AWS Cognito SSO Integration with Python
This is an AWS Cognito SSO implementation using OAuth 2.0, following the article at the URL below:
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
First, we need to obtain a code, and we need the Client ID and Client Secret. Open the URL below:
https://AUTH_DOMAIN/login?client_id=XXXXXXXXXX&response_type=code&scope=email+openid&redirect_uri=http://localhost/test/sso_check
The URL above will redirect back to the redirect URL with the code in the query string.
Note: The code is valid for a single transaction only.
Get the access token using the code, as described below:
Make the request below:
This will return the response below:
From the above response, we need to use the id_token to get the user information:
- id_token – A valid user pool ID token. Note that an ID token is only provided if the openid scope was requested.
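The code exchange and the id_token read described above, as an added example that is not code from the original post. It builds the POST to the Cognito hosted domain's `/oauth2/token` endpoint and checks the ID token's `token_use`, `aud` and `exp` claims. The function names are hypothetical, `AUTH_DOMAIN` and the client values are placeholders, and the sample token is constructed and unsigned.

```python
import base64
import json
import time
from urllib.parse import urlencode

def build_token_request(auth_domain, client_id, client_secret, code, redirect_uri):
    """Return (url, headers, body) for the Cognito /oauth2/token code exchange."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": f"Basic {basic}",  # client secret stays server-side
    }
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,                  # single use; a replayed code is rejected
        "redirect_uri": redirect_uri,  # must match the value sent to /login
    })
    return f"https://{auth_domain}/oauth2/token", headers, body

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def read_id_token_claims(id_token, client_id, now=None):
    """Decode the id_token payload and check token_use, aud and exp."""
    # The signature is NOT verified here: check it against the user pool JWKS first.
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token")
    if claims.get("aud") != client_id:
        raise ValueError("token was issued to a different app client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token has expired")
    return claims

def make_sample_id_token(claims):
    """Constructed, unsigned sample token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    sample = make_sample_id_token({"token_use": "id", "aud": "XXXXXXXXXX",
                                   "email": "user@example.com", "exp": 2000000000})
    print(build_token_request("AUTH_DOMAIN", "XXXXXXXXXX", "SECRET", "CODE", "http://localhost/test/sso_check")[2])
    print(read_id_token_claims(sample, "XXXXXXXXXX", now=1700000000)["email"])
```

Send the returned URL, headers and body with any HTTP client; the `id_token` field of the JSON response is what `read_id_token_claims` expects.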