In this article, we are looking for a way to create an app client in an AWS Cognito user pool that can use client credentials (client ID and client secret) to obtain a valid JWT access token from the token endpoint, and to customize that token by adding custom scopes.
This is useful when a system needs to communicate with another system (system-to-system communication) using custom scopes or custom identifiers for each app client.
1. Create an AWS Cognito user pool with any name.

2. Follow the steps for user pool creation as shown in the images below. Most of the settings are left at their defaults, except that we opt out of anything we do not need. (Here we do not care about the user login experience, as we are establishing system-to-system communication.)

3. Create an app client for the external system that will be communicating with your system. If there are multiple external systems, you will need to create one app client per system.
Make sure you choose the 'confidential client' option so that only clients that present valid client credentials can obtain a token.
Choose the 'generate client secret' option.

4. Review the settings and create the user pool.
5. Once it is created, open the user pool and go to the App integration section.
5.1 Create a Cognito domain there to host the endpoints for token retrieval. We need a URL from which a client holding valid credentials can fetch the JWT access token. Here you can choose to create a Cognito domain, or you can add your own custom domain if you have one.


5.2 Create a resource server where you can define custom scopes. The scopes defined here can be attached to different app clients, so that when a token requested by one of them is decoded, it carries the scopes attached to that client.


5.3 Attach the required scopes to the corresponding app clients. Select the app client you want to attach a scope to and edit that app client.


5.4 Once this is done, use the domain URL created before. If it is a Cognito domain, the token endpoint is `https://<domain_prefix>.auth.<region>.amazoncognito.com/oauth2/token`.
Use the client credentials (copy the client_id and client_secret from the app client information section) to fetch the JWT token from this endpoint, as shown below.
Ideally the client system will use this endpoint to fetch its own JWT token and then send that token with every API request made to your system, so that your system can validate the token and authenticate the request.

5.5 If you decode the token received in the response to this call, you can see that the scopes have been added to it.
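As an added example that is not part of the original article, the following Python script performs the client-credentials request from step 5.4 and the payload decode from step 5.5 using only the standard library. The domain prefix, region, client ID, client secret, scope names and user pool ID are placeholders. It also includes the claim checks a resource server should apply (issuer, token_use, client_id, expiry, scope) after it has verified the token's RS256 signature against the user pool's JWKS; the signature verification itself is not implemented here.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Placeholder values (not from the original article): replace with your own.
DOMAIN_PREFIX = "example-domain-prefix"
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
TOKEN_URL = f"https://{DOMAIN_PREFIX}.auth.{REGION}.amazoncognito.com/oauth2/token"
# Access tokens issued by this pool carry this issuer; its signing keys are
# published at <issuer>/.well-known/jwks.json.
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


def build_token_request(client_id, client_secret, scopes, token_url=TOKEN_URL):
    """Return (url, headers, body) for a client_credentials grant.

    The client ID and secret go in an HTTP Basic Authorization header; the
    requested custom scopes are sent space-separated in the form body.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": " ".join(scopes)}
    ).encode()
    return token_url, headers, body


def fetch_token(client_id, client_secret, scopes):
    """POST the request to the token endpoint and return the JSON response
    (access_token, token_type, expires_in). Requires network access."""
    url, headers, body = build_token_request(client_id, client_secret, scopes)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(jwt_token):
    """Decode the payload of a JWT WITHOUT verifying its signature.

    Use this only to inspect the scopes in the response. A resource server
    must verify the RS256 signature against the pool's JWKS before trusting
    any claim (for example with the PyJWT library).
    """
    _header, payload, _signature = jwt_token.split(".")
    return json.loads(_b64url_decode(payload))


def check_claims(claims, expected_issuer, expected_client_id, required_scope, now=None):
    """Claim checks to apply after the signature has been verified.
    Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        return False, "issuer mismatch"
    if claims.get("token_use") != "access":
        return False, "not an access token"
    if claims.get("client_id") != expected_client_id:
        return False, "unexpected client_id"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    granted = set(claims.get("scope", "").split())
    if required_scope not in granted:
        return False, f"missing scope {required_scope}"
    return True, "ok"


def make_unsigned_demo_token(claims):
    """Build a JWT-shaped string with an empty signature, for offline
    demonstration of decode_claims only. Real Cognito tokens are RS256-signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Live call against the placeholder pool; fails until the values are replaced.
    response = fetch_token("<client_id>", "<client_secret>", ["orders/read"])
    claims = decode_claims(response["access_token"])
    print("scopes in token:", claims.get("scope"))
    print(check_claims(claims, EXPECTED_ISSUER, "<client_id>", "orders/read"))
```

The `scope` claim in a Cognito access token is a single space-separated string, which is why `check_claims` splits it before looking for the required scope; a request for a scope that is not attached to the app client is rejected by the token endpoint with `invalid_scope` rather than silently dropped.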

Tadaaa!! ✌️ Now you have a user pool with app clients that have scopes attached to them. You can use this for authorization if needed by adding client-specific identifiers!