带有 Spring Boot 的 AWS Cognito 用户池服务器端流程

Question

I want to implement AWS Cognito server side flow with spring boot. I don't quite understand what the flow should be. Should I use spring oauth along with it ?

Requirement is something like this. As an admin create user and give access to these created users to use my API from API Gateway (Let's ignore API Gateway part and say we just need access token from cognito for now)

Here is what I think should happen if I use AWS cognito with spring oauth2

user hits localhost:8000/oauth/token - with basic authentication (username and password) which will do an API call with user credentials. User receives the token and uses it however he/she needs it.

1. Is this flow secure ? Should I use spring oauth along ?
2. How to handle respond to auth challenge ? Should user pass new password for first time when calling my application API ?

@RestController
public class Oauth {


    @PostMapping(path = "/oauth/token")
    public AdminInitiateAuthResult token(@RequestHeader("username") String username, @RequestHeader("password") String password) {

        AWSCognitoIdentityProvider provider = AWSCognitoIdentityProviderClientBuilder
                .standard()
                .withRegion(Regions.US_WEST_2)
                .withCredentials(new AWSStaticCredentialsProvider()).build();


        Map<String, String> authParams = new HashMap<>();

        authParams.put("USERNAME", username);
        authParams.put("PASSWORD", password);

        AdminInitiateAuthRequest adminInitiateAuthRequest = new AdminInitiateAuthRequest()
                .withClientId("{client-id}")
                .withUserPoolId("{user-pool-id}")
                .withAuthFlow(AuthFlowType.ADMIN_USER_PASSWORD_AUTH)
                .withAuthParameters(authParams);

        AdminInitiateAuthResult authResult = provider.adminInitiateAuth(adminInitiateAuthRequest);
        return authResult.getAuthenticationResult().getIdToken();
    }

}

Answer 1

Business requirement is quite simple there needs to be a pool of users (cognito in this case) who can get some kind of a token to access few APIs. I want to achieve this using spring boot, since the API is written using spring boot and also I use AWS Api Gateway

Should I use spring oauth along with it ?

No. Authorization is done by API Gateway.
API clients need to obtain token from Cognito (ie authenticate themselves there) before using API. There is no need to do anything on application (Spring) side.
Details are here .

If you want to implement authentication for API clients using Cognito, then see Cognito docs for examples and manuals.
FYI Application Load Balancer can be used to handle all authentication flow for API.