Security in digital world

in AWS, Basic security, Security

OAuth2: Postman with AWS Cognito with Authorization code grant


  1. AWS Cognito user pool with users
  2. Postman
  3. Setup AWS Cognito Domain or custom domain (Detailed instructions below)
  4. AWS Cognito / User pool / App Integration also called “client” (Detailed instructions below)

Basic concepts

(Feel free to skip to the section: Setup AWS Cognito User pool)

About Postman

Postman is a popular API development and testing tool used by developers to build, test, and document APIs quickly and easily. It provides a user-friendly interface that simplifies the process of sending HTTP requests, testing responses, and validating APIs.

About AWS Cognito

AWS Cognito is a fully managed identity service provided by Amazon Web Services. It provides user authentication, authorization, and user management functionality, making it easy for developers to add user sign-up, sign-in, and access control to their applications.

About Oauth2

OAuth2 is an authorization framework used to secure APIs and web applications. It provides a standardized way for applications to access user resources on behalf of the user without requiring the user’s credentials to be shared with the application.

There are multiple ways to get the access token with OAuth2:

Authorization Code Grant: This grant type is used by web applications to obtain access tokens from an authorization server on behalf of a user. The user is redirected to the authorization server’s login page, and after successful authentication, the authorization server issues an authorization code that the client can exchange for an access token.

Implicit Grant: This grant type is used by single-page applications (SPAs) to obtain access tokens from an authorization server. The access token is issued directly to the client without the need for an authorization code exchange. The implicit grant is less secure than the authorization code grant, as the access token is exposed in the browser.

Resource Owner Password Credentials Grant: This grant type is used when the client already has the user’s username and password and wants to obtain an access token from the authorization server. This grant type is often used by trusted clients such as mobile or desktop applications.

Client Credentials Grant: This grant type is used when the client needs to access its own resources rather than user resources. The client provides its client ID and secret to the authorization server, and the server issues an access token to the client.

Refresh Token Grant: This grant type is used to obtain a new access token from the authorization server using a refresh token that was issued with a previous access token. The refresh token can be used to obtain a new access token without requiring the user to re-authenticate.

Authorization Code Grant

Is Authorization code grant the right way to generate a token for testing of your API? The short answer is no. There is a need to have a user logging manually. For automated tested with Postman / Newman I would prefer to use Implicit Grant. Although, Authorization Code Grant is used in many cases to give third party apps access to an API.

In this guide we will cover only Authorization Code Grant although, with some modifications you could enable some of the other grants.

1. Setup AWS Cognito User pool – App integration

Go to your AWS Cognito User pool and click in the [App integration] tab.

1. Create the Cognito Domain or custom domain

In domain section Click on the “Actions ^” dropdown button and select “Create Cognito Domain”.

The result will look something like: https://(user_pool_name).auth.(aws_region) Take a note of it.

2. Create or setup an App Integration or Client

Scroll down to the “App clients and analytics” section.

Note: If you already have a App client you can use it.

If you do not have an App Client, create one clicking [Create app client].

App TypePublic client
App client namePostman or anything you need
Client secretDon’t generate a client secret
React only supports clients without secret at the time of the article.
Identity providersCognito user pool
OAuth 2.0 grant typesAuthorization code grant

Click on [Create app client] and annotate the client_id code.


Collection > Authorization tab

TypeOAuth 2.0
Section: Configure New Token
Tab: Configuration options
Token NameAuthorization
Grant TypeAuthorization Code
Check Authorize using browser
Auth URLhttps://(user_pool_name).auth.(aws_region)
The domain name generated in (1) + /login
Access Token URLhttps://(user_pool_name).auth.(aws_region)
The domain name generated in (1) + /auth2/token
Client iddsf2132312sfdfasfds12312
The client id generated in (2)
Client AuthenticationSend client credentials in body

Get New Access Token

To get a new access token from AWS Cognito to use in Postman you just need to go to the Authorization tab. Then, click the orange button [Get New Access Token].

Postman will open a new browser tab to the Auth URL you have setup, where you can log in. After, Cognito will redirect you to with an authorization code. The site would request permission to open Postman, which will read the authorization code from the URI and send it to Access Token URL and exchange for an Access Token and Id Token.

Now you are ready to call your API with Postman.

Write a Comment