1

I'm looking at the Java SDK https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html

and the valid values for the required Auth flow are

Valid Values: USER_SRP_AUTH | REFRESH_TOKEN_AUTH | REFRESH_TOKEN | CUSTOM_AUTH | ADMIN_NO_SRP_AUTH

on an initial login (say the user is already signed up and logs in with a username and password).

I imagine I would want to use the REFRESH_TOKEN to refresh a token but where does the initial token come from? What would an example initiateAuth call look like?

irregular

1 Answer

2

An example InitiateAuth call (in AWS CLI) would look like:

aws cognito-idp initiate-auth --client-id 1jtj0a0peedlgfdhml3dr5t8j --auth-flow USER_SRP_AUTH --auth-parameters USERNAME=myuser,SRP_A=''

This call requires an SRP_A parameter which needs to be calculated. After this call, you get a CHALLENGE in the response and would need to make a RespondToAuthChallenge API call. Again, this would need a calculated value, and generating it is pretty cumbersome. You would need to use some third-party libraries (Python or Node.js) to calculate SRP_A and the challenge response parameter. That's why it is always recommended to use the AWS Mobile SDKs (JavaScript, Android, iOS) for making the InitiateAuth call. These SDKs abstract away these low-level API calls & calculations. You just need to set some parameters & call a function.

That being said, if you still want to make InitiateAuth API calls (direct HTTP calls or AWS CLI calls), take a look at this Stack Overflow post. You will get an idea about SRP calculations. Also, check out this Python library called Warrant, especially this page.

Also, the doc you referenced is the REST API reference, not the Java SDK.

agent420
  • I read here that AdminInitiateAuthFlow could be used instead https://stackoverflow.com/questions/41648831/amazon-cognito-authflow to avoid the SRP_A calculations – irregular Feb 08 '18 at 15:32
  • Yes but unlike InitiateAuth it requires AWS credentials and is not a public API – agent420 Feb 08 '18 at 17:03
  • Also, it seems the refreshToken generated by the InitiateAdminAuth isn't valid and the OP wants to use the refresh token. https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-admin-authentication-flow – Jason Anderson Mar 29 '21 at 16:54
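
The SRP_A calculation the answer refers to, as an added Python example (not part of the original answer and not AWS SDK code). It assumes the group parameters used by the open-source Cognito SRP clients, namely the 3072-bit RFC 3526 prime and generator 2; the function names are hypothetical, and it shows the InitiateAuth step only.

```python
import json
import secrets


def _arctan_inv(x, one):
    """arctan(1/x) scaled by `one`, via the alternating series in integers."""
    power = one // x
    total, n, sign, x2 = power, 3, -1, x * x
    while power:
        power //= x2
        total += sign * (power // n)
        n, sign = n + 2, -sign
    return total


def rfc3526_group15():
    """RFC 3526 3072-bit prime:
    2^3072 - 2^3008 - 1 + 2^64 * (floor(2^2942 * pi) + 1690314)."""
    guard = 64                                   # extra bits absorb rounding error
    one = 1 << (2942 + guard)
    pi_scaled = 4 * (4 * _arctan_inv(5, one) - _arctan_inv(239, one))  # Machin
    return (1 << 3072) - (1 << 3008) - 1 + (((pi_scaled >> guard) + 1690314) << 64)


N = rfc3526_group15()   # assumption: the modulus Cognito SRP clients use
G = 2                   # assumption: the generator Cognito SRP clients use


def make_srp_a(a=None):
    """Return (a, A). `a` is the client's ephemeral secret and must be kept
    in memory for the later RespondToAuthChallenge computation."""
    if a is None:
        a = secrets.randbelow(N - 2) + 1         # CSPRNG, never `random`
    A = pow(G, a, N)
    if A % N == 0:                               # SRP forbids A = 0 (mod N)
        raise ValueError("invalid SRP_A")
    return a, A


def initiate_auth_request(client_id, username, A):
    """Body of an InitiateAuth call; SRP_A is sent as a hex string."""
    return json.dumps({
        "AuthFlow": "USER_SRP_AUTH",
        "ClientId": client_id,
        "AuthParameters": {"USERNAME": username, "SRP_A": format(A, "x")},
    })


if __name__ == "__main__":
    a, A = make_srp_a()
    print(initiate_auth_request("1jtj0a0peedlgfdhml3dr5t8j", "myuser", A))
```

The same hex value is what would go into `SRP_A=` in the CLI call above; the secret `a` never leaves the client.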