The server-side authentication flow is used with admin APIs, as follows:
- Use admin APIs to create a user, as follows:
aws cognito-idp admin-create-user \
    --user-pool-id us-east-1_fYsb1Gyec \
    --username testuser \
    --temporary-password 'Passw0rd$' \
    --profile admin
Remember to replace the user-pool-id value with your own user pool ID. If it is successful, this command will provide the following output:
Note that the default user status is FORCE_CHANGE_PASSWORD. The user will be provided with a NEW_PASSWORD_REQUIRED challenge after the first login.
- Initiate the authentication flow as an admin, as follows:
aws cognito-idp admin-initiate-auth \
    --user-pool-id us-east-1_fYsb1Gyec \
    --client-id 4o1kgtd4sj39nr36ouak5mhblt \
    --auth-flow ADMIN_NO_SRP_AUTH \
    --auth-parameters 'USERNAME=testuser,PASSWORD=Passw0rd$' \
    --profile admin
The admin-initiate-auth command will return a NEW_PASSWORD_REQUIRED challenge and a session ID:
- We will then send a response to the auth challenge, as follows:
aws cognito-idp admin-respond-to-auth-challenge \
    --user-pool-id us-east-1_fYsb1Gyec \
    --client-id 5hh4v7nveu22vea74h8stt9238 \
    --challenge-name NEW_PASSWORD_REQUIRED \
    --challenge-responses 'USERNAME=testuser,NEW_PASSWORD=NewPass0123$' \
    --session <session-id> \
    --profile admin
If it is successful, this command will return a response with three tokens (an access token, a refresh token, and an ID token):
If we run the admin-initiate-auth command again with the new password, we will see that it no longer returns the NEW_PASSWORD_REQUIRED challenge. Instead, it returns the tokens directly.
- From now on, we can use the refresh token to regenerate the access token and the ID token:
aws cognito-idp admin-initiate-auth \
    --user-pool-id us-east-1_fYsb1Gyec \
    --client-id 5hh4v7nveu22vea74h8stt9238 \
    --auth-flow REFRESH_TOKEN_AUTH \
    --auth-parameters REFRESH_TOKEN=<refresh-token> \
    --profile admin
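The same admin flow driven from server-side code, as an added example that is not part of the original recipe: ADMIN_NO_SRP_AUTH, the NEW_PASSWORD_REQUIRED challenge answered with the returned session, and REFRESH_TOKEN_AUTH for renewal. The FakeCognito class and the sample JWT payloads are constructed stand-ins so the flow runs offline; a live run would pass a boto3 cognito-idp client using the admin profile instead, which is why this code belongs on the server and never in a client application.

```python
import base64
import json

def decode_jwt_payload(token):
    """Unverified JWT claims (token_use, exp, ...); verify the signature against the
    pool's JWKS before trusting them."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def admin_login(cognito, pool_id, client_id, username, password, new_password):
    """ADMIN_NO_SRP_AUTH, answering the first-login NEW_PASSWORD_REQUIRED challenge."""
    resp = cognito.admin_initiate_auth(
        UserPoolId=pool_id, ClientId=client_id, AuthFlow="ADMIN_NO_SRP_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password})
    if resp.get("ChallengeName") == "NEW_PASSWORD_REQUIRED":
        resp = cognito.admin_respond_to_auth_challenge(
            UserPoolId=pool_id, ClientId=client_id, ChallengeName="NEW_PASSWORD_REQUIRED",
            ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password},
            Session=resp["Session"])  # the session ties the answer to this challenge
    elif "ChallengeName" in resp:  # e.g. an MFA challenge, not part of this recipe
        raise RuntimeError("unhandled challenge: " + resp["ChallengeName"])
    return resp["AuthenticationResult"]

def refresh_tokens(cognito, pool_id, client_id, refresh_token):
    """REFRESH_TOKEN_AUTH: fresh access and ID tokens from the refresh token."""
    resp = cognito.admin_initiate_auth(
        UserPoolId=pool_id, ClientId=client_id, AuthFlow="REFRESH_TOKEN_AUTH",
        AuthParameters={"REFRESH_TOKEN": refresh_token})
    return resp["AuthenticationResult"]

class FakeCognito:
    """Constructed stand-in for boto3's cognito-idp client so this runs offline.
    For a live run use boto3.Session(profile_name="admin").client("cognito-idp")."""
    def admin_initiate_auth(self, **kw):
        if kw["AuthFlow"] == "REFRESH_TOKEN_AUTH":
            return {"AuthenticationResult": {"AccessToken": "a2", "IdToken": "i2"}}
        return {"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": "sess-1"}

    def admin_respond_to_auth_challenge(self, **kw):
        assert kw["Session"] == "sess-1" and kw["ChallengeResponses"]["NEW_PASSWORD"]
        return {"AuthenticationResult": {"AccessToken": "a1", "RefreshToken": "r1",
                                         "IdToken": "h.eyJ0b2tlbl91c2UiOiJpZCJ9.s"}}

if __name__ == "__main__":
    pool, app = "us-east-1_fYsb1Gyec", "5hh4v7nveu22vea74h8stt9238"
    tokens = admin_login(FakeCognito(), pool, app, "testuser", "Passw0rd$", "NewPass0123$")
    print(decode_jwt_payload(tokens["IdToken"]))          # {'token_use': 'id'}
    print(refresh_tokens(FakeCognito(), pool, app, tokens["RefreshToken"]))
```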
- To clean up, delete the user pool client, as follows:
aws cognito-idp delete-user-pool-client \
    --user-pool-id us-east-1_fYsb1Gyec \
    --client-id 5hh4v7nveu22vea74h8stt9238 \
    --profile admin
Delete the user that we created for this recipe, as follows:
aws cognito-idp admin-delete-user \
    --user-pool-id us-east-1_fYsb1Gyec \
    --username testuser \
    --profile admin