Closed Brother-Andy closed 3 months ago
Hi @Brother-Andy,
I see it is set to the session: https://github.com/mblackgeo/flask-cognito-lib/blob/main/src/flask_cognito_lib/decorators.py#L108
So you can access it using session.get("user_info") anywhere you need.
Thank you. I checked that variable following the main example. But frankly I don't know how to convert decoded values into a single JWT Id token string that can then be supplied to API Gateway or Identity Pool. Because none of these values can be used as an actual token.
Wouldn't API Gateway with Cognito Authorizer just accept access_token? I think it should.
I'm not sure why you'd need to recreate the JWT; in fact the ID token is asymmetrically signed so it's not technically possible to sign it without access to Cognito's private keys. The call that the plugin makes to the token endpoint returns the id token (as a JWT) which is validated, then decoded and stored in user_info within the session.
There's also the separate userInfo endpoint which you can call with the access token, assuming openid is one of the token scopes (which I think it is by default), if there's something else you need that's not in the id token.
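Added example, not part of the thread or of flask-cognito-lib: a sketch of why the decoded values in user_info cannot be turned back into an ID token. The sample token, key id and claims are constructed and the function names are hypothetical; the code only inspects a token and does not verify its signature.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(raw: str) -> dict:
    """Split a compact JWT and decode it WITHOUT verifying the signature."""
    parts = raw.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "token_use": claims.get("token_use"),  # Cognito sets "id" or "access"
        "claims": claims,
        "signing_input": parts[0] + "." + parts[1],
        "signature_len": len(b64url_decode(parts[2])),
    }


def reencode_claims(header: dict, claims: dict) -> str:
    """All that decoded values can rebuild: header.payload, with no signature."""
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return enc(header) + "." + enc(claims)


# Constructed sample, not a real Cognito token: the signature is 256 filler bytes.
SAMPLE_HEADER = {"kid": "example-key-id", "alg": "RS256"}
SAMPLE_CLAIMS = {"sub": "00000000-0000-0000-0000-000000000000",
                 "token_use": "id", "email": "user@example.com"}
SAMPLE_TOKEN = (reencode_claims(SAMPLE_HEADER, SAMPLE_CLAIMS)
                + "." + b64url_encode(b"\x00" * 256))

if __name__ == "__main__":
    info = inspect_jwt(SAMPLE_TOKEN)
    print(info["alg"], info["token_use"], info["signature_len"])
    rebuilt = reencode_claims(SAMPLE_HEADER, info["claims"])
    print("same signing input:", rebuilt == info["signing_input"])
    try:
        inspect_jwt(rebuilt)  # two segments only: the signature is missing
    except ValueError as exc:
        print("rejected:", exc)
```

The third segment is the RS256 signature over the first two, so only the raw string returned by the token endpoint is usable as a token; the claims alone are not.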
@lokeoke yes, API Gateway starts to access_token only after I create Cognito resource server with the custom scope and add that scope URL into the API Gateway method setting for the allowed scopes (more on that: Integrate a REST API with an Amazon Cognito user pool). Where with the id_token I can pass it right away in the header to the API Gateway method with Cognito authorizer.
@mblackgeo I tried to understand different options how I can work with your lib but continue to use id_token instead of access_token. Right now I'm able to make calls to the AWS API Gateway (thanks for the resource server). But I still need to find a way how to get id_token (this long scary string), since my FrontEnd app must have access to the Identity Pool to exchange JWT to AWS temporary credentials and Cognito Identity pool accepts only id_token.
Yes, the library doesn't support getting the id JWT directly at the moment - you could either look at performing the OAuth flow again yourself, or I'd be happy to review a PR if you want to store the raw id token alongside the access token in addition? Could also form part of @lokeoke's request raised in #38 to handle refresh tokens
In the Integrate a REST API with an Amazon Cognito user pool guide you linked, it does say:
"pass the identity or access token that's returned by Amazon Cognito when a user signs in successfully"
Have you tried using the access token?
Since release v1.9.0 (after #45) the ID token is now also stored in a cookie - this should help accessing AWS resources if needed
Hi,
It is more a clarification than the issue. Is there a way to get Id token during the runtime? Access token can be fetched from cookie but Id token is required to make calls to the AWS API Gateway with Cognito Authorizer and it also can be used to fetch AWS temporary credentials from the Cognito Identity Pool.
Regards, Andrii