如何使用 boto3 在 Python 中以管理员身份从 AWS Cognito 获取 JWT 访问令牌？

Question

I am trying to write an API test in Python for my web service. I would like to avoid using the password of the test user from my AWS Cognito pool. My strategy for this, and let me know if there's a better way here, is to require that the API test be run with Cognito admin privileges. Then use the boto3 library to get the JWT AccessToken for the user which I will add to the header of every request for the API test.

The documentation doesn't seem to give me a way to get the AccessToken. I'm trying to use this here: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cognito-idp.html#CognitoIdentityProvider.Client.admin_initiate_auth

admin_initiate_auth needs one of three auth modes. USER_PASSWORD_AUTH requires the password, USER_SRP_AUTH requires a client secret, CUSTOM_AUTH requires a secret hash. I'm hoping to find a way to write this script so that I just need to have the right IAM privileges and not need to check in a public test user password.

Or... I guess... be told that this is not a great way to be doing this and that another way is more appropriate. The end goal is to have an API black box test for a service that is secured by Cognito.

Answer 1

For my own project, I was also thinking a similar strategy to test Cognito-protected APIs.

I think making a temporary user with a random password for each test run is a fair approach.

To create a user from command line, I think there are simpler cognito API calls, which are sign-up and admin-confirm-sign-up provided in cognito-idp CLI tool. With this, you can skip the steps to resolve the challenges and the user is ready to use.

If you want to use boto3, here is a simple function to create a new user:

def create_user(username: str, password: str, 
                user_pool_id: str, app_client_id: str) -> None:
    client = boto3.client('cognito-idp')

    # initial sign up
    resp = client.sign_up(
        ClientId=app_client_id,
        Username=username,
        Password=password,
        UserAttributes=[
            {
                'Name': 'email',
                'Value': 'test@test.com'
            },
        ]
    )

    # then confirm signup
    resp = client.admin_confirm_sign_up(
        UserPoolId=user_pool_id,
        Username=username
    )

    print("User successfully created.")

Then, to obtain JWT,

def authenticate_and_get_token(username: str, password: str, 
                               user_pool_id: str, app_client_id: str) -> None:
    client = boto3.client('cognito-idp')

    resp = client.admin_initiate_auth(
        UserPoolId=user_pool_id,
        ClientId=app_client_id,
        AuthFlow='ADMIN_NO_SRP_AUTH',
        AuthParameters={
            "USERNAME": username,
            "PASSWORD": password
        }
    )

    print("Log in success")
    print("Access token:", resp['AuthenticationResult']['AccessToken'])
    print("ID token:", resp['AuthenticationResult']['IdToken'])

Answer 2

If the API test must be secured using Cognito, you're always going to need some kind of password. The best way I can think of to avoid storing it is to create a temporary user before running the test suite, and then delete it when finished.

You can use AdminCreateUser to accomplish this. Generate a new password at runtime and pass it as the temporary password for the user, along with SUPRESS specified for MessageAction . The temporary password is good for one login, which is all you need in this use case. Then you can run AdminInitiateAuth with the ADMIN_NO_SRP_AUTH auth mode, specifying your generated password. Cleanup with AdminDeleteUser after the tests have finished.

Answer 3

To expand on @xlem's answer and @mmachenry's comment with an example:

Using the Cognito client of AWS SDK

1. "AdminCreateUser" flow will create the user.
2. "AdminSetPassword" will clear the FORCE_PASSWORD_CHANGE state
3. "AdminInitiateAuth" will return the token

@pytest.fixture()
def given_a_new_user_token(request):
    client = boto3.client("cognito-idp")
    user_pool_id = "eu-west-2_xxxxxxxxx"
    username = f"test_user-{uuid.uuid4().hex}"
    temp_pwd = f"{uuid.uuid4().hex}"
    ci_test_client_id, secret_hash = get_cognito_secrets(username)

    user_response = client.admin_create_user(
        UserPoolId=user_pool_id,
        Username=username,
        UserAttributes=[
            {"Name": "email", "Value": f"{username}@example.com"},
        ],
        TemporaryPassword=temp_pwd,
        ForceAliasCreation=False,
        MessageAction="SUPPRESS",
        DesiredDeliveryMediums=[
            "EMAIL",
        ],
    )
    assert user_response["ResponseMetadata"]["HTTPStatusCode"] == 200

    def delete_user():
        client.admin_delete_user(
            UserPoolId=user_pool_id,
            Username=username,
        )

    request.addfinalizer(delete_user)

    set_pwd_response = client.admin_set_user_password(
        UserPoolId=user_pool_id,
        Username=username,
        Password=temp_pwd,
        Permanent=True
    )
    assert set_pwd_response["ResponseMetadata"]["HTTPStatusCode"] == 200

    auth_info = client.admin_initiate_auth(
        UserPoolId=user_pool_id,
        ClientId=ci_test_client_id,
        AuthFlow="ADMIN_NO_SRP_AUTH",
        AuthParameters={
            "USERNAME": username,
            "PASSWORD": temp_pwd,
            "SECRET_HASH": secret_hash,
        },
    )
    assert auth_info["ResponseMetadata"]["HTTPStatusCode"] == 200

    return auth_info["AuthenticationResult"]["AccessToken"]


def get_cognito_secrets(username: str) -> Tuple[str, str]:

    ci_test_client_id = "client_id_xxxxxxx"
    ci_test_client_secret = "client_secret_xxxxx"

    # convert str to bytes
    key = bytes(ci_test_client_secret, 'latin-1')
    msg = bytes(username + ci_test_client_id, 'latin-1')

    new_digest = hmac.new(key, msg, hashlib.sha256).digest()
    secret_hash = base64.b64encode(new_digest).decode()
    return ci_test_client_id, secret_hash