As discussed previously, the client-side authentication flow uses the non-admin Cognito APIs, which a client application calls with only the app client ID and no AWS credentials.
The output of most of the commands is similar to what we saw in the recipe Server-side authentication flow and is not repeated here; refer to that recipe for the screenshots.
Follow these steps to demonstrate the client-side authentication flow. Remember to replace the user-pool-id and client-id values with your own user pool ID and app client ID.
- To create the user, we still use an admin API, as follows:
aws cognito-idp admin-create-user \
    --user-pool-id us-east-1_fYsb1Gyec \
    --username testuser2 \
    --temporary-password 'Passw0rd$' \
    --profile admin
The password is single-quoted so that the shell does not try to expand the $. Note that a password passed on the command line is recorded in the shell history; for anything beyond a demo, omit --temporary-password and let Cognito generate the temporary password and deliver it to the user. The default user status will be FORCE_CHANGE_PASSWORD, as we saw in the previous recipe.
- Initiate the authentication flow, as follows:
aws cognito-idp initiate-auth \
    --client-id 3jiv1fi1rspotsst9m19hktu58 \
    --auth-flow USER_PASSWORD_AUTH \
    --auth-parameters 'USERNAME=testuser2,PASSWORD=Passw0rd$'
As this is a non-admin API, we do not have to specify the admin profile on the command line; the request is identified only by the app client ID. For this to work, the app client must have the USER_PASSWORD_AUTH flow enabled (ALLOW_USER_PASSWORD_AUTH in its explicit auth flows) and must have been created without a client secret; otherwise every call also needs a SECRET_HASH parameter. USER_PASSWORD_AUTH sends the password itself to Cognito (over TLS); the USER_SRP_AUTH flow proves possession of the password without transmitting it and is the better choice for production clients. The initiate-auth command will return a NEW_PASSWORD_REQUIRED challenge together with a Session value, which must be passed to the next call.
- Send a response to the auth challenge, as follows:
aws cognito-idp respond-to-auth-challenge \
    --client-id 3jiv1fi1rspotsst9m19hktu58 \
    --challenge-name NEW_PASSWORD_REQUIRED \
    --challenge-responses 'USERNAME=testuser2,NEW_PASSWORD=NewPass0123$' \
    --session <session-id>
If it is successful, this command returns an AuthenticationResult with three tokens: an access token, a refresh token, and an ID token. Run initiate-auth again with the new password and confirm that it now returns the tokens directly rather than another NEW_PASSWORD_REQUIRED challenge.
- From now on, we can also use the refresh token to obtain a new access token and ID token without sending the password again:
aws cognito-idp initiate-auth \
    --client-id 3jiv1fi1rspotsst9m19hktu58 \
    --auth-flow REFRESH_TOKEN_AUTH \
    --auth-parameters REFRESH_TOKEN=<refresh token>
The access and ID tokens are short-lived (one hour by default), whereas the refresh token is valid for 30 days by default and must be stored by the client as carefully as a credential: anyone holding it can mint fresh tokens until it expires or is revoked (for example, with admin-user-global-sign-out).
- To clean up, delete the user pool client, as follows:
aws cognito-idp delete-user-pool-client \
    --user-pool-id us-east-1_fYsb1Gyec \
    --client-id 3jiv1fi1rspotsst9m19hktu58 \
    --profile admin
Delete the user that we created for this recipe, as follows:
aws cognito-idp admin-delete-user \
    --user-pool-id us-east-1_fYsb1Gyec \
    --username testuser2 \
    --profile admin
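The access and ID tokens that respond-to-auth-challenge hands back are JSON Web Tokens, and a backend that accepts them has to check more than that they decode. The following is an added example, not code from this recipe or from AWS: it reuses the user pool ID and app client ID shown above (assumed values), builds constructed sample tokens with a fake signature so that it runs offline, and applies the claim checks Cognito documents for its ID and access tokens (issuer, token_use, audience or client_id, expiry). Signature verification against the pool's JWKS is deliberately left out of the example and must come first in real code.

```python
from __future__ import annotations

import base64
import json
import time

# Assumed values: the pool ID and app client ID used in the recipe above.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_fYsb1Gyec"
CLIENT_ID = "3jiv1fi1rspotsst9m19hktu58"
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
# The pool's RS256 public keys are published here. Real code must verify the
# token signature against the key whose kid matches the header BEFORE trusting
# any claim; that step is omitted in this offline example.
JWKS_URL = f"{EXPECTED_ISSUER}/.well-known/jwks.json"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with the padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> tuple[dict, dict]:
    """Split a compact JWT into (header, claims). Does NOT check the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_cognito_claims(token: str, expected_use: str, now: float | None = None) -> dict:
    """Apply the claim checks Cognito documents for its ID ("id") and access
    ("access") tokens. Returns the claims, or raises ValueError naming the
    check that failed."""
    now = time.time() if now is None else now
    header, claims = decode_jwt(token)
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; Cognito signs with RS256")
    if not header.get("kid"):
        raise ValueError("missing kid: cannot select a key from the JWKS")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    if claims.get("token_use") != expected_use:
        raise ValueError(f"token_use is {claims.get('token_use')!r}, expected {expected_use!r}")
    # The ID token names the app client in "aud"; the access token in "client_id".
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != CLIENT_ID:
        raise ValueError(f"token was issued to a different app client: {audience!r}")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def claim_error(token: str, expected_use: str, now: float | None = None) -> str | None:
    """Convenience wrapper: None if the token passes, otherwise the failure reason."""
    try:
        check_cognito_claims(token, expected_use, now)
        return None
    except ValueError as exc:
        return str(exc)


def make_test_token(claims: dict) -> str:
    """Build a CONSTRUCTED sample token with a fake signature, for offline use only."""
    header = {"alg": "RS256", "kid": "constructed-kid"}
    encoded = [_b64url_encode(json.dumps(part).encode()) for part in (header, claims)]
    return ".".join(encoded) + "." + _b64url_encode(b"\x00" * 32)


# Constructed samples shaped like the tokens respond-to-auth-challenge returns
# for testuser2 (the refresh token is opaque to the client and is not a JWT you
# can inspect this way). A fixed clock keeps the example reproducible.
SAMPLE_NOW = 1_700_000_000.0
_BASE = {"iss": EXPECTED_ISSUER, "iat": SAMPLE_NOW - 60, "exp": SAMPLE_NOW + 3600}
SAMPLE_ID_TOKEN = make_test_token({**_BASE, "token_use": "id", "aud": CLIENT_ID,
                                   "cognito:username": "testuser2"})
SAMPLE_ACCESS_TOKEN = make_test_token({**_BASE, "token_use": "access",
                                       "client_id": CLIENT_ID, "username": "testuser2"})
# Placeholder pool ID, constructed to show an issuer mismatch.
SAMPLE_OTHER_POOL = make_test_token({**_BASE, "token_use": "id", "aud": CLIENT_ID,
                                     "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{REGION}_OTHERPOOL"})

if __name__ == "__main__":
    print("id token user:", check_cognito_claims(SAMPLE_ID_TOKEN, "id", SAMPLE_NOW)["cognito:username"])
    print("access token client:", check_cognito_claims(SAMPLE_ACCESS_TOKEN, "access", SAMPLE_NOW)["client_id"])
    print("access token used as id token:", claim_error(SAMPLE_ACCESS_TOKEN, "id", SAMPLE_NOW))
    print("token from another pool:", claim_error(SAMPLE_OTHER_POOL, "id", SAMPLE_NOW))
    print("expired:", claim_error(SAMPLE_ID_TOKEN, "id", SAMPLE_NOW + 7200))
```

Run it directly to see the checks pass for the constructed ID and access tokens and fail when an access token is presented where an ID token is expected, when the issuer is a different pool, or when the token has expired. For real tokens, fetch JWKS_URL, select the key by the header's kid, and verify the RS256 signature (for example with the PyJWT library) before calling check_cognito_claims.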