- Newest
- Most votes
- Most comments
Hi appsg,
The issue with implicit grant is essentially that your callback receive the access token as query string param. This represents a security risk and apart from pet projects, should be avoided for production workloads.
With Authentication grant instead, your call back will NOT receive the user pool generated access token, but an authorization code. Your application has to use that authorization code as part of a HTTP Post request to the Cognito TOKEN Endpoint (https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html).
The response of above POST call, will contain a response as this:
{ "access_token":"eyJra1example", "id_token":"eyJra2example", "refresh_token":"eyJj3example", "token_type":"Bearer", "expires_in":3600 }
From there, you can store those tokens in a DynamoDB encrypted database (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html), which your app can pass as Bearer tokens in Authorization header when calling an HTTP REST API gateway.
Your application is responsible to reissue new tokens when expired (via refresh tokens), while the api gateway is responsible, via Cognito authorizers. This guide should help you through: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
Hope it helps!
Relevant content
- asked 2 years ago
- AWS OFFICIALUpdated a month ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
Awesome. The Dynamo DB part was the missing piece of the puzzle. I was struggling how tokens should be stored once issued since requiring the users to log in each time they need a token is not an option. Thanks a lot