AWS Cognito using OAuth2 with access code flow and hosted login UI. For the similar case, Google Cloud docs explicitly recommend using http://localhost:N redirect URI, so that the application can handle the access code after authentication:
This authorization flow is similar to the one used for web server applications. The main difference is that installed apps must open the system browser and supply a local redirect URI to handle responses from Google's authorization server.
However, with Cognito localhost URIs are only allowed/recommended for testing purposes:
One alternative solution would be using an "out-of-browser" URI urn:ietf:wg:oauth:2.0:oob to display the access code in the browser and make the user copy-paste it to the app, but Cognito doesn't seem to support it.
Currently I am leaning towards running a custom OAuth2 callback handler that would only tell the user to copy-paste the access code, but I don't find it really friendly from the Cognito side.
So, the question:
- What's the recommended way to authenticate desktop / command-line apps with Cognito with minimal user interference?
- What can go wrong if I ignore the Cognito's recommendation about the localhost redirect URI?
LOOPBACK URI
In a desktop app you can use localhost HTTP URLs to receive the authorization response, and that is one valid technique.
The Cognito warning is about using localhost URLs for web app responses, which of course is only suitable for a developer PC. You can ignore the warning when using loopback desktop apps.
OUT OF BROWSER URI
This was used a few years ago to read an authorization response from a web view and is no longer recommended in OAuth for Native Apps.
PRIVATE URI SCHEME
The second valid rechnique is the option I prefer, since it feels more integrated. It involves receiving the authorization response via a URL of the following form, and registering the scheme with the OS to point to your app:
- com.mycompany.mydesktopapp:/callback
RESOURCES OF MINE
If it helps, I have a couple of desktop samples / blog posts that use Cognito. You can run the samples on your PC, to see which you prefer:
- What is the purpose of authorization code in OAuth
- JWT validation failure error in azure apim
- How to authenticate resource owner with JWT when sending request to /oauth2/authorize?
- Some scopres missing from Google Gmail API oAuth Consent Flow
- passport-oauth2 client how to use profile data received
- Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens
- How access Azure APIs
- Chrome identity launchWebAuthFlow only opens empty callback page
- Limiting the scopes of an OAuth 2.0 flow
- Is Endpoint Security Authentication in WSO2 APIM Done per API or per request?
- Why do i need to specify redirect_uri if i am authenticating from server side?
- Error 400: invalid_scope with Postman and Google OAuth2
- Issues Adding SMTP.Send Permission to Azure Application for Office 365 SMTP
- PHP - How to get OAuth 2.0 Token
- UPS Outh Rating API return Invalid Authentication Information
- How to store sensitive data in React Native or expo code ? ( with Keychain and Keystore )
- How to get Optum sandbox to authenticate with OAuth 2.0 using Java and okhttp
- Spring Boot redirection back to login page
- New Google place api using google OAuth, ask failed to refresh token
- Authentication Problems using Google's ARCore API
- Getting OAuth code challenge on loopback server
- How do I solve audience (aud) invalid claim error for downstream api service?
- oauth 2 parameters can only have a single value: scope
- #oauth2 security expressions on method level
- Calling spring authorization server OAuth2 REST endpoints
- Google AdWords API authorization raising AdsCommon::Errors::AuthError
- Google OAuth 2 Error 400: redirect_uri_mismatch but redirect uri is compliant and already registered in Google Cloud Console
- Azure AD:Authenticate Devices
- Passport - Node.js not returning Refresh Token
- AWS Cognito: Missing Scopes in Access Token with Custom UI and Device Remember Functionality for MFA