-
Notifications
You must be signed in to change notification settings - Fork 2
Getting Cognito JWT Tokens in Command Line
The following approaches can be used to get JWT tokens in command line, for a user created in a Cognito User Pool.
Approach 1: Using Curl Command
Approach 3: Using Python Requests (in Jupyter Notebooks etc.)
Approach 4: Using AWS SDK for Python - Boto3 (in Jupyter Notebooks etc.)
- When creating an App Client under the Cognito User Pool, make sure to select the option:
"Don’t generate a client secret"
(this cannot be changed after creating the App Client). - Make sure that the
ALLOW_USER_PASSWORD_AUTH
option is enabled for this App Client.
-
Create a JSON file called
auth.json
as follows with,- The username and password of the user
- The ClientId of the related App Client configured in Cognito
Replace
<COGNITO_CLIENT_ID>
,<USER_NAME>
and the<USER_PASSWORD>
with the correct values. The relevant COGNITO_CLIENT_ID can be obtained from the Unity CS team.
auth.json
{
"AuthParameters" : {
"USERNAME" : "<USER_NAME>",
"PASSWORD" : "<USER_PASSWORD>"
},
"AuthFlow" : "USER_PASSWORD_AUTH",
"ClientId" : "<COGNITO_CLIENT_ID>"
}
- Execute the curl command as follows (make sure to use the correct AWS Region instead of the
<AWS_REGION>
below).
curl -X POST --data @auth.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.<AWS_REGION>.amazonaws.com/
-
Make sure that the AWS CLI is installed and configured in your local environment.
-
Execute the following command (Replace
<COGNITO_CLIENT_ID>
,<USER_NAME>
,<USER_PASSWORD>
and<AWS_REGION>
with correct values. The relevant COGNITO_CLIENT_ID can be obtained from the Unity CS team).
aws cognito-idp initiate-auth --region <AWS_REGION> --auth-flow USER_PASSWORD_AUTH --client-id <COGNITO_CLIENT_ID> --auth-parameters USERNAME=<USER_NAME>,PASSWORD=<USER_PASSWORD>
-
Create a JSON file called
auth.json
as follows with,- The username and password of the user
- The ClientId of the related App Client configured
Replace
<COGNITO_CLIENT_ID>
,<USER_NAME>
and the<USER_PASSWORD>
with the correct values. The relevant COGNITO_CLIENT_ID can be obtained from the Unity CS team.
auth.json
{
"AuthParameters" : {
"USERNAME" : "<USER_NAME>",
"PASSWORD" : "<USER_PASSWORD>"
},
"AuthFlow" : "USER_PASSWORD_AUTH",
"ClientId" : "<COGNITO_CLIENT_ID>"
}
-
If using a Jupyter Notebook, upload the above
auth.json
to Jupyter Notebook. -
Execute the following python code to get the token (make sure to use the correct AWS Region instead of the
<AWS_REGION>
below).
import requests
import json
url = 'https://cognito-idp.<AWS_REGION>.amazonaws.com'
# Read auth.json file
auth_file = open("auth.json")
payload = json.load(auth_file)
# Set headers
headers = {
'X-Amz-Target': 'AWSCognitoIdentityProviderService.InitiateAuth',
'Content-Type': 'application/x-amz-json-1.1'
}
# POST request
res = requests.post(url, json=payload, headers=headers)
# Print all tokens
print(res.json())
# Print access token
access_token = res.json()['AuthenticationResult']['AccessToken']
print(access_token)
- Create a JSON file called
auth_params.json
as follows with the username and password of the user. (Replace<USER_NAME>
and the<USER_PASSWORD>
with the correct values).
auth_params.json
{
"USERNAME" : "<USER_NAME>",
"PASSWORD" : "<USER_PASSWORD>"
}
-
If using a Jupyter Notebook, upload the above
auth_params.json
to Jupyter Notebook. -
Execute the following python code to get the token (Replace
<AWS_REGION>
and the<COGNITO_CLIENT_ID>
with the correct values).
import boto3
import json
client = boto3.client('cognito-idp', region_name='<AWS_REGION>')
# Read auth_params.json file
auth_file = open("auth_params.json")
auth_params = json.load(auth_file)
# Get tokens from Cognito
response = client.initiate_auth(
AuthFlow='USER_PASSWORD_AUTH',
AuthParameters=auth_params,
ClientId='<COGNITO_CLIENT_ID>'
)
# Print all tokens
print(response)
# Print access token
access_token = response['AuthenticationResult']['AccessToken']
print(access_token)
The both of above approaches will return a response similar the following response with a access_token
, id_token
and a refresh_token
for the given user.
"AuthenticationResult": {
"AccessToken": "eyJsdhjdsjjkkjkjhjk.........",
"ExpiresIn": 3600,
"TokenType": "Bearer",
"RefreshToken": "eyJjwdwd............",
"IdToken": "eyGhjwm....."
}
If you try to get a token for an App Client, which has a client secret, then you will see an error similar to the following error.
An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Client 12zc345vvxcv232678vcxv90 is configured for secret but secret was not received
To resolve this, please add SECRET_HASH also as one of the AuthParameters, in addition to the USERNAME and PASSWORD.
The SECRET_HASH can be calculated as explained in the following page. https://aws.amazon.com/premiumsupport/knowledge-center/cognito-unable-to-verify-secret-hash/
After that, you can use SECRET_HASH as shown in the following examples.
Example 1:
aws cognito-idp initiate-auth --region us-west-2 --auth-flow USER_PASSWORD_AUTH --client-id 12zc345vvxcv232678vcxv90 --auth-parameters USERNAME=user1,PASSWORD=Changeme528*,SECRET_HASH=Jnd8398hdjnjjsd//Ghjskkcdksd/r4=
Example 2:
"AuthParameters" : {
"USERNAME" : "user1",
"PASSWORD" : "Changeme528*",
"SECRET_HASH" : "Jnd8398hdjnjjsd//Ghjskkcdksd/r4="
},
TEST CUSTOM FOOTER
TEST