amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up, sign-in with user profile functionality to web apps.
Apache License 2.0

Can amazon provide authorization grant flow for login with amazon by using boto3 api? #139

Open phantom-j opened 6 years ago

phantom-j commented 6 years ago

Hi, I have used the boto3 methods signup and initiate_auth to get id_token, access_token and refresh_token from my user pool.

Now I have added social login (Amazon, Google) to my user pool, to get tokens without a signup process for my users.

How do I get an authorization grant from Login with Amazon by using boto3 methods?

Can you please suggest the flow?

Integralist commented 6 years ago

Damn, I've been battling a similar thing for the last two weeks and was hoping an answer could be located in this issue 🤦‍♂️

My current understanding is that social logins for user pools can only be done using Cognito's self-hosted UI. Meaning you're constrained by what you can manipulate with CSS (we're just starting the process of testing the self-hosted UI now).

We've tried every possible way to do this without the self-hosted UI but it looks to be impossible 😞

Also, a concern with the self-hosted UI, if you want to avoid the ugly dynamic URI Cognito will generate, is that you'll need a specific AWS certificate in order to configure a custom subdomain like auth.your-site.com (fml).

phantom-j commented 6 years ago

Hi @Integralist

I can understand that you need a solution as much as I do. I have also been trying since last month.

Can you suggest the best way to get an authorization grant from LWA?

I am not building a web application; I don't have knowledge of JS and CSS. I just want to receive refresh_token and access_token from LWA, then I will use those tokens in Federated Identities to give access to my AWS resources.

Could you please help me on this?

Integralist commented 6 years ago

The id/access/refresh tokens you're asking about are what AWS calls "user pool tokens" and are only provided when you authenticate with a Cognito User Pool.

If you're trying to get those user pool tokens from a social login (e.g. facebook or google etc), then you will not be able to acquire them using Python, you'll have to use either a fully client-side solution such as Amplify or you'll have to use the AWS self-hosted UI option.

That is what we're having to do for our server-side web application. We'd spent a lot of time figuring out how to do the normal username/password login using Python and boto3 (and handling migrating users from datastore to cognito).

But now when it comes to social logins we're having to drop that code to use the self-hosted UI because there was literally no other way to achieve it 🤦‍♂️

We decided against building a client-side js application that we (as a team) have no confidence in, because the team are all server-side engineers and don't do client-side work often. So having to support and maintain a client-side app, and to build new features upon it, just for the sake of getting authentication with Cognito to work was a non-starter.

b1zantine commented 6 years ago

@jay7583 @Integralist As you guys said, you won't be able to invoke social sign-in through boto3 or other SDKs. It's because Cognito doesn't provide you with API calls to do that. Also, API calls wouldn't make sense because Cognito has to redirect users to third-party sign-in providers like Facebook, Google etc.

However, you can still skip the Hosted UI and redirect users to the respective social sign-in providers. To do this you can use the AUTHORIZATION endpoint. When you pass the identity provider name in the identity_provider parameter, Cognito redirects the user to the respective third-party sign-in directly, skipping the Hosted UI. If this parameter is not passed then the user is redirected to the Hosted UI.

https://<your-domain-prefix>.auth.<region>.amazoncognito.com/oauth2/authorize?response_type=token&client_id=<client-id>&redirect_uri=<redirect-uri>&identity_provider=Facebook

This allows you to build your own UI. When a user clicks the respective button, just redirect the user to this URL with the appropriate value for identity_provider.

The amazon-cognito-auth-js library allows you to easily handle this scenario.
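The redirect described in the comment above, as an added server-side example that is not part of this thread or of the amazon-cognito-auth-js library. It builds the /oauth2/authorize URL with the identity_provider parameter quoted in the comment and then validates the redirect Cognito sends back. The domain prefix, region, client id and redirect URI are constructed placeholders; the scope and state parameters are standard parameters of the same endpoint that the quoted URL omits, added here so the callback can be tied to the login attempt that started it.

```python
"""Cognito /oauth2/authorize redirect that bypasses the Hosted UI, plus callback
validation. Added example; not code from the issue thread or the library."""
import secrets
import urllib.parse

# Constructed placeholders (assumption): the real values come from the user
# pool's app client settings and the Cognito domain configured for the pool.
COGNITO_DOMAIN = "https://example-prefix.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def new_state() -> str:
    """Unguessable per-request state value; store it server-side before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(identity_provider: str, state: str, response_type: str = "code",
                        scope: str = "openid email", domain: str = COGNITO_DOMAIN,
                        client_id: str = CLIENT_ID, redirect_uri: str = REDIRECT_URI) -> str:
    """Return the authorize URL that sends the browser straight to the named
    provider (e.g. "Facebook" as in the thread, "Google", "LoginWithAmazon").

    response_type="code" is the Authorization Code Grant; "token" is the
    implicit grant shown in the quoted URL.
    """
    if response_type not in ("code", "token"):
        raise ValueError("response_type must be 'code' or 'token'")
    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "identity_provider": identity_provider,
        "scope": scope,
        "state": state,
    }
    return f"{domain}/oauth2/authorize?{urllib.parse.urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str, response_type: str = "code") -> str:
    """Extract the authorization code (or, for response_type=token, the access
    token) from the redirect Cognito sends back, after checking the state value.

    The code grant returns its values in the query string; the implicit grant
    returns them in the URL fragment, which only the browser sees.
    """
    parsed = urllib.parse.urlsplit(callback_url)
    raw = parsed.query if response_type == "code" else parsed.fragment
    values = dict(urllib.parse.parse_qsl(raw))
    # Reject callbacks that do not carry the state we issued (stale or forged).
    if not secrets.compare_digest(values.get("state", ""), expected_state):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in values:
        raise ValueError(f"provider returned error: {values['error']}")
    key = "code" if response_type == "code" else "access_token"
    if key not in values:
        raise ValueError(f"callback is missing {key}")
    return values[key]


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url("Facebook", state))
    # Constructed callback, as the browser would be redirected after a code grant.
    print(parse_callback(f"{REDIRECT_URI}?code=abc123&state={state}", state))
```

With response_type=code the returned code still has to be exchanged at the token endpoint from the server, which is what later comments in this thread are after; the benefit over the implicit grant in the quoted URL is that the tokens themselves never appear in the browser's address bar. The state check is what stops a callback forged or replayed by a third party from being accepted as the user's own login.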

Integralist commented 6 years ago

Thanks @SudarAbisheck for the feedback.

@jay7583 if it's of use to you I did a write up of my experiences so far with Cognito:

https://www.integralist.co.uk/posts/cognito/

ChetanBhasin commented 5 years ago

Does anyone know if there is also a way to provide user credentials (username and password) to the /login or /authorize endpoint to log in? We have a self-hosted UI, and for reasons I cannot go through we cannot use the AWS hosted UI. We need the end users to be able to log in through our API (which works fine through AWS Amplify for JavaScript), but that's only through the user SRP flow, not the Auth Code Grant.

Saraujoc92 commented 5 years ago

I have a similar issue in which I need to generate an authorization code for an Authorization Code Grant flow. I have already signed in a user to modify some attributes, so using the hosted UI is not an option. Any method to create the authorization code, either from the API or from the Amplify library, would work.