AWS Cognito — Client credentials flow .NET 6

AWS Cognito User pool creation

Navigate to the AWS Cognito service page

Click on create user pool

Step 1: Configure sign-in experience

Select Email and click next

Step 2: Configure security requirements

• Under password policy select cognito defaults
• Under Multi-factor authentication select No MFA
• Under User account recovery select Enable self-service account recovery and then Email Only
• Click next

Step 3: Configure sign-up experience

Keep all selections as default and click next

Step 4: Configure message delivery

Select Send email with Cognito and keep the rest of the configuration as default then click next

Step 5: Integrate your app

• Configure the User pool name with your preferred naming convention
• Select Confidential client
• Configure the App client name
• Click next

Step 6: Review and create

• Review your configuration
• Click Create user pool

User Pools

See your created user pool

Application configuration and resource server creation

Navigate to your created user pool

Navigate to the App Integration tab

Step 1: Create Domain

• On the Domain section click on Actions and then click on Create Cogniro domain
• Enter a unique domain prefix
• Click Create Cognito domain

Step 2: Create Resource server

• Click Create resource server
• Configure the resource server name and identifier
• Create custom scopes for your application to use when authenticating
• Click create resource server

Step 3: Configure client application

• Select the app client you created
• Under Hosted UI click edit
• Under Hosted sign-up and sign-in pages select the identity provider cognito user pool
• Select Client Credentials OAuth 2.0 Grant type
• Select the custom scope you created and want to assign to the application
• Click Save changes

Create Weather API

Step 1: Create API

Create a API project if you don’t have one

Step 2: Add NuGet packages

Add the following NuGet packages:

• https://www.nuget.org/packages/Amazon.AspNetCore.Identity.Cognito/
• https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer/

Step 3: Setup auth in Program.cs

Add this block of code to the Program.cs under the builder.

builder.Services.AddCognitoIdentity();

builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.Authority = builder.Configuration["AWSCognito:Authority"];
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
                ValidateAudience = false
    };
});

Add the following under app.UseHttpsRedirection(); in Program.cs

app.UseAuthentication();
app.UseAuthorization();

Add the following using's to the Program.cs

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

Your Program.cs will end up looking like this when you’re done.

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.

builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen();

builder.Services.AddCognitoIdentity();

builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.Authority = builder.Configuration["AWSCognito:Authority"];
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        ValidateAudience = false
    };
});

var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())
{
    app.UseSwagger();
    app.UseSwaggerUI();
}

app.UseHttpsRedirection();

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();

app.Run();

Step 4: Setup configuration file

Add this section to the appsettings.Development.json file

This URL for the authority is made up of the following

https://cognito-idp.{region}.amazonaws.com/{userpoolid}

  "AWSCognito": {
    "Authority": "[https://cognito-idp](https://cognito-idp/).{region}.amazonaws.com/{userpoolid}"
  }

You can find the user pool id in AWS on the Amazon Cognito page under user pools

Step 5: Add authorize attribute to GetWeatherForecast endpoint

In the WeatherForecastController.cs add the Authorize attribute to the GetWeatherForecast endpoint and add Microsoft.AspNetCore.Authorization to the usings.

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace AWSCognitoWeatherAPI.Controllers
{
    [ApiController]
    [Route("[controller]")]
    public class WeatherForecastController : ControllerBase
    {
        private static readonly string[] Summaries = new[]
        {
        "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
    };

        private readonly ILogger<WeatherForecastController> _logger;

        public WeatherForecastController(ILogger<WeatherForecastController> logger)
        {
            _logger = logger;
        }

        [Authorize]
        [HttpGet(Name = "GetWeatherForecast")]
        public IEnumerable<WeatherForecast> Get()
        {
            return Enumerable.Range(1, 5).Select(index => new WeatherForecast
            {
                Date = DateTime.Now.AddDays(index),
                TemperatureC = Random.Shared.Next(-20, 55),
                Summary = Summaries[Random.Shared.Next(Summaries.Length)]
            })
            .ToArray();
        }
    }
}

Call the Weather Forecast API using Postman

Step 1: Create new collection

• Create a new collection for the API
• Add new request to the collection for the weather forcast endpoint (https://localhost:7214/WeatherForecast)

Step 2: Setup Collection Auth

• Click on the Weather Forcast API collection and navigate to the Authorization tab
• From the Type dropdown select OAuth 2.0
• In the Configure New Token Section give the token a name
• In Grant Type dropdown select Client Credentials
• In the app integration section of the user pool in AWS get the domain url
• Add the domain to the Access Token URL section in postman and append it with /oauth2/token
• Get the client id from the client app in AWS
• Get the client secret from the client app in AWS
• Get the custom scope form the Hosted UI
• Add the clientid, client secret and scope in postman
• Click get new access token
• Click use token on the pop-up
• On the Weather Forecast request under the Authorization tab ensure the Type is set to Inherit auth from parent.

Step 3: Call the Weather API

Click send on the weather forecast request to get the response on the API

It’s as easy as that !🎉

You can have a look at the repo below to find the full codebase.
https://github.com/Bassonrichard/aws-cognito-weather-api

Comments

[Arlemi]

The last image doesn't load for me. :( Great article otherwise!

[Richard Basson]

I will try fix it , the editor bugged out a bit with all the images 😁

[Ivan Kovalenko]

How to create controller for sign up and sign in? :)