- AWS Cognito user pool with users
- Setup AWS Cognito Domain or custom domain (Detailed instructions below)
- AWS Cognito / User pool / App Integration also called “client” (Detailed instructions below)
(Feel free to skip to the section: Setup AWS Cognito User pool)
Postman https://www.postman.com/ is a popular API development and testing tool used by developers to build, test, and document APIs quickly and easily. It provides a user-friendly interface that simplifies the process of sending HTTP requests, testing responses, and validating APIs.
About AWS Cognito
AWS Cognito https://aws.amazon.com/cognito/ is a fully managed identity service provided by Amazon Web Services. It provides user authentication, authorization, and user management functionality, making it easy for developers to add user sign-up, sign-in, and access control to their applications.
OAuth2 is an authorization framework used to secure APIs and web applications. It provides a standardized way for applications to access user resources on behalf of the user without requiring the user’s credentials to be shared with the application.
There are multiple ways to get the access token with OAuth2:
- Authorization Code Grant: This grant type is used by web applications to obtain access tokens from an authorization server on behalf of a user. The user is redirected to the authorization server’s login page, and after successful authentication, the authorization server issues an authorization code that the client can exchange for an access token.
- Implicit Grant: This grant type is used by single-page applications (SPAs) to obtain access tokens from an authorization server. The access token is issued directly to the client without the need for an authorization code exchange. The implicit grant is less secure than the authorization code grant, as the access token is exposed in the browser.
- Resource Owner Password Credentials Grant: This grant type is used when the client already has the user’s username and password and wants to obtain an access token from the authorization server. This grant type is often used by trusted clients such as mobile or desktop applications.
- Client Credentials Grant: This grant type is used when the client needs to access its own resources rather than user resources. The client provides its client ID and secret to the authorization server, and the server issues an access token to the client.
- Refresh Token Grant: This grant type is used to obtain a new access token from the authorization server using a refresh token that was issued with a previous access token. The refresh token can be used to obtain a new access token without requiring the user to re-authenticate.
Authorization Code Grant
Is the Authorization Code Grant the right way to generate a token for testing your API? The short answer is no: it requires a user to log in manually. For automated testing with Postman / Newman I would prefer to use the Implicit Grant. That said, the Authorization Code Grant is used in many cases to give third-party apps access to an API.
In this guide we will cover only the Authorization Code Grant, although with some modifications you could enable some of the other grants.
1. Setup AWS Cognito User pool – App integration
Go to your AWS Cognito User pool and click the [App integration] tab.
1. Create the Cognito Domain or custom domain
In the Domain section, click the “Actions” dropdown button and select “Create Cognito domain”.
The result will look something like https://(user_pool_name).auth.(aws_region).amazoncognito.com. Take note of it.
2. Create or setup an App Integration or Client
Scroll down to the “App clients and analytics” section.
Note: If you already have an App client you can use it.
If you do not have an App client, create one by clicking [Create app client].
| Setting | Value |
|---|---|
| App type | Public client |
| App client name | Postman or anything you need |
| Client secret | Don’t generate a client secret (React only supports clients without a secret at the time of writing) |
| Authentication flows | ALLOW_CUSTOM_AUTH, ALLOW_USER_SRP_AUTH |
| Identity providers | Cognito user pool |
| OAuth 2.0 grant types | Authorization code grant |
Click [Create app client] and take note of the client ID.
Collection > Authorization tab
Section: Configure New Token
Tab: Configuration options
| Field | Value |
|---|---|
| Grant Type | Authorization Code |
| Authorize using browser | Checked |
| Auth URL | The domain name generated in (1) + /login, i.e. https://(user_pool_name).auth.(aws_region).amazoncognito.com/login |
| Access Token URL | The domain name generated in (1) + /oauth2/token, i.e. https://(user_pool_name).auth.(aws_region).amazoncognito.com/oauth2/token |
| Client ID | The client ID generated in (2) |
| Client Authentication | Send client credentials in body |
Get New Access Token
To get a new access token from AWS Cognito for use in Postman, go to the Authorization tab and click the orange [Get New Access Token] button.
Postman opens a new browser tab at the Auth URL you configured, where you can log in. After login, Cognito redirects you to oauth.pstmn.io with an authorization code. That site asks for permission to open Postman, which reads the authorization code from the URI, sends it to the Access Token URL and exchanges it for an Access Token and an ID Token.
Now you are ready to call your API with Postman.
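The three steps above (browser login at the Auth URL, redirect to oauth.pstmn.io with a code, exchange at the Access Token URL) are what Postman does for you. The following is an added example, not code from the article or from Postman or AWS, that reproduces the same exchange in plain Python so each message can be inspected, and also builds the refresh-token request from the grant overview earlier in the article. It goes slightly beyond the Postman configuration shown: it binds the login attempt to a `state` value and adds PKCE (`code_challenge`/`code_verifier`), which Cognito accepts for public clients without a secret. The domain, client ID, callback URL, code and tokens are constructed placeholders; the callback path is assumed and should be copied from the Callback URL shown in Postman's Authorization tab.

```python
import base64
import hashlib
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: use the domain noted in step (1), the client ID from
# step (2) and the callback URL displayed in Postman's Authorization tab.
COGNITO_DOMAIN = "https://my-pool.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "1234567890abcdefghijklmnop"
REDIRECT_URI = "https://oauth.pstmn.io/v1/callback"  # assumed Postman callback path

AUTH_URL = COGNITO_DOMAIN + "/login"          # "Auth URL" in the Postman table
TOKEN_URL = COGNITO_DOMAIN + "/oauth2/token"  # "Access Token URL" in the Postman table
FORM_HEADERS = {"Content-Type": "application/x-www-form-urlencoded"}


def code_challenge(verifier: str) -> str:
    """PKCE S256 challenge: BASE64URL(SHA256(verifier)) without '=' padding (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Fresh verifier/challenge pair; the verifier stays on the client until the token request."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 range RFC 7636 allows
    return verifier, code_challenge(verifier)


def build_auth_url(state: str, challenge: str, scope: str = "openid") -> str:
    """Step 1: the URL Postman opens in the browser (Grant Type = Authorization Code)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,  # random per login attempt, checked again on the redirect
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTH_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: extract the authorization code from the redirect Cognito sends to oauth.pstmn.io.
    Rejects error responses and redirects whose state does not match this login attempt."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect does not belong to this login attempt")
    return query["code"][0]


def build_token_request(code: str, verifier: str):
    """Step 3: exchange the code at the token endpoint. Public client, so client_id travels in
    the body ("Send client credentials in body") and there is no client secret."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the redirect_uri used in step 1
        "code_verifier": verifier,
    }
    return TOKEN_URL, body, dict(FORM_HEADERS)


def build_refresh_request(refresh_token: str):
    """Refresh Token Grant: new access and ID tokens without another browser login."""
    body = {"grant_type": "refresh_token", "client_id": CLIENT_ID, "refresh_token": refresh_token}
    return TOKEN_URL, body, dict(FORM_HEADERS)


def post_form(url: str, body: dict, headers: dict) -> dict:
    """Send a token request (real network call, not exercised offline) and parse the JSON reply."""
    req = urllib.request.Request(url, data=urlencode(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def bearer_header(access_token: str) -> dict:
    """What Postman attaches to each API request once the token has been obtained."""
    return {"Authorization": f"Bearer {access_token}"}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("Open in browser:", build_auth_url(state, challenge))
    # Constructed redirect, shaped like the one the browser receives after login:
    fake_redirect = REDIRECT_URI + "?" + urlencode({"code": "CODE-FROM-COGNITO", "state": state})
    code = parse_callback(fake_redirect, state)
    url, body, headers = build_token_request(code, verifier)
    print("POST", url, body)
    # post_form(url, body, headers) would return access_token, id_token and refresh_token.
```

Running the script prints the login URL and the token request without contacting Cognito; `post_form` performs the real exchange once the placeholders are replaced. The `state` check is the part Postman hides from you: a redirect carrying a code for a different login attempt is discarded rather than exchanged.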