
Client Credentials Flow On AWS Cognito

Onurcan Yılmaz
3 min read · Oct 13, 2023

Client Credentials is one of the grant types defined by the OAuth 2.0 authorization framework (RFC 6749, section 4.4). Also known as the Client Credentials Flow, it lets an application or service obtain an access token with its own credentials instead of acting on behalf of a specific user. No user signs in and no user consent is involved: the token identifies the calling application.

The Client Credentials flow works with two pieces of information:

  1. Client ID: a public identifier for the application or service. It is presented to the authorization server together with the Client Secret when requesting a token.
  2. Client Secret: a secret known only to the owner of the application. It is sent to the authorization server with the Client ID and is what actually authenticates the client, so it must be treated like a password: keep it out of source code and client-side code, load it from a secrets manager, and rotate it if it leaks.

The client credentials flow is mainly used for machine-to-machine communication, for example a backend service or a scheduled job calling an API, or a third-party service that integrates with yours.

Let's assume we already have a user pool, created with email as the sign-in attribute. User pool creation will be covered in another article.

Create A Cognito Domain

A Cognito domain is the hostname at which the user pool's OAuth 2.0 endpoints are published. For the client credentials flow the only endpoint we need is the token endpoint, which for a domain prefix in eu-central-1 looks like this:

https://your_domain_url.auth.eu-central-1.amazoncognito.com/oauth2/token

Creating A Resource Server

A resource server is the API the access token will be presented to; the OAuth 2.0 terminology is defined in RFC 6749.

RFC 6749 — The OAuth 2.0 Authorization Framework (ietf.org)

In Cognito, a resource server has an identifier and one or more custom scopes. A custom scope is what the client will request and what the token will carry, in the form resource_server_identifier/scope_name (for example your_resource_server/order.write, which is the scope that appears in the decoded token later in this article). Add at least one custom scope to the resource server.

Creating An App Client

An app client is the user pool resource that represents your application and holds its OAuth 2.0 configuration.

Let's create an app client for the client credentials flow:

  • Give the app client a name.
  • Enable "Generate a client secret". For this flow the secret is not optional: Cognito only issues tokens under the client credentials grant to an app client that has a client secret.
  • The remaining settings can stay at their defaults for now.

Hosted UI Settings

The Hosted UI section (under the app client) is where the app client's OAuth 2.0 settings live, including the allowed grant types and scopes. The hosted sign-in pages themselves are not used by this flow, since no user signs in.

Under "OAuth 2.0 grant types" select Client Credentials. Then, under custom scopes, select the scope created on the resource server earlier. Only scopes selected here can be requested by this app client; a request for any other scope is rejected by the token endpoint.

Testing

All is set. Now let's open Postman and prepare the request for the client credentials flow: a POST to the token endpoint above, with the Client ID and Client Secret sent as HTTP Basic authentication, a Content-Type of application/x-www-form-urlencoded, and a body containing grant_type=client_credentials and scope=your_resource_server/order.write.

When we send the request we should see a result like this:

{
  "access_token": "eyJraWQiOiJhUWZhRjBGXC9zSVIzeXJFN3.....",
  "expires_in": 3600,
  "token_type": "Bearer"
}

The access token is a JWT. Decoding its payload (this only reads the claims; it does not verify the signature) gives:

{
  "iat": 1697231443,
  "jti": "de9ae793-e07f-4e65-8160-861b066a2dab",
  "sub": "252uq7hon84ch86tc2vob",
  "scope": "your_resource_server/order.write",
  "auth_time": 1697231443,
  "exp": 1697235043,
  "token_use": "access",
  "version": 2,
  "client_id": "my_client_id",
  "iss": "https://cognito-idp.eu-central-1.amazonaws.com/your_user_pool_id"
}
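As an added example, not code from the original article, the following Python script builds the same token request the Postman step sends and then checks the claims of the decoded access token the way a resource server should before it trusts the token. The endpoint, issuer, client ID, client secret and scope values are placeholders, and the sample token is constructed from the payload shown above with no real signature, so the script runs offline. Note that the `token_use`, `client_id`, `scope`, `exp` and `iss` checks are what distinguish a valid client-credentials token for this API from any other JWT signed by the same user pool; Cognito access tokens carry no `aud` claim, so `client_id` plays that role.

```python
import base64
import json
import time
import urllib.request
from urllib.parse import urlencode

# Placeholder values for illustration; none of these are real Cognito identifiers.
TOKEN_URL = "https://your_domain_url.auth.eu-central-1.amazoncognito.com/oauth2/token"
ISSUER = "https://cognito-idp.eu-central-1.amazonaws.com/your_user_pool_id"
CLIENT_ID = "my_client_id"
CLIENT_SECRET = "replace-me"  # load from a secrets manager in real code
SCOPE = "your_resource_server/order.write"


def build_token_request(client_id, client_secret, scope):
    """Build headers and form body for the client_credentials grant.

    Cognito accepts the client id and secret as HTTP Basic credentials
    (RFC 6749 section 2.3.1); grant type and scope go in the form body.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return headers, body


def request_token(token_url=TOKEN_URL, client_id=CLIENT_ID,
                  client_secret=CLIENT_SECRET, scope=SCOPE):
    """POST to the token endpoint and return the parsed JSON (network call)."""
    headers, body = build_token_request(client_id, client_secret, scope)
    req = urllib.request.Request(token_url, data=body.encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token):
    """Return the JWT payload WITHOUT verifying the signature.

    Use this only to inspect a token. A resource server must verify the
    signature against the user pool's JWKS (ISSUER + "/.well-known/jwks.json")
    before acting on any claim.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def validate_access_token_claims(claims, expected_iss, expected_client_id,
                                 required_scope, now=None):
    """Enforce the claims that matter for this API; returns (ok, reason).

    'scope' is a space-separated list, and there is no 'aud' claim in a
    Cognito access token, so 'client_id' is checked instead.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    if claims.get("token_use") != "access":
        return False, "not an access token"
    if claims.get("client_id") != expected_client_id:
        return False, "unexpected client_id"
    if required_scope not in claims.get("scope", "").split():
        return False, "missing scope " + required_scope
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    return True, "ok"


# Constructed sample: the payload from the article wrapped in an unsigned JWT
# so decode_claims() can be exercised offline. Not a token issued by Cognito.
SAMPLE_CLAIMS = {
    "iat": 1697231443,
    "jti": "de9ae793-e07f-4e65-8160-861b066a2dab",
    "sub": "252uq7hon84ch86tc2vob",
    "scope": "your_resource_server/order.write",
    "auth_time": 1697231443,
    "exp": 1697235043,
    "token_use": "access",
    "version": 2,
    "client_id": "my_client_id",
    "iss": ISSUER,
}
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode()),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    _b64url_encode(b"no-real-signature"),
])


if __name__ == "__main__":
    # Pretend "now" is shortly after iat so the constructed sample is still valid.
    claims = decode_claims(SAMPLE_TOKEN)
    print(validate_access_token_claims(claims, ISSUER, CLIENT_ID, SCOPE, now=1697231500))
```

To exercise the real endpoint, set the placeholder constants and call `request_token()`; the returned JSON has the same shape as the response shown above. On the API side, run a proper JWT signature check against the JWKS first and only then apply `validate_access_token_claims`, with `now` left unset so the current clock is used.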

Conclusion

AWS Cognito gives you a managed OAuth 2.0 authorization server, and the Client Credentials flow is the right grant when a service, not a person, needs to call your API. With a Cognito domain, a resource server with custom scopes, and an app client that has a client secret and the client credentials grant enabled, a caller can exchange its Client ID and Client Secret for a short-lived access token whose scope claim limits what it may do. The resource server then needs only to verify the token's signature and check its issuer, token_use, client_id, scope and expiry, which makes this flow a good fit for API-to-API access and automation.
