ExAzureCore.Auth.FederationTokenProvider.AwsCognito (ex_azure_core v0.2.0)

Copy Markdown

AWS Cognito implementation for federated token provider.

Supports both basic and enhanced authentication flows for retrieving identity tokens from AWS Cognito Identity pools.

Authentication flows

  • :basic - calls GetOpenIdToken with an existing Cognito IdentityId.
  • :enhanced - calls GetOpenIdTokenForDeveloperIdentity with the identity pool id and a :logins map (developer-authenticated identities).

Pinning a Cognito IdentityId in the enhanced flow

In the enhanced flow the first argument is the identity pool id, not a Cognito IdentityId. By default GetOpenIdTokenForDeveloperIdentity resolves the developer-user-identifier from :logins to an existing identity, or creates a new one when none matches. That implicit resolve-or-create runs on every token refresh, so a new identity can be minted whenever resolution fails, and the OIDC token's subject (the IdentityId) drifts away from the one that was federated into Azure.

Pass :cognito_identity_id to pin the exact identity established at setup. It is forwarded as the IdentityId argument so Cognito reuses that identity instead of resolving or creating one per refresh:

AwsCognito.get_token(pool_id,
  auth_type: :enhanced,
  logins: %{"your-developer-provider" => client_id},
  cognito_identity_id: "us-east-1:12345678-1234-1234-1234-123456789012"
)