From 603634b9bf28243c0041c42c0cea45debe532a22 Mon Sep 17 00:00:00 2001 From: Eduardo Date: Tue, 29 Oct 2024 10:12:19 +0100 Subject: [PATCH 01/14] Adding client credentials flow to Cognito documentation --- content/en/user-guide/aws/cognito/index.md | 60 ++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index d1cc22536d..c79c10082b 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md 
@@ -330,6 +330,66 @@ Ensuring this match is crucial for the proper functioning of the authentication 'http://localhost:4566/_aws/cognito-idp/oauth2/token' {"access_token": "eyJ0eXAi…lKaHx44Q", "expires_in": 86400, "token_type": "Bearer", "refresh_token": "e3f08304", "id_token": "eyJ0eXAi…ADTXv5mA"} ``` +### Client credentials grant + +The client credentials grant is designed for machine-to-machine (M2M) communication. +In contrast, the authorization code and implicit grants provide tokens to authenticated human users. +The client credentials grant allows for scope-based authorization from a non-interactive system to an API. +Your app can directly request client credentials from the token endpoint to receive an access token. + +To request the token from LocalStack the correct URL is `http://cognito-idp.localhost.localstack-test.cloud:4566/_aws/cognito-idp/oauth2/token`. +In case that there is more than one user pool, LocalStack detects the right one by inspecting the `clientId` of the requests. + +Here is an example on how to set it up: +```sh +#Create user pool. +export pool_id=$(awslocal cognito-idp create-user-pool --pool-name test --username-configuration "CaseSensitive=False" | jq -rc ".UserPool.Id") + +#Create client user pool with a client. +export client_id=$(awslocal cognito-idp create-user-pool-client --user-pool-id $pool_id --client-name test-client --generate-secret | jq -rc ".UserPoolClient.ClientId") + +#Retrieve secret. 
+export client_secret=$(awslocal cognito-idp describe-user-pool-client --user-pool-id $pool_id --client-id $client_id | jq -r '.UserPoolClient.ClientSecret') + +#Create resource server +awslocal cognito-idp create-resource-server \ + --user-pool-id $pool_id \ + --identifier "api-client-organizations" \ + --name "vitalera API Clients Organizations Resource Server" \ + --scopes '[{"ScopeName":"read","ScopeDescription":"Read access to Organizations"}]' +``` + +Then you could retrieve the token from your application like this: + +```python +import requests, os +from requests.auth import HTTPBasicAuth + +def get_access_token_with_secret(): + client_id = os.environ['client_id'] + client_secret = os.environ['client_secret'] + scope = 'api-client-organizations/read' + url = 'http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token' + + + headers = { + 'Content-Type' : 'application/x-www-form-urlencoded' + } + + auth = HTTPBasicAuth(client_id,client_secret) + + payload = { + 'grant_type': 'client_credentials', + 'client_id':client_id, + 'scope':scope + } + response = requests.post(url,headers=headers,auth=auth,data=payload) + + print(response.content) + +if __name__ == "__main__": + get_access_token_with_secret() +``` ## Serverless and Cognito From e5f1693ecfab0c0dd2c1b6f5f568ec90244f5b23 Mon Sep 17 00:00:00 2001 From: Eduardo Date: Tue, 29 Oct 2024 10:17:41 +0100 Subject: [PATCH 02/14] Fix linting issue --- content/en/user-guide/aws/cognito/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index c79c10082b..7b3b772f6c 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md 
@@ -341,6 +341,7 @@ To request the token from LocalStack the correct URL is `http://cognito-idp.loca In case that there is more than one user pool, LocalStack detects the right one by inspecting the `clientId` of the requests. Here is an example on how to set it up: + ```sh #Create user pool. export pool_id=$(awslocal cognito-idp create-user-pool --pool-name test --username-configuration "CaseSensitive=False" | jq -rc ".UserPool.Id") From d4deffa79ad4e2a1a40f633e19bfb4af876b3a56 Mon Sep 17 00:00:00 2001 From: Eduardo Date: Tue, 29 Oct 2024 10:19:25 +0100 Subject: [PATCH 03/14] Fix linting issue --- content/en/user-guide/aws/cognito/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index 7b3b772f6c..44406cd473 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md @@ -330,6 +330,7 @@ Ensuring this match is crucial for the proper functioning of the authentication 'http://localhost:4566/_aws/cognito-idp/oauth2/token' {"access_token": "eyJ0eXAi…lKaHx44Q", "expires_in": 86400, "token_type": "Bearer", "refresh_token": "e3f08304", "id_token": "eyJ0eXAi…ADTXv5mA"} ``` + ### Client credentials grant The client credentials grant is designed for machine-to-machine (M2M) communication. @@ -357,7 +358,8 @@ awslocal cognito-idp create-resource-server \ --user-pool-id $pool_id \ --identifier "api-client-organizations" \ --name "vitalera API Clients Organizations Resource Server" \ - --scopes '[{"ScopeName":"read","ScopeDescription":"Read access to Organizations"}]' + --scopes '[{"ScopeName":"read","ScopeDescription":"Read access to Organizations"}]' + ``` Then you could retrieve the token from your application like this: From 4bf6f74c725fcd839d3eed323f0a4a7843dcba3f Mon Sep 17 00:00:00 2001 
From: eduardo <83775838+drauedo@users.noreply.github.com> Date: Wed, 30 Oct 2024 17:30:39 +0100 Subject: [PATCH 04/14] Update content/en/user-guide/aws/cognito/index.md Co-authored-by: usl-cto <73192050+usl-cto@users.noreply.github.com> --- content/en/user-guide/aws/cognito/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index 44406cd473..db2b2d7e0e 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md @@ -338,7 +338,7 @@ In contrast, the authorization code and implicit grants provide tokens to authen The client credentials grant allows for scope-based authorization from a non-interactive system to an API. Your app can directly request client credentials from the token endpoint to receive an access token. -To request the token from LocalStack the correct URL is `http://cognito-idp.localhost.localstack-test.cloud:4566/_aws/cognito-idp/oauth2/token`. +To request the token from LocalStack the correct URL is `http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token`. In case that there is more than one user pool, LocalStack detects the right one by inspecting the `clientId` of the requests. Here is an example on how to set it up: From 4d496094a6a6a11c706c8a50fc9d0fddbb96aba2 Mon Sep 17 00:00:00 2001 From: eduardo <83775838+drauedo@users.noreply.github.com> Date: Wed, 30 Oct 2024 17:33:48 +0100 Subject: [PATCH 05/14] Setting generic name on example. Co-authored-by: usl-cto <73192050+usl-cto@users.noreply.github.com> --- content/en/user-guide/aws/cognito/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index db2b2d7e0e..15af03e9b1 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md 
@@ -357,7 +357,7 @@ export client_secret=$(awslocal cognito-idp describe-user-pool-client --user-poo awslocal cognito-idp create-resource-server \ --user-pool-id $pool_id \ --identifier "api-client-organizations" \ - --name "vitalera API Clients Organizations Resource Server" \ + --name "Resource Server Name" \ --scopes '[{"ScopeName":"read","ScopeDescription":"Read access to Organizations"}]' ``` From f96c43a820a5a2dec108029e5e9e247f9ee799f8 Mon Sep 17 00:00:00 2001 From: Eduardo Date: Wed, 11 Dec 2024 16:10:39 +0100 Subject: [PATCH 06/14] Changing python script to js example --- content/en/user-guide/aws/cognito/index.md | 59 +++++++++++----------- 1 file changed, 30 insertions(+), 29 deletions(-) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index 15af03e9b1..96286da2f1 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md @@ -344,9 +344,6 @@ In case that there is more than one user pool, LocalStack detects the right one Here is an example on how to set it up: ```sh -#Create user pool. -export pool_id=$(awslocal cognito-idp create-user-pool --pool-name test --username-configuration "CaseSensitive=False" | jq -rc ".UserPool.Id") - #Create client user pool with a client. export client_id=$(awslocal cognito-idp create-user-pool-client --user-pool-id $pool_id --client-name test-client --generate-secret | jq -rc ".UserPoolClient.ClientId") 
@@ -364,34 +361,38 @@ awslocal cognito-idp create-resource-server \ Then you could retrieve the token from your application like this: -```python -import requests, os -from requests.auth import HTTPBasicAuth - -def get_access_token_with_secret(): - client_id = os.environ['client_id'] - client_secret = os.environ['client_secret'] - scope = 'api-client-organizations/read' - url = 'http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token' - - - headers = { - 'Content-Type' : 'application/x-www-form-urlencoded' - } - - auth = HTTPBasicAuth(client_id,client_secret) - - payload = { - 'grant_type': 'client_credentials', - 'client_id':client_id, - 'scope':scope +```javascript +require('dotenv').config(); +const axios = require('axios'); + +async function getAccessTokenWithSecret() { + const clientId = process.env.client_id; + const clientSecret = process.env.client_secret; + const scope = 'api-client-organizations/read'; + const url = 'http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token'; + + const authHeader = Buffer.from(`${clientId}:${clientSecret}`).toString('base64'); + + const headers = { + 'Content-Type': 'application/x-www-form-urlencoded', + 'Authorization': `Basic ${authHeader}` + }; + + const payload = new URLSearchParams({ + grant_type: 'client_credentials', + client_id: clientId, + scope: scope + }); + + try { + const response = await axios.post(url, payload, { headers }); + console.log(response.data); + } catch (error) { + console.error('Error fetching access token:', error.response ? error.response.data : error.message); } - response = requests.post(url,headers=headers,auth=auth,data=payload) - - print(response.content) +} -if __name__ == "__main__": - get_access_token_with_secret() +getAccessTokenWithSecret(); ``` ## Serverless and Cognito From 21342ddcb12105f877e2c8468838ea7736b5ab68 Mon Sep 17 00:00:00 2001 
From: Eduardo Date: Thu, 12 Dec 2024 08:57:38 +0100 Subject: [PATCH 07/14] Adding mention to internal endpoints documentation --- content/en/user-guide/aws/cognito/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index 96286da2f1..f52622ef02 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md @@ -359,7 +359,8 @@ awslocal cognito-idp create-resource-server \ ``` -Then you could retrieve the token from your application like this: +Then you can retrieve the token from your application by using the `http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token` endpoint. +For additional information on our endpoints you can check our [Internal Endpoints](https://docs.localstack.cloud/references/internal-endpoints/) documentation. ```javascript require('dotenv').config(); From 6c2f9f8cdb9a043b162f30451cbefcdda65e68d0 Mon Sep 17 00:00:00 2001 From: Eduardo Date: Thu, 12 Dec 2024 09:07:36 +0100 Subject: [PATCH 08/14] Fixing lint issue --- content/en/user-guide/aws/cognito/index.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index f52622ef02..b0015929ce 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md 
@@ -339,6 +339,8 @@ The client credentials grant allows for scope-based authorization from a non-int Your app can directly request client credentials from the token endpoint to receive an access token. To request the token from LocalStack the correct URL is `http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token`. +For additional information on our endpoints you can check our [Internal Endpoints](https://docs.localstack.cloud/references/internal-endpoints/) documentation. + In case that there is more than one user pool, LocalStack detects the right one by inspecting the `clientId` of the requests. Here is an example on how to set it up: @@ -359,8 +361,7 @@ awslocal cognito-idp create-resource-server \ ``` -Then you can retrieve the token from your application by using the `http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token` endpoint. -For additional information on our endpoints you can check our [Internal Endpoints](https://docs.localstack.cloud/references/internal-endpoints/) documentation. +Then you can retrieve the token from your application by using the mentioned endpoint: `http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token` endpoint. ```javascript require('dotenv').config(); From 3351507c2d72788b3fc19278df0d1d26d27e1baf Mon Sep 17 00:00:00 2001 From: eduardo <83775838+drauedo@users.noreply.github.com> Date: Thu, 12 Dec 2024 09:55:01 +0100 Subject: [PATCH 09/14] Update content/en/user-guide/aws/cognito/index.md Co-authored-by: MarcelStranak --- content/en/user-guide/aws/cognito/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index b0015929ce..bf18a21e82 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md 
@@ -334,7 +334,7 @@ Ensuring this match is crucial for the proper functioning of the authentication ### Client credentials grant The client credentials grant is designed for machine-to-machine (M2M) communication. -In contrast, the authorization code and implicit grants provide tokens to authenticated human users. +The Client Credentials Grant allows the machine (client) to authenticate itself directly with the authorization server using its credentials, such as a client ID and client secret. The client credentials grant allows for scope-based authorization from a non-interactive system to an API. Your app can directly request client credentials from the token endpoint to receive an access token. From 3ed93c9aa79c02351441d593c61a9fb7388ff182 Mon Sep 17 00:00:00 2001 From: eduardo <83775838+drauedo@users.noreply.github.com> Date: Thu, 12 Dec 2024 09:55:23 +0100 Subject: [PATCH 10/14] Update content/en/user-guide/aws/cognito/index.md Co-authored-by: MarcelStranak --- content/en/user-guide/aws/cognito/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index bf18a21e82..113d453ad1 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md 
@@ -338,7 +338,7 @@ The Client Credentials Grant allows the machine (client) to authenticate itself The client credentials grant allows for scope-based authorization from a non-interactive system to an API. Your app can directly request client credentials from the token endpoint to receive an access token. -To request the token from LocalStack the correct URL is `http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token`. +To request the token from the LocalStack URL, use the following endpoint: `://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token`. For additional information on our endpoints you can check our [Internal Endpoints](https://docs.localstack.cloud/references/internal-endpoints/) documentation. In case that there is more than one user pool, LocalStack detects the right one by inspecting the `clientId` of the requests. From 9de479d1ca311c49ab37a6476aef23266962332f Mon Sep 17 00:00:00 2001 From: eduardo <83775838+drauedo@users.noreply.github.com> Date: Thu, 12 Dec 2024 09:55:30 +0100 Subject: [PATCH 11/14] Update content/en/user-guide/aws/cognito/index.md Co-authored-by: MarcelStranak --- content/en/user-guide/aws/cognito/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index 113d453ad1..d14a34daec 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md 
@@ -341,7 +341,7 @@ Your app can directly request client credentials from the token endpoint to rece To request the token from the LocalStack URL, use the following endpoint: `://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token`. For additional information on our endpoints you can check our [Internal Endpoints](https://docs.localstack.cloud/references/internal-endpoints/) documentation. -In case that there is more than one user pool, LocalStack detects the right one by inspecting the `clientId` of the requests. +If there are multiple user pools, LocalStack identifies the appropriate one by examining the `clientid` of the request. Here is an example on how to set it up: From cd4583d95efcb1c69d4f2b52b5867b9ba1ff8d28 Mon Sep 17 00:00:00 2001 From: eduardo <83775838+drauedo@users.noreply.github.com> Date: Thu, 12 Dec 2024 09:55:49 +0100 Subject: [PATCH 12/14] Update content/en/user-guide/aws/cognito/index.md Co-authored-by: MarcelStranak --- content/en/user-guide/aws/cognito/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index d14a34daec..834e0bd29e 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md @@ -343,7 +343,7 @@ For additional information on our endpoints you can check our [Internal Endpoint If there are multiple user pools, LocalStack identifies the appropriate one by examining the `clientid` of the request. -Here is an example on how to set it up: +To get started, follow the example below: ```sh #Create client user pool with a client. From 29b354fda2202f9048b92d0dce6fc9bf0b3b79bc Mon Sep 17 00:00:00 2001 
From: eduardo <83775838+drauedo@users.noreply.github.com> Date: Thu, 12 Dec 2024 09:56:03 +0100 Subject: [PATCH 13/14] Update content/en/user-guide/aws/cognito/index.md Co-authored-by: MarcelStranak --- content/en/user-guide/aws/cognito/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index 834e0bd29e..cb89aa3916 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md @@ -361,7 +361,7 @@ awslocal cognito-idp create-resource-server \ ``` -Then you can retrieve the token from your application by using the mentioned endpoint: `http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token` endpoint. +You can retrieve the token from your application using the specified endpoint: `http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token`. ```javascript require('dotenv').config(); From a6c696f9b82b5b190bd99327091e46d6a83b8101 Mon Sep 17 00:00:00 2001 From: eduardo <83775838+drauedo@users.noreply.github.com> Date: Thu, 12 Dec 2024 09:56:17 +0100 Subject: [PATCH 14/14] Update content/en/user-guide/aws/cognito/index.md Co-authored-by: MarcelStranak --- content/en/user-guide/aws/cognito/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index cb89aa3916..2069e55c7e 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md 
@@ -339,7 +339,7 @@ The client credentials grant allows for scope-based authorization from a non-int Your app can directly request client credentials from the token endpoint to receive an access token. To request the token from the LocalStack URL, use the following endpoint: `://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token`. -For additional information on our endpoints you can check our [Internal Endpoints](https://docs.localstack.cloud/references/internal-endpoints/) documentation. +For additional information on our endpoints, refer to our [Internal Endpoints](https://docs.localstack.cloud/references/internal-endpoints/) documentation. If there are multiple user pools, LocalStack identifies the appropriate one by examining the `clientid` of the request.
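Review bot: (PATCH 01/14, the hunk that adds the client credentials section) the Python example ends with `print(response.content)`, which writes the entire token response, `access_token` included, to stdout; parse the JSON and return `access_token` from `get_access_token_with_secret()` instead of printing it, since readers copying this pattern into an application will end up with bearer tokens in their logs. The same hunk sets `client_id` and `client_secret` with `export` in the shell block and then reads them with `os.environ[...]`, which only works when the script is run from that same shell session; say so explicitly.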
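Review bot: (PATCH 06/14, first hunk) removing the `export pool_id=$(awslocal cognito-idp create-user-pool ...)` line leaves `$pool_id` undefined for the `create-user-pool-client`, `describe-user-pool-client` and `create-resource-server` commands that remain in the block, so the example no longer runs as written; either keep the pool creation step or state that `pool_id` must already be set from an earlier section of the page.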
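Review bot: (PATCH 06/14, second hunk) `console.log(response.data)` logs the full token response including `access_token`; have `getAccessTokenWithSecret()` return the token and leave logging out of the example. Also, `require('dotenv').config()` reads `client_id` and `client_secret` from a `.env` file, but the shell setup above only uses `export`, so readers need to be told to write a `.env` file or drop the `dotenv` line. Since the `Authorization: Basic` header carries the client secret and the URL is plain `http://`, one sentence noting that this is acceptable only because the target is a local LocalStack endpoint would keep the snippet from being reused unchanged elsewhere.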
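Review bot: (PATCH 09/14) after this change two consecutive sentences both state that the client credentials grant "allows" something, with inconsistent capitalization (`The Client Credentials Grant` versus `The client credentials grant`); merge them into one sentence and keep the lowercase form used by the heading.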
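Review bot: (PATCH 10/14) the replacement line drops the scheme from the endpoint, leaving `://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token`; it should read `http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token` as in the removed line and in the JavaScript example. The context lines of PATCH 11/14 and PATCH 14/14 show the broken URL is still present in the final state of the series.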
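Review bot: (PATCH 11/14) `clientId` was changed to `clientid`, but neither spelling matches what the examples actually send: the form body uses `client_id` (the Python `payload` and the JavaScript `URLSearchParams`), and the Basic auth username is the same client ID. Name the field `client_id` so readers know which request value LocalStack uses to select the user pool.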