Client-side authentication flow

As we discussed previously, the client-side authentication flow uses non-admin APIs.

The output of most of these commands is similar to what we saw in the recipe Server-side authentication flow, so it is not repeated here. Please refer to that recipe for the screenshots.

Follow these steps to demonstrate the client-side authentication flow. Remember to replace the user-pool-id value with your user pool ID and the client-id value with the ID of your app client.

  1. For creating the user, we will still use the admin APIs, as follows:
aws cognito-idp admin-create-user \
--user-pool-id us-east-1_fYsb1Gyec \
--username testuser2 \
--temporary-password Passw0rd$ \
--profile admin

The default user status will be FORCE_CHANGE_PASSWORD, as we saw in the previous recipe.

  2. Initiate the authentication flow, as follows:
aws cognito-idp initiate-auth \
--client-id 3jiv1fi1rspotsst9m19hktu58 \
--auth-flow USER_PASSWORD_AUTH \
--auth-parameters USERNAME=testuser2,PASSWORD=Passw0rd$

As this is a non-admin API, we do not have to specify the admin profile on the command line. The initiate-auth command will return a NEW_PASSWORD_REQUIRED challenge and a session ID.
  3. Send a response to the auth challenge, as follows:
aws cognito-idp respond-to-auth-challenge \
--client-id 3jiv1fi1rspotsst9m19hktu58 \
--challenge-name NEW_PASSWORD_REQUIRED \
--challenge-responses USERNAME=testuser2,NEW_PASSWORD=NewPass0123$ \
--session <session-id>

If it is successful, this command will return a response with three tokens: an access token, a refresh token, and an ID token. We can run the initiate-auth command again with the new password and check that it no longer returns the NEW_PASSWORD_REQUIRED challenge.

  4. From now on, we can also use the refresh token to regenerate the access token and the ID token:
aws cognito-idp initiate-auth \
--client-id 3jiv1fi1rspotsst9m19hktu58 \
--auth-flow REFRESH_TOKEN_AUTH \
--auth-parameters REFRESH_TOKEN=<refresh token>

  5. To clean up, delete the user pool client, as follows:
aws cognito-idp delete-user-pool-client \
--user-pool-id us-east-1_fYsb1Gyec \
--client-id 3jiv1fi1rspotsst9m19hktu58 \
--profile admin

Delete the user that we created for this recipe, as follows:

aws cognito-idp admin-delete-user \
--user-pool-id us-east-1_fYsb1Gyec \
--username testuser2 \
--profile admin
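The same flow (steps 2 to 4) driven from application code, as an added example that is not part of the original recipe. The client argument is meant to be boto3.client("cognito-idp"), whose initiate_auth and respond_to_auth_challenge calls take the parameters shown; FakeCognito is a constructed stand-in that mimics the responses described above so the example runs offline, and the token strings it issues are made up.

```python
CLIENT_ID = "3jiv1fi1rspotsst9m19hktu58"  # app client id used in the recipe

def authenticate(client, username, password, new_password=None):
    """Non-admin flow: USER_PASSWORD_AUTH, then answer NEW_PASSWORD_REQUIRED if asked."""
    resp = client.initiate_auth(ClientId=CLIENT_ID, AuthFlow="USER_PASSWORD_AUTH",
                                AuthParameters={"USERNAME": username, "PASSWORD": password})
    challenge = resp.get("ChallengeName")
    if challenge == "NEW_PASSWORD_REQUIRED":  # user still has the temporary password
        if new_password is None:
            raise ValueError("temporary password in use; a new password is required")
        resp = client.respond_to_auth_challenge(
            ClientId=CLIENT_ID, ChallengeName=challenge, Session=resp["Session"],
            ChallengeResponses={"USERNAME": username, "NEW_PASSWORD": new_password})
    elif challenge:  # other challenges (e.g. MFA) are outside this recipe
        raise RuntimeError(f"unhandled challenge: {challenge}")
    return resp["AuthenticationResult"]  # AccessToken, IdToken, RefreshToken

def refresh(client, refresh_token):
    """REFRESH_TOKEN_AUTH yields new access and ID tokens but no new refresh token."""
    resp = client.initiate_auth(ClientId=CLIENT_ID, AuthFlow="REFRESH_TOKEN_AUTH",
                                AuthParameters={"REFRESH_TOKEN": refresh_token})
    return resp["AuthenticationResult"]

class FakeCognito:
    """Constructed stand-in for boto3's cognito-idp client, so this runs offline."""
    def __init__(self, username, temp_password):
        self.pw, self.must_change = {username: temp_password}, {username: True}
        self.sessions, self.refresh_tokens, self.n = {}, {}, 0
    def _tokens(self, user, with_refresh):
        self.n += 1  # each issuance produces distinct (made-up) token strings
        out = {"AccessToken": f"access-{user}-{self.n}", "IdToken": f"id-{user}-{self.n}"}
        if with_refresh:
            out["RefreshToken"] = f"refresh-{user}-{self.n}"
            self.refresh_tokens[out["RefreshToken"]] = user
        return out
    def initiate_auth(self, ClientId, AuthFlow, AuthParameters):
        if AuthFlow == "REFRESH_TOKEN_AUTH":
            user = self.refresh_tokens[AuthParameters["REFRESH_TOKEN"]]  # KeyError if unknown
            return {"AuthenticationResult": self._tokens(user, False)}
        user = AuthParameters["USERNAME"]
        if self.pw.get(user) != AuthParameters["PASSWORD"]:
            raise PermissionError("NotAuthorizedException")
        if self.must_change[user]:  # same as the FORCE_CHANGE_PASSWORD state
            self.sessions[f"sess-{user}"] = user
            return {"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": f"sess-{user}"}
        return {"AuthenticationResult": self._tokens(user, True)}
    def respond_to_auth_challenge(self, ClientId, ChallengeName, Session, ChallengeResponses):
        user = self.sessions.pop(Session)  # a session can be used only once
        self.pw[user], self.must_change[user] = ChallengeResponses["NEW_PASSWORD"], False
        return {"AuthenticationResult": self._tokens(user, True)}
```

Calling authenticate without new_password while the user is still in the temporary-password state raises ValueError, which is the condition step 2 surfaces as the NEW_PASSWORD_REQUIRED challenge.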