Tags: jwt, salesforce, amazon-cognito, openid-connect

Can I use a JWT from cognito (IdP is Salesforce with oidc) to query Salesforce API?


So, after a lot of Googling and tests on my side, I cannot figure out if this is even possible (kind of a newbie here with oidc + cognito + salesforce).

I have a need to authenticate my users via SSO with Salesforce as an identity provider. Then, I need to query for that specific user's information via Salesforce API. I want to avoid an extra oauth flow if possible since theoretically I have my users logged in already.

The scenario is:

  1. I have configured Cognito with Salesforce as my identity provider via Open ID Connect.
  2. I managed to perform the auth flow correctly and I end up with a code that I can exchange for an id_token, access_token and a refresh_token from Cognito's /oauth2/token endpoint.
  3. Now the question is IF I can use the JWT tokens I got from cognito to query Salesforce API.

I can elaborate and provide sample configuration if needed. Thanks a lot for any help on this :)


Solution

  • In OAuth, the data owner hosts an Authorization Server / token issuer alongside its APIs:

    • So Salesforce access tokens must be used to get Salesforce data
    • Similarly a client must use access tokens from your Cognito instance to get data from your own APIs

EMBEDDED TOKEN PATTERN

This is the design pattern you need, and it is explained in this Curity article. When Cognito federates to Salesforce, it will complete a code flow for the user and get Salesforce tokens.

It should then be possible to include the Salesforce access token as a claim in the Cognito access token. Your APIs can extract it later on, then forward it to Salesforce on behalf of the user.

COGNITO CAPABILITIES?

Unfortunately not all Authorization Servers have this level of extensibility, so I doubt that Cognito supports this, but it is worth investigating. It is not an uncommon requirement though, and Cognito does allow you to get Identity Pool tokens to represent user specific AWS resources in a similar way.
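The embedded token pattern from the answer, as an added stand-alone example (not code from the answer, Curity or AWS): the API side verifies the Cognito access token before it trusts the embedded Salesforce claim, then builds the outbound header for the Salesforce call. The issuer URL, the claim name `custom:sf_access_token`, the shared secret and the HS256 signing are constructed stand-ins so it runs offline; a real Cognito token is RS256-signed and is verified against the user pool's JWKS.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed placeholders: a real deployment uses the pool's issuer URL and
# JWKS-based RS256 verification instead of a shared HMAC secret.
ISSUER = "https://cognito-idp.example.invalid/POOL_ID_PLACEHOLDER"
SHARED_SECRET = b"constructed-test-secret"
EMBEDDED_CLAIM = "custom:sf_access_token"   # hypothetical claim name

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_cognito_token(sf_access_token: str, now: int) -> str:
    """Issuer side (constructed): a Cognito-style access token that carries the
    user's Salesforce access token as one extra claim."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "token_use": "access", "sub": "user-123",
              "iat": now, "exp": now + 3600, EMBEDDED_CLAIM: sf_access_token}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def extract_salesforce_token(token: str, now: int) -> Optional[str]:
    """API side: validate signature, algorithm, issuer, token_use and expiry
    first; only a token that passes every check yields the embedded claim."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":          # refuse alg=none / confusion
            return None
        expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:                            # bad base64 / JSON / shape
        return None
    if claims.get("iss") != ISSUER or claims.get("token_use") != "access":
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    sf = claims.get(EMBEDDED_CLAIM)
    return sf if isinstance(sf, str) and sf else None

def salesforce_auth_header(sf_token: str) -> dict:
    """Header the API attaches when it calls Salesforce on the user's behalf."""
    return {"Authorization": f"Bearer {sf_token}"}
```

The Salesforce token never reaches the browser in this layout; the client only ever holds the Cognito token, and the API is the only component that unwraps and forwards the embedded claim.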