-
Notifications
You must be signed in to change notification settings - Fork 2
Getting Cognito JWT Tokens in Command Line
The following approaches can be used to get JWT tokens in command line, for a user created in a Cognito User Pool.
- When creating an App Client under the Cognito User Pool, make sure to select the option:
"Don’t generate a client secret"(this cannot be changed after creating the App Client). - Make sure that the
ALLOW_USER_PASSWORD_AUTHoption is enabled for this App Client.
- Create a JSON file called
auth.jsonas follows with,- The username and password of the user
- The ClientId of the related App Client configured in Cognito
Replace <COGNITO_CLIENT_ID>, <USER_NAME> and the <USER_PASSWORD> with the correct values.
auth.json
{
"AuthParameters" : {
"USERNAME" : "<USER_NAME>",
"PASSWORD" : "<USER_PASSWORD>"
},
"AuthFlow" : "USER_PASSWORD_AUTH",
"ClientId" : "<COGNITO_CLIENT_ID>"
}- Execute the curl command as follows (make sure to use the correct AWS Region instead of the
<AWS_REGION>below).
curl -X POST --data @auth.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.<AWS_REGION>.amazonaws.com/-
Make sure that the AWS CLI is installed and configured in your local environment.
-
Execute the following command (Replace
<COGNITO_CLIENT_ID>,<USER_NAME>,<USER_PASSWORD>and<AWS_REGION>with correct values).
aws cognito-idp initiate-auth --region <AWS_REGION> --auth-flow USER_PASSWORD_AUTH --client-id <COGNITO_CLIENT_ID> --auth-parameters USERNAME=<USER_NAME>,PASSWORD=<USER_PASSWORD>- Create a JSON file called
auth.jsonas follows with,- The username and password of the user
- The ClientId of the related App Client configured
Replace <COGNITO_CLIENT_ID>, <USER_NAME> and the <USER_PASSWORD> with the correct values.
auth.json
{
"AuthParameters" : {
"USERNAME" : "<USER_NAME>",
"PASSWORD" : "<USER_PASSWORD>"
},
"AuthFlow" : "USER_PASSWORD_AUTH",
"ClientId" : "<COGNITO_CLIENT_ID>"
}-
If using a Jupyter Notebook, upload the above
auth.jsonto Jupyter Notebook. -
Execute the following python code to get the token (make sure to use the correct AWS Region instead of the
<AWS_REGION>below).
import requests
import json
url = 'https://cognito-idp.<AWS_REGION>.amazonaws.com'
# Read auth.json file
auth_file = open("auth.json")
payload = json.load(auth_file)
# Set headers
headers = {
'X-Amz-Target': 'AWSCognitoIdentityProviderService.InitiateAuth',
'Content-Type': 'application/x-amz-json-1.1'
}
# POST request
res = requests.post(url, json=payload, headers=headers)
# Print all tokens
print(res.json())
# Print access token
access_token = res.json()['AuthenticationResult']['AccessToken']
print(access_token)- Create a JSON file called
auth_params.jsonas follows with the username and password of the user.
Replace <USER_NAME> and the <USER_PASSWORD> with the correct values.
auth_params.json
{
"USERNAME" : "<USER_NAME>",
"PASSWORD" : "<USER_PASSWORD>"
}-
If using a Jupyter Notebook, upload the above
auth_params.jsonto Jupyter Notebook. -
Execute the following python code to get the token (Replace
<AWS_REGION>and the<COGNITO_CLIENT_ID>with the correct values).
import boto3
import json
client = boto3.client('cognito-idp', region_name='<AWS_REGION>')
# Read auth_params.json file
auth_file = open("auth_params.json")
auth_params = json.load(auth_file)
# Get tokens from Cognito
response = client.initiate_auth(
AuthFlow='USER_PASSWORD_AUTH',
AuthParameters=auth_params,
ClientId='<COGNITO_CLIENT_ID>'
)
# Print all tokens
print(response)
# Print access token
access_token = response['AuthenticationResult']['AccessToken']
print(access_token)The both of above approaches will return a response similar the following response with a access_token, id_token and a refresh_token for the given user.
"AuthenticationResult": {
"AccessToken": "eyJsdhjdsjjkkjkjhjk.........",
"ExpiresIn": 3600,
"TokenType": "Bearer",
"RefreshToken": "eyJjwdwd............",
"IdToken": "eyGhjwm....."
}TEST CUSTOM FOOTER
TEST