Amazon-cognito-identity-js: Linking login to Cognito Authenticated Identity

Created on 22 Apr 2016 · 12 comments · Source: amazon-archives/amazon-cognito-identity-js

Hi,
I've followed all the steps and I can login with username & password, but... what's next?

After the login I'm seeing that a new Unauthenticated Identity is added in my Cognito Identity Pool. How can I link that Identity to my user?

Something like the following...? Or maybe I'm totally missing the point of this service.

   AWS.config.credentials.get(function () {
       const token = session.getIdToken().getJwtToken();
       AWS.config.credentials.params.Logins = {};
       AWS.config.credentials.params.Logins['us-east-1_U5i6fZ4XX'] = token; // ???
       AWS.config.credentials.expired = true;

       // refresh the credentials with the Logins map set
       AWS.config.credentials.get(function () {
            // now I'm using authenticated credentials
       });
   });

With any combination of Logins[] I'm trying, I get HTTP 40X from the Cognito API:

  • if using .getIdToken() I get "Issuer doesn't match providerName"
  • if using .getAccessToken() I get "Missing a required claim: aud"

Thank you!
Simone

All 12 comments

Update:
I've found this line in http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentity.html#getId-property

The available provider names for Logins are as follows:
...
Amazon Cognito Identity Provider: cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789

but no luck, I'm getting this error:
Token is not from a supported provider of this identity pool.
I've of course configured the User Pool ID in my Cognito Identity Pool.

Hi Simone,

Actually the two are different services, the Cognito Identity User Pools service and the Credentials Provider service. A blog post that introduces the functionality of the two services can be found here.

http://mobile.awsblog.com/post/TxGNH1AUKDRZDH/Announcing-Your-User-Pools-in-Amazon-Cognito

What I think you are doing is that you are authenticating with the User Pools service, in which case you get the different tokens to manage the session after which you are using the tokens with the second service which won't work. The tokens for the User Pools service are meant only to handle access to the User Pools service, to retrieve, update, delete attributes etc.

Hope it helps,

Ionut.

Thank you for your reply.
I've read the blog post and at the bottom I read:

With that association configured, getting AWS credentials in your app is as simple as providing your AWSCognitoIdentityUserPool to your AWSCognitoCredentialsProvider

That's exactly what I'm trying to do but I cannot find any example of doing this using the JS SDK.
If I can't use tokens issued by the Cognito IDP with Cognito Identity, why does the documentation state that I can use the IDP in the Logins map?

The available provider names for Logins are as follows:
...
Amazon Cognito Identity Provider: cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789

Thank you!
Simone

Hi

same issue

The flow is: successfully authenticating a username and password for a Cognito user pool and getting three tokens (id token, refresh token, access token); now trying to authenticate to AWS credentials to use other AWS services.
For Cognito user pools we have taken the login id as
"cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789"

getting the error

AWSNotAuthorizedException: Invalid login token. Missing a required claim: aud

code


cognitoUser.authenticateUser(authenticationDetails, {
    onSuccess: function (result) {

        console.log('access token + ' + result.getAccessToken().getJwtToken());

        AWS.config.credentials = new AWS.CognitoIdentityCredentials({
            IdentityPoolId: 'xxxxxxxx',
            IdentityId: 'identityid received during registration in user poolid',
            Logins: {
                'cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789': result.getAccessToken().getJwtToken()
            }
        });
        AWS.config.credentials.get(function (err) {
            // now I'm using authenticated credentials
            if (err) {
                console.log('error in autheticatig AWS' + err);
            } else {
                console.log(AWS.config.credentials.identityId);
            }
        });
    },
    onFailure: function (err) {
        console.log(err);
    }
});

I got the problem: the format for the Cognito user pools linked login is as follows.

xxxxxx in the below should be replaced with your Cognito user pool id, that is, cognito-idp.us-east-1.amazonaws.com/userpoolid

AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'YOUR_IDENTITY_POOL_ID', // placeholder: your identity pool id
    Logins: {
        'cognito-idp.us-east-1.amazonaws.com/xxxxxx': result.idToken.jwtToken
    }
});

Please update the documentation, it is really misleading: http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentity.html#getId-property

Hi Alphatiger,

Thanks for all the help!

Does this solve it for you as well Simone? The two problems I see are that you guys were literally using the example string cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789, which Alphatiger pointed out: you should replace the end with your user pool ID.

Another problem is that you were using the AccessToken instead of the idToken which Alphatiger also pointed out.

Ionut.

Okay, I've identified my problem:
I was using an "App Client ID" different from the one that I'm using in my JavaScript app (for no specific reason I created two different apps). Updating the App Client ID clears the error: "Token is not from a supported provider of this identity pool".

As a temporary workaround in the past days, to make the login work, I added an Identity Provider in IAM (see attachment) and attached it to my Cognito Identity using the OpenID tab. This way, you can also support multiple App Client IDs (by adding an "audience"), useful e.g. for key rotation etc...
[image attachment]

Thanks,
Simone

@Alphatiger @itrestian @lusentis I am getting this error when following your example (with my own credentials)

error in autheticatig AWSNotAuthorizedException: Invalid login token. Missing a required claim: aud

What could cause that?

OK, ignore my previous message.

Just for the record - this causes the error

Logins: {
    'cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx': result.getAccessToken().getJwtToken()
}

And this fixes it

Logins: {
    'cognito-idp.us-east-1.amazonaws.com/xxxxxxxx': result.idToken.jwtToken
}

It is hard to believe that AWS does not provide a working example of a Login page!!!

Has anyone been able to get Integrating User Pools with Amazon Cognito Identity to work? I'm struggling with the logins map. Is there an example that connects a user pool with a Cognito identity in Swift?

I had this same problem, tried all the solutions, and nothing. Turns out it was a simple JS mistake. Explanation here: https://stackoverflow.com/questions/2274242/using-a-variable-for-a-key-in-a-javascript-object-literal

let url = 'cognito.idp...';
Logins: { url: token }  // fails
Logins: { [url]: token }  // successful

Hope this finds you quickly ;)
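As an added example (not code from this thread or from the amazon-cognito-identity-js project), the following Node.js helper builds the Logins map the way Alphatiger's fix above describes (the provider name cognito-idp.<region>.amazonaws.com/<user pool id> as a computed key, the id token as the value) and decodes the token's claims up front so that the failures reported in this thread (wrong issuer, missing aud because the access token was passed, an app client ID the identity pool does not know) surface client-side with a clear message before any call to Cognito Identity. It also shows the computed-key point from the last comment. The region, pool id, app client id and both tokens are constructed placeholders; the tokens are unsigned because signature verification is the Cognito Identity service's job, not this code's.

```javascript
// Added example, not code from the thread or from amazon-cognito-identity-js.
// Builds the Logins map for AWS.CognitoIdentityCredentials from a user pool
// *id token* and pre-checks the claims that Cognito Identity rejects on.
// Placeholders: REGION, POOL, CLIENT and the constructed tokens below.

// Provider name Cognito Identity expects for a user pool (no scheme).
function providerName(region, userPoolId) {
  return 'cognito-idp.' + region + '.amazonaws.com/' + userPoolId;
}

// Base64url-decode a JWT payload. No signature check here: the Cognito
// Identity service verifies the signature; this is a client-side sanity check.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Returns { '<provider>': idToken } or throws with the symptom this thread
// reports for each mistake. The key is computed with [provider]; a bare
// `provider: token` would create a key literally named "provider".
function buildLogins(region, userPoolId, clientId, idToken) {
  const provider = providerName(region, userPoolId);
  const claims = decodeJwtPayload(idToken);
  if (claims.iss !== 'https://' + provider) {
    throw new Error("Issuer doesn't match providerName: " + claims.iss);
  }
  if (claims.token_use !== 'id' || typeof claims.aud !== 'string') {
    // Access tokens carry client_id instead of aud; Cognito Identity wants the id token.
    throw new Error('Missing a required claim: aud (pass the id token, not the access token)');
  }
  if (claims.aud !== clientId) {
    throw new Error('Token is not from a supported provider of this identity pool (aud ' +
      claims.aud + ' is not app client ' + clientId + ')');
  }
  return { [provider]: idToken };
}

// Constructed unsigned tokens for offline demonstration (alg "none", empty signature).
function makeUnsignedJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'none', typ: 'JWT' }) + '.' + enc(payload) + '.';
}

const REGION = 'us-east-1';
const POOL = 'us-east-1_EXAMPLE';       // placeholder user pool id
const CLIENT = 'example-app-client-id'; // placeholder app client id
const ISS = 'https://' + providerName(REGION, POOL);

const ID_TOKEN = makeUnsignedJwt({ iss: ISS, aud: CLIENT, token_use: 'id', sub: 'user-1' });
const ACCESS_TOKEN = makeUnsignedJwt({ iss: ISS, client_id: CLIENT, token_use: 'access', sub: 'user-1' });

// Wraps buildLogins so callers get { ok, logins } or { ok, error } instead of an exception.
function tryBuild(token, clientId) {
  try {
    return { ok: true, logins: buildLogins(REGION, POOL, clientId || CLIENT, token) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Usage with the AWS SDK (not executed here):
//   AWS.config.credentials = new AWS.CognitoIdentityCredentials({
//     IdentityPoolId: 'YOUR_IDENTITY_POOL_ID',
//     Logins: buildLogins(REGION, POOL, CLIENT, session.getIdToken().getJwtToken())
//   });
console.log(tryBuild(ID_TOKEN));      // ok: true, logins keyed by the provider name
console.log(tryBuild(ACCESS_TOKEN));  // ok: false, "Missing a required claim: aud ..."
```

The three checks map one-to-one onto the three error strings quoted in this thread, so a failing check tells you which configuration value to look at (user pool id in the key, id vs. access token, app client id) without a round trip to the identity pool.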
