ExAzureCore. Auth. FederationTokenProvider. AwsCognito
(ex_azure_core v0.2.0)
Copy Markdown
AWS Cognito implementation for federated token provider.
Supports both basic and enhanced authentication flows for retrieving identity tokens from AWS Cognito Identity pools.
Authentication flows
:basic- callsGetOpenIdTokenwith an existing CognitoIdentityId.:enhanced- callsGetOpenIdTokenForDeveloperIdentitywith the identity pool id and a:loginsmap (developer-authenticated identities).
Pinning a Cognito IdentityId in the enhanced flow
In the enhanced flow the first argument is the identity pool id, not a
Cognito IdentityId. By default GetOpenIdTokenForDeveloperIdentity resolves
the developer-user-identifier from :logins to an existing identity, or
creates a new one when none matches. That implicit resolve-or-create runs on
every token refresh, so a new identity can be minted whenever resolution
fails, and the OIDC token's subject (the IdentityId) drifts away from the
one that was federated into Azure.
Pass :cognito_identity_id to pin the exact identity established at setup. It
is forwarded as the IdentityId argument so Cognito reuses that identity
instead of resolving or creating one per refresh:
AwsCognito.get_token(pool_id,
auth_type: :enhanced,
logins: %{"your-developer-provider" => client_id},
cognito_identity_id: "us-east-1:12345678-1234-1234-1234-123456789012"
)