Implementing authentication and authorization mechanisms in modern applications can be challenging, especially when dealing with various user types and use cases. As developers, we often struggle to choose the right authentication flow that balances security, user experience, and application requirements. That is where understanding the OAuth 2.0 grant types comes into play. Whether you are building a traditional web application, a mobile app, or a machine-to-machine communication system, understanding the OAuth 2.0 grant types can help you implement robust and secure authentication and authorization mechanisms.
In this blog post, we show you the different OAuth 2.0 grants and how to implement them in Amazon Cognito. We review the purpose of each grant, its relevance in modern application development, and which grant is best suited to different application requirements.
OAuth 2.0 is an authorization framework that enables secure and seamless access to resources on behalf of users without the need to share sensitive credentials. The primary objective of OAuth 2.0 is to establish a secure, delegated, and scoped access mechanism that allows third-party applications to interact with user data while maintaining strong privacy and security measures.
OpenID Connect, often called OIDC, is a protocol based on OAuth 2.0. It extends OAuth 2.0 to provide user authentication, identity verification, and user information retrieval. OIDC is an essential component for building secure and user-friendly authentication experiences in applications. Amazon Cognito supports OIDC, meaning it supports user authentication and identity verification according to the OIDC standard.
Amazon Cognito is an identity environment for web and mobile applications. Its two main components are user pools and identity pools. A Cognito user pool is a user directory, an authentication server, and an authorization service for OAuth 2.0 tokens. With it, you can authenticate and authorize users natively, from a federated identity such as your enterprise directory, or from consumer identity providers such as Google or Facebook. A Cognito identity pool can exchange OAuth 2.0 tokens (among other options) for AWS credentials.
Implementing OAuth 2.0 grants using Amazon Cognito
The OAuth 2.0 standard defines four main roles; these are important to know as we discuss the grants:
A resource owner owns the data in the resource server and can grant access to the resource (such as a database admin).
A resource server hosts the protected resources that the application wants to access (such as a SQL server).
A client is an application making requests for the protected resources on behalf of the resource owner and with its authorization (such as an analytics application).
An authorization server issues scoped tokens after the user has been authenticated and has consented to the issuance of the token under the requested scope (such as Amazon Cognito).
A few other useful concepts before we dive into the OAuth 2.0 grants:
Access tokens are at the core of OAuth 2.0's operation. These tokens are short-lived credentials that the client application uses to prove its authorized status when requesting resources from the resource server. Additionally, OAuth 2.0 might involve the use of refresh tokens, which provide a mechanism for clients to obtain new access tokens without requiring the resource owner's intervention.
An ID token is a JSON Web Token (JWT) introduced by OpenID Connect that contains information about the authentication event of the user. ID tokens allow applications to verify the identity of the user, make informed decisions about the user's authentication status, and personalize the user's experience. An ID token is meant for the client application that requested it; it is not an access token and should not be accepted by a resource server as one.
A scope is a level of access that an application can request to a resource. Scopes define the specific permissions that a client application can request when obtaining an access token. You can use scopes to fine-tune the level of access granted to the client. For example, an OAuth 2.0 request might include the scope read:profile, indicating that the client application is requesting read-only access to the user's profile information. Another request might include the scope write:photos, indicating the client's intent to write to the user's photo collection. In Amazon Cognito, you can define custom scopes (named resource-server-identifier/scope-name) alongside the standard OAuth 2.0 scopes openid, profile, email, and phone to align with your application's requirements. You can use this flexibility to manage access permissions efficiently and securely.
A typical high-level OAuth 2.0 flow looks like Figure 1:
Below are the steps involved in the OAuth 2.0 flow:
The client requests authorization from the resource owner. This is done through the authorization server (Amazon Cognito) as an intermediary.
The resource owner provides the authorization grant to the client. This can be one of several grant types, which are discussed in detail in the following sections. The type of grant used depends on the method the client uses to request authorization from the resource owner.
The client requests an access token by authenticating with Cognito.
Cognito authenticates the client (the authentication method depends on the grant type) and issues an access token if the authorization grant is valid.
The client presents the access token to the resource server when it requests the protected resource.
The resource server checks the access token's signature and claims (issuer, expiry, the client it was issued to, and the granted scopes) and serves the request if everything is valid.
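The last step, the resource server's check of the token, is what decides whether the whole flow achieved anything, so here is what that check looks like in code. This is an added example written for this page, not code from the original post or from AWS. A Cognito user pool signs its tokens with RS256 and publishes the verification keys at https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json; the RSA check against that document needs a JWT library, so the signature step is passed in as a callable, and the constructed sample token below is signed with HMAC purely so the example runs offline. The claim checks (issuer, token_use, client_id, expiry, scopes) are the ones a production resource server performs in the same order. The issuer, client ID, key and scope names are made-up values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Iterable, Optional

# Constructed values; a real issuer is https://cognito-idp.{region}.amazonaws.com/{userPoolId}
SAMPLE_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
SAMPLE_CLIENT_ID = "1example23456789"
SAMPLE_KEY = b"demo-hmac-key, stands in for the pool's RSA key"

# verify_signature(header, signing_input, signature) -> bool
SignatureCheck = Callable[[dict, bytes, bytes], bool]


class TokenError(Exception):
    """Raised when the token fails any validation step."""


def _b64url_decode(data: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def verify_cognito_access_token(token: str, *, issuer: str, client_id: str,
                                required_scopes: Iterable[str],
                                verify_signature: SignatureCheck,
                                now: Optional[int] = None) -> dict:
    """Validate a user pool access token and return its claims.

    Nothing in the payload is trusted until the signature check passes; with
    real tokens the callback must also insist on alg == "RS256" and pick the
    JWKS key whose kid matches the header.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not verify_signature(header, signing_input, _b64url_decode(sig_b64)):
        raise TokenError("signature check failed")

    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise TokenError("unexpected issuer")
    # Cognito labels each token; an ID token must not pass as an access token.
    if claims.get("token_use") != "access":
        raise TokenError("not an access token")
    if claims.get("client_id") != client_id:
        raise TokenError("issued to a different app client")
    if int(claims.get("exp", 0)) <= now:
        raise TokenError("token expired")
    missing = set(required_scopes) - set(claims.get("scope", "").split())
    if missing:
        raise TokenError(f"missing scopes: {sorted(missing)}")
    return claims


def sign_sample_token(claims: dict, key: bytes = SAMPLE_KEY) -> str:
    """Mint an HS256 token for the demo only; Cognito itself issues RS256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def hmac_verifier(key: bytes = SAMPLE_KEY) -> SignatureCheck:
    """Signature callback for the demo key; pins alg so a token cannot pick
    a weaker check by claiming a different algorithm."""
    def verify(header: dict, signing_input: bytes, signature: bytes) -> bool:
        if header.get("alg") != "HS256":
            return False
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


def demo(now: int = 1_700_000_000) -> dict:
    """Validate a freshly minted sample token and return its claims."""
    token = sign_sample_token({
        "iss": SAMPLE_ISSUER, "client_id": SAMPLE_CLIENT_ID, "token_use": "access",
        "scope": "openid photos/read", "exp": now + 3600, "sub": "example-user",
    })
    return verify_cognito_access_token(
        token, issuer=SAMPLE_ISSUER, client_id=SAMPLE_CLIENT_ID,
        required_scopes=["photos/read"], verify_signature=hmac_verifier(), now=now)


if __name__ == "__main__":
    print(demo()["sub"])
```

The order of checks is deliberate: signature first, then issuer, token_use and client_id, then expiry and scopes. Accepting an ID token where an access token is expected, or skipping the client_id comparison, are the two mistakes that most often turn a correctly signed token into a credential for the wrong API.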
There are several different grant types, four of which are described in the following sections.
Authorization code grant
The authorization code grant type is used by clients to securely exchange an authorization code for an access token. It is used by both web applications and native applications to get an access token after a user authenticates to an application. After the user returns to the client through the redirect URI (the URL to which the authorization server redirects the browser after it authorizes the user), the application gets the authorization code from the URL and uses it to request an access token.
This grant type is suitable for most cases, as a single authentication flow is used regardless of which operation is performed or who is performing it. The grant is considered secure because it obtains the access token with a single-use code instead of exposing the tokens themselves in the browser, and because the user only ever enters credentials at the authorization server, so the application never sees them.
Below are the steps involved in the authorization code grant flow (Figure 2):
The process begins with the client initiating the sequence, directing the user agent (that is, the browser) of the resource owner to the authorization endpoint. In this request, the client provides its client identifier, the scope it is requesting, a local state value, and a redirection URI to which the authorization server (Amazon Cognito) will return the user agent after either granting or denying access.
Cognito authenticates the resource owner (through the user agent) using user pool authentication and establishes whether the resource owner grants or denies the client's access request.
Cognito redirects the user agent back to the client using the redirection URI that was supplied in step (1), with an authorization code in the query string (such as https://www.example.com/webpage?code=<authcode>).
The client requests an access token from Cognito's token endpoint by including the authorization code received in step (3). When making the request, the client authenticates with Cognito, typically with a client ID and a secret. The client includes the redirection URI used to obtain the authorization code, for verification.
Cognito authenticates the client, validates the authorization code, and makes sure that the redirection URI received matches the URI used to redirect the client in step (3). If everything is valid, Cognito responds with an access token.
An implementation of the authorization code grant using Amazon Cognito looks like the following:
An application makes an HTTP GET request to AUTH_DOMAIN/oauth2/authorize, where AUTH_DOMAIN represents the user pool's configured domain. This request includes the following query parameters:
response_type – Set to code for this grant type.
client_id – The ID of the desired user pool app client.
redirect_uri – The URL that the user is directed to after successful authentication. It must exactly match one of the callback URLs configured on the app client.
state (optional but recommended) – A random value that is used to prevent cross-site request forgery (CSRF) attacks. The application keeps it in the user's session and refuses to exchange a code whose callback does not carry the same value.
scope (optional) – A space-separated list of scopes to request for the generated tokens. Note that:
An ID token is only generated if the openid scope is requested.
The phone, email, and profile scopes can only be requested if openid is also requested.
A vended access token can only be used to make user pool API calls if aws.cognito.signin.user.admin (the user pool's reserved API scope) is requested.
identity_provider (optional) – Indicates the provider that the end user should authenticate with.
idp_identifier (optional) – Same as identity_provider, but does not expose the provider's real name.
nonce (optional) – A random value that you can add to the request. The nonce value that you provide is included in the ID token that Amazon Cognito issues. To guard against replay attacks, your app can check the nonce claim in the ID token and compare it to the one you generated. For more information about the nonce claim, see ID token validation in the OpenID Connect standard.
A CSRF token is returned in a cookie. If an identity provider was specified in the request from step 1, the rest of this step is skipped and the user is automatically redirected to the appropriate identity provider's authentication page. Otherwise, the user is redirected to https://AUTH_DOMAIN/login (which serves the auto-generated hosted UI) with the same query parameters set from step 1. They can then either authenticate with the user pool or select one of the third-party providers that is configured for the designated app client.
The user authenticates with their identity provider through one of the following means:
If the user authenticates with the native user pool, the hosted UI submits the user's credentials through a POST request to https://AUTH_DOMAIN/login (with the original query parameters) together with some additional metadata.
If the user selects a different identity provider, the user is redirected to that identity provider's authentication page. After successful authentication the provider redirects the user back to Cognito: OIDC and social providers return an authorization code in the code query parameter to https://AUTH_DOMAIN/oauth2/idpresponse, and SAML providers POST a SAML assertion to https://AUTH_DOMAIN/saml2/idpresponse.
After Amazon Cognito verifies the user pool credentials or provider tokens it receives, the user is redirected to the URL that was specified in the original redirect_uri query parameter. The redirect also sets a code query parameter that carries the authorization code that Cognito vended to the user.
The custom application that is hosted at the redirect URL can then extract the authorization code from the query parameters and exchange it for user pool tokens. The exchange happens by submitting a POST request to https://AUTH_DOMAIN/oauth2/token with the following application/x-www-form-urlencoded parameters:
grant_type – Set to authorization_code for this grant.
code – The authorization code that was vended to the user.
client_id – Same as in the request from step 1.
redirect_uri – Same as in the request from step 1.
If the app client was configured with a secret, the Authorization header for this request is set to Basic BASE64(CLIENT_ID:CLIENT_SECRET), where BASE64(CLIENT_ID:CLIENT_SECRET) is the base64 representation of the app client ID and app client secret, concatenated with a colon.
The JSON returned in the resulting response has the following keys:
access_token – A valid user pool access token.
refresh_token – A valid user pool refresh token. This can be used to retrieve new tokens by sending it through a POST request to https://AUTH_DOMAIN/oauth2/token, specifying the refresh_token and client_id parameters and setting the grant_type parameter to refresh_token.
id_token – A valid user pool ID token. Note that an ID token is only provided if the openid scope was requested.
expires_in – The length of time (in seconds) that the provided ID and access tokens are valid.
token_type – Set to Bearer.
Here are some of the best practices to follow when using the authorization code grant:
Use the Proof Key for Code Exchange (PKCE) extension with the authorization code grant, especially for public clients such as a single-page web application. This is discussed in more detail in the following section.
Regularly rotate client secrets and credentials to minimize the risk of unauthorized access.
Implement session management to handle user sessions securely. This involves managing access token lifetimes, storing tokens safely, rotating refresh tokens, implementing token revocation, and providing straightforward logout mechanisms that invalidate access and refresh tokens on the user's devices.
Authorization code grant with PKCE
To enhance security when using the authorization code grant, especially in public clients such as native applications, the PKCE extension (RFC 7636) was introduced. PKCE adds an extra layer of protection by making sure that only the client that initiated the authorization request can exchange the received authorization code for an access token, so an authorization code intercepted in transit or on the device is useless on its own. This combination is sometimes called a PKCE grant.
It introduces a secret called the code verifier, which is a random value created by the client for each authorization request. This value is then hashed using a transformation method such as SHA-256; the result is called the code challenge. The same steps are followed as in the flow from Figure 2, except that the code challenge is now added to the query string of the request to the authorization server (Amazon Cognito). The authorization server stores this code challenge for verification after the authentication process and redirects back with an authorization code. This authorization code, together with the code verifier, is sent to the authorization server, which hashes the code verifier and compares the result with the previously stored code challenge. Access tokens are issued only after that verification succeeds. Figure 3 outlines this process.
The authorization code grant with PKCE implementation is identical to the authorization code grant, except that step 1 requires two additional query parameters:
code_challenge – The hashed, base64 URL-encoded representation of a random code that is generated client side (the code verifier). It serves as the proof key that keeps an attacker from using an intercepted authorization code.
code_challenge_method – The hash algorithm that is used to generate the code_challenge. Amazon Cognito currently only supports setting this parameter to S256, which indicates that the code_challenge parameter was generated using SHA-256.
In step 5, when exchanging the authorization code for the user pool tokens, include an additional parameter:
code_verifier – The base64 URL-encoded representation of the unhashed, random string that was used to generate the PKCE code_challenge in the original request.
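The authorization code section and this PKCE section describe one client-side procedure, so a single added example covers both: generating the verifier and S256 challenge, building the authorize URL with a state value, validating the callback, and forming the token exchange and refresh requests. This is example code written for this page, not from the original post, the Cognito SDKs or AWS; the domain, client ID and redirect URI are constructed placeholders, and the HTTP call itself is left to whatever client the application already uses (the functions return the URL, headers and form body to send). pkce_challenge_matches shows the check Cognito performs on the token endpoint's side when it receives the code_verifier.

```python
import base64
import hashlib
import secrets
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders; substitute your user pool domain and app client.
AUTH_DOMAIN = "https://my-app.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "1example23456789"
REDIRECT_URI = "https://app.example.com/callback"

FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    32 random bytes encode to 43 characters, the minimum verifier length
    RFC 7636 allows. The verifier stays on the client; only the challenge
    (base64url SHA-256 of the verifier's ASCII bytes) goes to /oauth2/authorize.
    """
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def pkce_challenge_matches(verifier: str, challenge: str) -> bool:
    """The check the token endpoint makes before it honours the code."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected.encode(), challenge.encode())


def build_authorize_url(state: str, code_challenge: str, scopes: Iterable[str],
                        nonce: Optional[str] = None) -> str:
    """Step 1: the URL the browser is sent to."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "state": state, "scope": " ".join(scopes),
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    if nonce:
        params["nonce"] = nonce
    return f"{AUTH_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Step 4: take the code out of the redirect, but only if state matches.

    A code that arrives without the state this session generated is the
    CSRF case (an attacker's code being planted in the victim's session);
    it is discarded rather than exchanged.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    received = query.get("state", [""])[0]
    if not secrets.compare_digest(received.encode(), expected_state.encode()):
        raise RuntimeError("state mismatch; possible CSRF or stale session")
    return query["code"][0]


def _client_auth(client_secret: Optional[str]) -> Dict[str, str]:
    """Basic header for a confidential client; a public client sends none."""
    headers = dict(FORM)
    if client_secret is not None:
        creds = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode()).decode("ascii")
        headers["Authorization"] = f"Basic {creds}"
    return headers


def build_token_request(code: str, code_verifier: str,
                        client_secret: Optional[str] = None) -> Tuple[str, Dict[str, str], str]:
    """Step 5: (url, headers, body) for the POST to /oauth2/token."""
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code": code, "code_verifier": code_verifier}
    return f"{AUTH_DOMAIN}/oauth2/token", _client_auth(client_secret), urlencode(body)


def build_refresh_request(refresh_token: str,
                          client_secret: Optional[str] = None) -> Tuple[str, Dict[str, str], str]:
    """Later: trade the refresh token for fresh access and ID tokens."""
    body = {"grant_type": "refresh_token", "client_id": CLIENT_ID,
            "refresh_token": refresh_token}
    return f"{AUTH_DOMAIN}/oauth2/token", _client_auth(client_secret), urlencode(body)
```

Both state and the code verifier must be stored server-side in the user's session (or, for a single-page application, in memory for the duration of the flow) between the redirect out and the callback in; neither should be derivable from anything the attacker can see in the callback URL.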
Implicit grant (not recommended)
The implicit grant was an OAuth 2.0 grant type that allowed clients such as single-page applications and mobile apps to obtain user access tokens directly from the authorization endpoint. The grant type was called implicit because no intermediate credential (such as an authorization code) was issued and later exchanged for an access token. The implicit grant has been deprecated, and it is recommended that you use the authorization code grant with PKCE instead. A consequence of using the implicit grant was that it exposed access tokens directly in the URL fragment, where they could end up in browser history, be intercepted, or be exposed to other applications residing on the same device.
The implicit grant flow was designed to enable public client-side applications, such as single-page applications or mobile apps without a backend server component, to obtain tokens without a code exchange step.
Steps 1, 2, and 3 of the implicit grant are identical to the authorization code grant steps, except that the response_type query parameter is set to token. Additionally, while a PKCE challenge can technically be passed, it is not used because the /oauth2/token endpoint is never accessed. The following steps, starting with step 4, are as follows:
After Amazon Cognito verifies the user pool credentials or provider tokens it receives, the user is redirected to the URL that was specified in the original redirect_uri query parameter. The redirect carries the following parameters in the URL fragment (after the #), where they are visible to script on the page but are not sent to the server hosting the redirect URL:
access_token – A valid user pool access token.
expires_in – The length of time (in seconds) that the provided ID and access tokens are valid.
token_type – Set to Bearer.
id_token – A valid user pool ID token. Note that an ID token is only provided if the openid scope was requested.
Note that no refresh token is returned during an implicit grant, as specified in the RFC standard.
The custom application that is hosted at the redirect URL can then extract the access token and ID token (if present) from the URL fragment.
Here are some best practices for the implicit grant:
Make access token lifetimes short. Implicit grant tokens cannot be revoked, so expiry is the only way to end their validity.
The implicit grant type is deprecated and should be used only for scenarios where a backend server component cannot be implemented, such as browser-based applications, and even there the authorization code grant with PKCE is the better choice.
Client credentials grant
The client credentials grant is for machine-to-machine authentication. For example, a third-party application must verify its identity before it can access your system. The client can request an access token using only its client credentials (or other supported means of authentication) when the client is requesting access to the protected resources under its control, or those of another resource owner that have been previously arranged with the authorization server.
The client credentials grant type must be used only by confidential clients. This means the client must be able to protect a secret string from users. Note that to use the client credentials grant, the corresponding user pool app client must have an associated app client secret.
The flow illustrated in Figure 5 consists of the following steps:
The client authenticates with the authorization server using a client ID and secret and requests an access token from the token endpoint.
The authorization server authenticates the client and, if the credentials are valid, issues an access token.
The detailed steps for the process are as follows:
The application makes a POST request to https://AUTH_DOMAIN/oauth2/token and specifies the following parameters:
grant_type – Set to client_credentials for this grant type.
client_id – The ID of the desired user pool app client.
scope – A space-separated list of scopes to request for the generated access token. Note that you can only use custom scopes (defined on a resource server, in the form resource-server-identifier/scope-name) with the client credentials grant; openid, profile, email, and phone do not apply because no user is involved.
To prove that the application is authorized to make the request, the Authorization header for this request is set to Basic BASE64(CLIENT_ID:CLIENT_SECRET), where BASE64(CLIENT_ID:CLIENT_SECRET) is the base64 representation of the client ID and client secret, concatenated with a colon.
The Amazon Cognito authorization server returns a JSON object with the following keys:
access_token – A valid user pool access token.
expires_in – The length of time (in seconds) that the provided access token is valid.
token_type – Set to Bearer.
Note that, for this grant type, an ID token and a refresh token are not returned.
The application uses the access token to make requests to an associated resource server.
The resource server validates the received token and, if everything checks out, processes the request from the app.
Following are a few recommended practices when using the client credentials grant:
Store client credentials securely and avoid hardcoding them in your application. Use appropriate credential management practices, such as environment variables or a secret management service, and rotate the secret on a schedule.
Limit use cases. The client credentials grant is suitable for machine-to-machine authentication in highly trusted scenarios. Limit its use to cases where other grant types are not applicable, and request only the custom scopes the caller actually needs.
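The practices above (keep the secret out of source, request only what you need, treat the token as a short-lived credential) are easiest to follow with a small wrapper that owns the secret, caches the token, and renews it before expires_in runs out. This is an added example, not code from the original post or from AWS; the domain and client ID are placeholders, the HTTP call is injected as a callable, and the fake token endpoint at the bottom is a constructed stand-in that enforces what Cognito enforces for this grant (Basic credentials, grant_type, custom scopes only) so the example runs offline.

```python
import base64
import os
import time
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Constructed placeholders; replace with your user pool domain and app client.
AUTH_DOMAIN = "https://my-app.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "1example23456789"

# Transport signature: post(url, headers, form_body) -> parsed JSON response.
Transport = Callable[[str, Dict[str, str], str], dict]


def secret_from_env(name: str = "COGNITO_CLIENT_SECRET") -> str:
    """Read the app client secret from the environment, never from source code."""
    value = os.environ.get(name)
    if not value:
        raise RuntimeError(f"{name} is not set; refusing to start without a client secret")
    return value


class ClientCredentialsClient:
    """Obtains and caches an access token via the client credentials grant."""

    def __init__(self, client_secret: str, scopes: Iterable[str], post: Transport,
                 clock: Callable[[], float] = time.time, leeway: int = 60):
        self._secret = client_secret
        self._scopes = list(scopes)
        self._post = post
        self._clock = clock
        self._leeway = leeway            # renew this many seconds before expiry
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def token_request(self) -> Tuple[str, Dict[str, str], str]:
        """(url, headers, body) for the POST to /oauth2/token."""
        creds = base64.b64encode(f"{CLIENT_ID}:{self._secret}".encode()).decode("ascii")
        headers = {"Authorization": f"Basic {creds}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urlencode({"grant_type": "client_credentials",
                          "client_id": CLIENT_ID,
                          "scope": " ".join(self._scopes)})
        return f"{AUTH_DOMAIN}/oauth2/token", headers, body

    def access_token(self) -> str:
        """Return a cached token while it is comfortably valid, else fetch one."""
        if self._token and self._clock() < self._expires_at - self._leeway:
            return self._token
        url, headers, body = self.token_request()
        resp = self._post(url, headers, body)
        if "access_token" not in resp:
            raise RuntimeError(f"token request failed: {resp.get('error', 'unknown')}")
        self._token = resp["access_token"]
        self._expires_at = self._clock() + int(resp["expires_in"])
        return self._token


# --- constructed stand-in for the token endpoint, for offline use -------------
def fake_cognito_token_endpoint(expected_secret: str, issued: List[str]) -> Transport:
    """Checks what the real endpoint checks for this grant and records every
    token it hands out in `issued`, so renewal behaviour can be observed."""
    def post(url: str, headers: Dict[str, str], body: str) -> dict:
        if not url.endswith("/oauth2/token"):
            return {"error": "invalid_request"}
        scheme, _, b64 = headers.get("Authorization", "").partition(" ")
        presented = base64.b64decode(b64).decode() if scheme == "Basic" else ""
        if presented != f"{CLIENT_ID}:{expected_secret}":
            return {"error": "invalid_client"}
        form = parse_qs(body)
        if form.get("grant_type") != ["client_credentials"]:
            return {"error": "unsupported_grant_type"}
        # Only resource-server custom scopes (identifier/name) are allowed here.
        if any("/" not in s for s in form.get("scope", [""])[0].split()):
            return {"error": "invalid_scope"}
        issued.append(f"token-{len(issued) + 1}")
        return {"access_token": issued[-1], "expires_in": 3600, "token_type": "Bearer"}
    return post


if __name__ == "__main__":
    log: List[str] = []
    client = ClientCredentialsClient("s3cret", ["photos/read"],
                                     fake_cognito_token_endpoint("s3cret", log))
    print(client.access_token())
```

The leeway matters in practice: a token that expires mid-request produces a 401 from the resource server, which is harder to handle than simply renewing a minute early. In production the transport is an HTTPS POST; the secret comes from secret_from_env or a secrets manager, and the same wrapper instance is shared so the whole service makes one token request per lifetime rather than one per call.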
Extension grant
Extension grants are a way to add support for non-standard token issuance scenarios such as token translation, delegation, or custom credentials. They let you exchange access tokens from a third-party OAuth 2.0 authorization service for access tokens from Amazon Cognito. By defining the grant type using an absolute URI (determined by the authorization server) as the value of the grant_type parameter of the token endpoint, and by adding any other parameters required, the client can use an extension grant type.
An example of an extension grant is the OAuth 2.0 device authorization grant (RFC 8628). This grant makes it possible for internet-connected devices with limited input capabilities or without a user-friendly browser (such as wearables, smart assistants, video-streaming devices, smart-home automation, and health or medical devices) to have the authorization request reviewed on a secondary device, such as a smartphone, that has better input and browser capabilities.
Some of the best practices to follow when deciding to use extension grants are:
Extension grants are for non-standard token issuance scenarios. Use them only when necessary, and thoroughly document their use and purpose.
Conduct security audits and code reviews when implementing extension grants to identify potential vulnerabilities and mitigate risks.
While Amazon Cognito does not natively support extension grants at present, the AWS Security Blog has an example implementation of the OAuth 2.0 device grant flow using AWS Lambda and Amazon DynamoDB.
Conclusion
In this blog post, we reviewed the OAuth 2.0 grants, each catering to specific application needs. The authorization code grant provides secure access for web applications (and additional protection with the PKCE extension), and the client credentials grant is ideal for machine-to-machine authentication. Amazon Cognito acts as a comprehensive identity platform, streamlining user authentication, authorization, and integration. By using these grants and the features provided by Cognito, developers can improve both the security and the user experience of their applications. For more information and examples, see OAuth 2.0 grants in the Cognito Developer Guide.
Now that you understand how to implement OAuth 2.0 grants in Amazon Cognito, see How to customize access tokens in Amazon Cognito user pools to learn about customizing access tokens to make fine-grained authorization decisions and provide a differentiated end-user experience.
If you have feedback about this post, submit comments in the Comments section below. If you have questions about this post, contact AWS Support.