是否可以使用访问令牌访问 AWS Cognito API？

Question

I have a simple application consisting of two modules - OAuth2 client (Spring Cloud Gateway) and OAuth2 resource. I use AWS Cognito as an identity provider. Some users with specific roles should be able to create/update/delete other Cognito users.

I'm going to use aws-java-sdk-cognitoidp library for integration with AWS Cognito API, but I need to make this calls as a current logged-in user, to be able to check user's groups and IAM roles. Because users from different groups should have different privileges.

I found AWSSessionCredentialsProvider that seems suitable for this task, but there is no implementation.

I implemented this provider to get access token from the SecurityContext . When I call the API I get an error:

The security token included in the request is invalid

Is it possible to use user's access token as a credentials for AWSCognitoIdentityProvider ?

Answer 1

I used to have app to login with given user with his credentials -

AWSCognitoIdentityProvider cognitoIdentityProvider = AWSCognitoIdentityProviderClientBuilder
                .standard()
                .withCredentials(new AWSStaticCredentialsProvider(getSDKCredentials()))
                .withRegion(Regions.fromName(getAwsRegion()))
                .build();

    Map<String,String> params =new HashMap<>();
        params.put("USERNAME", userName);
        params.put("PASSWORD", passCode);

    AdminInitiateAuthRequest initialRequest=new AdminInitiateAuthRequest()
            .withAuthFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
            .withAuthParameters(params)
            .withClientId(getClientId())
            .withUserPoolId(getUserPoolId());

    AdminInitiateAuthResult response = cognitoIdentityProvider.adminInitiateAuth(initialRequest);

this will return your response where you have session. check if it helps-