Server-side authentication flow

The server-side authentication flow uses the admin APIs (AdminCreateUser, AdminInitiateAuth and AdminRespondToAuthChallenge). These calls are signed with IAM credentials, so they belong on a trusted backend, never in code shipped to end users. The steps are as follows:

  1. Use the admin APIs to create a user, as follows:

aws cognito-idp admin-create-user \
    --user-pool-id us-east-1_fYsb1Gyec \
    --username testuser \
    --temporary-password 'Passw0rd$' \
    --profile admin

The password is quoted so that the shell does not try to expand the trailing $. Note that a password typed on the command line also ends up in the shell history; for anything other than a throwaway test user, omit --temporary-password and let Cognito generate one and deliver it to the user by email or SMS.

Remember to replace the user-pool-id value with your own user pool ID. If the command succeeds, it returns the new user's details, including the user's status.

Note that the user is created with the status FORCE_CHANGE_PASSWORD, so Cognito will return a NEW_PASSWORD_REQUIRED challenge when the user signs in for the first time.

  2. Initiate the authentication flow as an admin, as follows:

aws cognito-idp admin-initiate-auth \
    --user-pool-id us-east-1_fYsb1Gyec \
    --client-id 5hh4v7nveu22vea74h8stt9238 \
    --auth-flow ADMIN_NO_SRP_AUTH \
    --auth-parameters 'USERNAME=testuser,PASSWORD=Passw0rd$' \
    --profile admin

Note that we have specified ADMIN_NO_SRP_AUTH. This call fails unless that flow was enabled in the app client's explicit auth flows when the client was created (current CLI versions also accept the equivalent ALLOW_ADMIN_USER_PASSWORD_AUTH value). Unlike the SRP flows, ADMIN_NO_SRP_AUTH sends the password itself to Cognito, protected only by TLS, which is why it is restricted to callers holding IAM credentials and should only be used from a backend. Also, remember to replace the client-id value with the ID of the app client you created earlier.

The initiate auth command returns the NEW_PASSWORD_REQUIRED challenge together with a Session value, which must be passed back when answering the challenge:

  3. We will then send a response to the auth challenge, as follows:

aws cognito-idp admin-respond-to-auth-challenge \
    --user-pool-id us-east-1_fYsb1Gyec \
    --client-id 5hh4v7nveu22vea74h8stt9238 \
    --challenge-name NEW_PASSWORD_REQUIRED \
    --challenge-responses 'USERNAME=testuser,NEW_PASSWORD=NewPass0123$' \
    --session <session-id> \
    --profile admin

If it is successful, this command returns an AuthenticationResult containing three tokens (an access token, a refresh token and an ID token):

If we now run the initiate auth command again with the new password, Cognito no longer returns the NEW_PASSWORD_REQUIRED challenge; it returns the tokens directly. A backend that consumes these tokens must still validate them before trusting any claim: verify the signature against the user pool's JWKS and check iss, aud (ID token) or client_id (access token), token_use and exp.

  4. From now on, we can use the refresh token to obtain a new access token and ID token without sending the password again:

aws cognito-idp admin-initiate-auth \
    --user-pool-id us-east-1_fYsb1Gyec \
    --client-id 5hh4v7nveu22vea74h8stt9238 \
    --auth-flow REFRESH_TOKEN_AUTH \
    --auth-parameters REFRESH_TOKEN=<refresh-token> \
    --profile admin

This call returns new access and ID tokens but not a new refresh token. The refresh token is long-lived (30 days by default, configurable on the app client), so store it as carefully as a password; if it leaks, aws cognito-idp admin-user-global-sign-out invalidates all of the user's refresh tokens.

  5. To clean up, delete the user pool client, as follows:

aws cognito-idp delete-user-pool-client \
    --user-pool-id us-east-1_fYsb1Gyec \
    --client-id 5hh4v7nveu22vea74h8stt9238 \
    --profile admin

Delete the user that we created for this recipe, as follows:

aws cognito-idp admin-delete-user \
    --user-pool-id us-east-1_fYsb1Gyec \
    --username testuser \
    --profile admin
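The same flow driven from a backend program rather than typed step by step, added here as an example and not part of the original recipe. It uses the boto3 method names that map one-to-one onto the CLI subcommands above (admin_initiate_auth and admin_respond_to_auth_challenge), carries the Session from step 2 into step 3 automatically, refreshes with REFRESH_TOKEN_AUTH as in step 4, and then runs the claim checks a backend must make on the returned tokens. The pool ID, client ID, user name and passwords are the recipe's own values; FakeCognito is a constructed, in-memory stand-in for boto3.client("cognito-idp") so that the example runs offline, and because its tokens are unsigned the RS256 signature check against the pool's JWKS, which a real service must perform, is not shown.

```python
"""Added example, not the recipe's code: the server-side flow driven from Python."""
import base64
import json
import time

def admin_login(client, pool_id, client_id, username, password, new_password=None):
    """Steps 2 and 3: ADMIN_NO_SRP_AUTH, answering NEW_PASSWORD_REQUIRED on first login."""
    resp = client.admin_initiate_auth(
        UserPoolId=pool_id, ClientId=client_id, AuthFlow="ADMIN_NO_SRP_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password})
    if resp.get("ChallengeName") == "NEW_PASSWORD_REQUIRED":
        if new_password is None:
            raise RuntimeError("first login: a new password is required")
        resp = client.admin_respond_to_auth_challenge(
            UserPoolId=pool_id, ClientId=client_id, ChallengeName="NEW_PASSWORD_REQUIRED",
            ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password},
            Session=resp["Session"])  # the Session ties this answer to the initiate call
    if "ChallengeName" in resp:  # e.g. an MFA challenge, not covered by this recipe
        raise RuntimeError(f"unhandled challenge: {resp['ChallengeName']}")
    return resp["AuthenticationResult"]

def refresh_tokens(client, pool_id, client_id, refresh_token):
    """Step 4: REFRESH_TOKEN_AUTH returns new access and ID tokens, not a new refresh token."""
    resp = client.admin_initiate_auth(
        UserPoolId=pool_id, ClientId=client_id, AuthFlow="REFRESH_TOKEN_AUTH",
        AuthParameters={"REFRESH_TOKEN": refresh_token})
    return resp["AuthenticationResult"]

def jwt_claims(token):
    """Decode a JWT payload without verifying it (the RS256 check needs the pool's JWKS)."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_claims(claims, pool_id, client_id, expected_use, now=None):
    """Claim checks a backend must make before trusting a token; returns the failed ones."""
    region = pool_id.split("_")[0]
    expected = {"iss": f"https://cognito-idp.{region}.amazonaws.com/{pool_id}",
                "token_use": expected_use,
                # ID tokens name the app client in "aud", access tokens in "client_id"
                ("aud" if expected_use == "id" else "client_id"): client_id}
    failed = [k for k, v in expected.items() if claims.get(k) != v]
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        failed.append("exp")
    return failed

class FakeCognito:
    """Constructed stand-in for boto3.client("cognito-idp"): one user, unsigned tokens."""

    def __init__(self, pool_id, client_id, username, temp_password):
        self.pool_id, self.client_id = pool_id, client_id
        self.users = {username: {"password": temp_password, "status": "FORCE_CHANGE_PASSWORD"}}
        self.sessions, self.refresh = {}, {}

    def _token(self, use, sub):
        enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
        claims = {"iss": f"https://cognito-idp.{self.pool_id.split('_')[0]}.amazonaws.com/{self.pool_id}",
                  "sub": sub, "token_use": use, "exp": int(time.time()) + 3600,
                  ("aud" if use == "id" else "client_id"): self.client_id}
        return f"{enc({'alg': 'none'})}.{enc(claims)}."

    def _result(self, user, with_refresh=True):
        res = {"AccessToken": self._token("access", user), "IdToken": self._token("id", user)}
        if with_refresh:
            res["RefreshToken"] = f"rt-{user}-{len(self.refresh)}"
            self.refresh[res["RefreshToken"]] = user
        return {"AuthenticationResult": res}

    def admin_initiate_auth(self, UserPoolId, ClientId, AuthFlow, AuthParameters):
        if AuthFlow == "REFRESH_TOKEN_AUTH":  # KeyError here stands in for NotAuthorizedException
            return self._result(self.refresh[AuthParameters["REFRESH_TOKEN"]], with_refresh=False)
        user = self.users.get(AuthParameters["USERNAME"])
        if user is None or user["password"] != AuthParameters["PASSWORD"]:
            raise PermissionError("NotAuthorizedException: Incorrect username or password.")
        if user["status"] == "FORCE_CHANGE_PASSWORD":
            session = f"session-{len(self.sessions)}"
            self.sessions[session] = AuthParameters["USERNAME"]
            return {"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": session}
        return self._result(AuthParameters["USERNAME"])

    def admin_respond_to_auth_challenge(self, UserPoolId, ClientId, ChallengeName,
                                        ChallengeResponses, Session):
        user = self.sessions.pop(Session, None)  # a Session can be answered only once
        if user != ChallengeResponses["USERNAME"]:
            raise PermissionError("NotAuthorizedException: Invalid session for the user.")
        self.users[user].update(password=ChallengeResponses["NEW_PASSWORD"], status="CONFIRMED")
        return self._result(user)

def demo():
    """Steps 2 to 4 of the recipe against the fake, returning the facts worth checking."""
    pool, cid, user = "us-east-1_fYsb1Gyec", "5hh4v7nveu22vea74h8stt9238", "testuser"
    cognito = FakeCognito(pool, cid, user, "Passw0rd$")
    first = admin_login(cognito, pool, cid, user, "Passw0rd$", new_password="NewPass0123$")
    fresh = refresh_tokens(cognito, pool, cid, first["RefreshToken"])
    return {"user_status": cognito.users[user]["status"],
            "refresh_reissues_refresh_token": "RefreshToken" in fresh,
            "id_token_checks": check_claims(jwt_claims(fresh["IdToken"]), pool, cid, "id"),
            "access_token_checks": check_claims(jwt_claims(fresh["AccessToken"]), pool, cid, "access")}
```

To run it against a real pool, pass boto3.client("cognito-idp") in place of the fake; the admin_login and refresh_tokens functions do not change. The check_claims function is the part worth keeping: the same four checks apply to any Cognito token regardless of which flow produced it.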