Hacking Cognito


AWS Cognito is a managed AWS service that controls access to AWS resources from your application. Cognito covers two major use cases.

  1. User Pools: Cognito manages the users of your application, including sign-in, sign-up and forgotten-password flows, and therefore stores all user data. AWS runs the whole user directory; the developer only needs to create a user pool in Cognito.

  2. Federated Identity Pools: identity pools that give authenticated and unauthenticated (guest) users temporary credentials for AWS resources.

Cognito User flow

The diagram shows how Cognito works for an end application. The user first signs in against the user pool and receives tokens (an ID token, an access token and a refresh token) from Cognito. The application then presents the ID token to the identity pool, which maps it to an IdentityId and returns temporary AWS credentials (an access key, secret key and session token issued through STS) for calling AWS services.

User Pools

User pools in Cognito manage the users of your application and let you configure the sign-in and sign-up flows, along with the redirect after successful authentication.

The screenshot below shows a user pool called securitylabs-articles along with its user pool ID.

The App Integration tab lists the app clients, each of which has a client ID (CLIENT_ID).

Federated Identity Pools

Federated identity pools control what AWS access the authenticated and unauthenticated users of the application receive, through the IAM roles attached to the pool.

The screenshot shows the identity pool ID.

Every identity created in the pool is listed in the Identity browser. As the screenshot below shows, a user with IdentityId us-east-2:85c7b6de-3a15-4b0a-a799-20df485734ab recently logged in to the application successfully.

Clicking on the IdentityId reveals the user pool (the linked login) the user was associated with.

Cognito Authentication

Cognito allows both authenticated and unauthenticated access to the AWS resources behind the application.

Unauthenticated Cognito Access

For unauthenticated Cognito access you only need the IDENTITY_POOL_ID; with it you can fetch temporary STS credentials for an unauthenticated (guest) identity. This works only when the identity pool has unauthenticated identities enabled, and the credentials carry whatever permissions the pool's unauthenticated IAM role grants, so anyone who finds the pool ID in the client-side code gets that access.

import boto3

IDENTITY_POOL_ID = "us-east-2:aac74edd-4d2c-4b8a-bb87-2064fc9ccd5b"
client = boto3.client('cognito-identity', region_name='us-east-2')
# GetId without a Logins map creates (or returns) an unauthenticated guest identity
_id = client.get_id(IdentityPoolId=IDENTITY_POOL_ID)['IdentityId']
# Credentials holds AccessKeyId, SecretKey, SessionToken and Expiration for that identity
credentials = client.get_credentials_for_identity(IdentityId=_id)['Credentials']


Authenticated Cognito Access

In AWS Cognito, authentication against the user pool is handled by AWS; once it succeeds, the user pool returns an ID token (IdToken), which can later be exchanged at the identity pool for the STS credentials associated with the logged-in user.

In this example we use the USER_PASSWORD_AUTH flow, which lets applications log the user in with an email address and password. This flow has to be enabled on the app client (ALLOW_USER_PASSWORD_AUTH); if it is not, initiate_auth rejects the request. If the app client was created with a client secret, the request must also carry a SECRET_HASH computed from the username, client ID and secret.

For example, let the app client ID for the user pool be 1mf96jsi4jhs31qg2bq7p4lken and the credentials be securitylabs-articles@securitylabs.tech : vKEX@7Ti. With these we can initiate authentication and obtain the IdToken.

import boto3
client = boto3.client("cognito-idp", region_name="us-east-2")
response = client.initiate_auth(
    ClientId='1mf96jsi4jhs31qg2bq7p4lken',
    AuthFlow="USER_PASSWORD_AUTH",
    AuthParameters={"USERNAME": 'securitylabs-articles@securitylabs.tech', 'PASSWORD': 'vKEX@7Ti'},
)
# AuthenticationResult is absent when the pool answers with a ChallengeName (e.g. NEW_PASSWORD_REQUIRED) instead
tokenid = response['AuthenticationResult']['IdToken']

Once the IdToken is obtained, we use it to fetch the IdentityId. Let's assume the IdentityPoolId for the application is us-east-2:aac74edd-4d2c-4b8a-bb87-2064fc9ccd5b and the Cognito user pool ID is us-east-2_rIJHISTX7. The key of the Logins map is the user pool's issuer, cognito-idp.<region>.amazonaws.com/<user pool ID>, so the region in the key must match the region of the user pool.

identity = boto3.client('cognito-identity', region_name='us-east-2')
identity_id = identity.get_id(IdentityPoolId='us-east-2:aac74edd-4d2c-4b8a-bb87-2064fc9ccd5b', Logins={'cognito-idp.us-east-2.amazonaws.com/us-east-2_rIJHISTX7': tokenid})['IdentityId']

Once we have the IdentityId (the identity's own ID, not the pool ID), we can fetch the STS credentials.

# the same Logins map is required again; the identity pool verifies the IdToken before issuing credentials
credentials = identity.get_credentials_for_identity(IdentityId=identity_id, Logins={'cognito-idp.us-east-2.amazonaws.com/us-east-2_rIJHISTX7': tokenid})['Credentials']
access_key = credentials['AccessKeyId']
secret_key = credentials['SecretKey']
session_token = credentials['SessionToken']

We have now obtained temporary STS credentials for an authenticated user, which by default carry the permissions of the identity pool's authenticated IAM role.
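The two flows above, the guest flow and the USER_PASSWORD_AUTH flow, put together as one script. This is an added example and not the article's own code: the helper names (secret_hash, logins_key, unauthenticated_credentials, authenticated_credentials) are mine, the boto3 clients are passed in as parameters so the helpers can also be exercised offline, and the only pool and client identifiers used are the ones quoted in the article. It adds the three things the article's snippets leave out: the SECRET_HASH that app clients with a client secret require (AWS's documented Base64(HMAC-SHA256(secret, username + client_id))), detection of an unanswered challenge such as NEW_PASSWORD_REQUIRED, and derivation of the Logins key from the IdToken's iss claim so the region and pool ID can never be mistyped.

```python
import base64
import hashlib
import hmac
import json


def secret_hash(username, client_id, client_secret):
    """SECRET_HASH that app clients with a client secret require in AuthParameters:
    Base64(HMAC-SHA256(key=client_secret, message=username + client_id))."""
    digest = hmac.new(client_secret.encode("utf-8"),
                      (username + client_id).encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature. We only read the
    issuer from it; the identity pool verifies the token when we present it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def logins_key(id_token):
    """The Logins map key is the token issuer minus the scheme, e.g.
    cognito-idp.us-east-2.amazonaws.com/us-east-2_rIJHISTX7. Deriving it from
    the token avoids hand-typing the wrong region or pool ID."""
    iss = jwt_claims(id_token)["iss"]
    if not iss.startswith("https://cognito-idp."):
        raise ValueError("not a Cognito user pool issuer: %s" % iss)
    return iss[len("https://"):]


def unauthenticated_credentials(identity, identity_pool_id):
    """Guest flow: needs nothing but the identity pool ID. Works only when the
    pool has unauthenticated identities enabled; otherwise get_id raises
    NotAuthorizedException."""
    identity_id = identity.get_id(IdentityPoolId=identity_pool_id)["IdentityId"]
    return identity.get_credentials_for_identity(IdentityId=identity_id)["Credentials"]


def authenticated_credentials(idp, identity, identity_pool_id, client_id,
                              username, password, client_secret=None):
    """USER_PASSWORD_AUTH against the user pool, then exchange the IdToken at
    the identity pool for temporary AWS credentials."""
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    resp = idp.initiate_auth(ClientId=client_id, AuthFlow="USER_PASSWORD_AUTH",
                             AuthParameters=params)
    if "ChallengeName" in resp:
        # e.g. NEW_PASSWORD_REQUIRED or SOFTWARE_TOKEN_MFA: no tokens yet, the
        # challenge has to be answered with respond_to_auth_challenge first.
        raise RuntimeError("unanswered challenge: " + resp["ChallengeName"])
    id_token = resp["AuthenticationResult"]["IdToken"]
    logins = {logins_key(id_token): id_token}
    # The IdentityId returned here (not the pool ID) is what
    # get_credentials_for_identity expects.
    identity_id = identity.get_id(IdentityPoolId=identity_pool_id,
                                  Logins=logins)["IdentityId"]
    return identity.get_credentials_for_identity(IdentityId=identity_id,
                                                 Logins=logins)["Credentials"]


if __name__ == "__main__":
    import boto3  # only needed for a live run, not for the helpers above
    region = "us-east-2"
    idp = boto3.client("cognito-idp", region_name=region)
    identity = boto3.client("cognito-identity", region_name=region)
    pool = "us-east-2:aac74edd-4d2c-4b8a-bb87-2064fc9ccd5b"
    creds = authenticated_credentials(
        idp, identity, pool, "1mf96jsi4jhs31qg2bq7p4lken",
        "securitylabs-articles@securitylabs.tech", "vKEX@7Ti")
    print(creds["AccessKeyId"], creds["SessionToken"][:16] + "...")
```

Pass client_secret only when the app client actually has one; Cognito rejects a SECRET_HASH sent to a client without a secret just as it rejects a missing one. The jwt_claims helper deliberately skips signature verification because the token is not being trusted by this code, only forwarded; anything that relies on the claims itself (an API behind the application, for instance) must verify the signature against the user pool's JWKS.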
