AWS Cognito Integration

[cjmyles]

It would be great if there was some instructions on how to set up AWS Cognito to work correctly with this library, as I currently cannot get the authentication to work with my Nest app. I am making a few assumptions and would appreciate any advice on what I am doing wrong. I am using Nest to create a Rest API.

I have created a new user pool in AWS Cognito, and I have created a new app within this user pool. I have then copied the user pool id and client pool ids to the env file which are then being referenced in the auth instantiation (as per the instructions).

I have a controller which I can confirm returns a response. I then wrap the controller with the @Authentication decorator and have confirmed that the response is now protected.

I am using Postman to generate an access token. This relies on my app having a hosted ui with the relevant Postman callback URLs registered. I then pass the access token in the request header as a bearer token. However, I receive the following response:

{
  "message": "Authentication failed.",
  "statusCode": 401
}

I can put together a sample app if it's easier, but I thought there might be something obvious I am doing wrong?

[Lokicoule]

The Wiki provides a basic way to configure AWS Cognito for testing the library. You can use it as a reference, but keep in mind that it's the simplest configuration and shouldn't be used in production.

Could you share your configuration for the Advanced app client settings? A misconfigured authentication flow might be causing the issue.

Additionally, when passing the bearer token, are you following the convention and including it in the headers as Authorization: Bearer ${token}?

[cjmyles]

Thanks for the link! I've created this repo to provide a better example of the code I'm using. I've followed your instructions to create the user pool and the app, but now without a hosted UI I can't seem to generate an access token.

Separetly, in my original app client I noticed that I'm using the default authentication flows variables of ALLOW_REFRESH_TOKEN_AUTH and ALLOW_USER_SRP_AUTH rather than ALLOW_REFRESH_TOKEN_AUTH and ALLOW_USER_PASSWORD_AUTH that you have. I've updated mine to be the same but it still doesn't work.

This is what the headers look like:

Hope that helps?

[Lokicoule]

Thank you for the repo, there is nothing wrong, it's working fine when passing the access token.

The issue is located inside your AWS Cognito configuration.

[cjmyles]

Thanks @Lokicoule. I think I found the issue - when I configure the CognitoAuthModule in my app.module.ts file, I have the tokenUse value set to id, however when I'm passing the bearer token I'm passing the access token not the id token. If I pass the id token this works fine.

However, this assumes that I can genereate an id token outside the implementation of this library. At the moment, I do that via the Postman OAuth2 Authorisation which uses a Hosted UI with a custom domain configured within my User Pool. My question is, does the nestjs-cognito library support authentication and authorization (via Cognito) or does it simply exist to validate tokens and grant access to resources with the assumption that the token is generated elsewhere?

What I want to do is build an API using NestJS and your Cognito library to authenticate a user (via email and password) then grant access to resources. Otherwise I'd have to use something like the @aws-sdk/client-cognito-identity-provider to authenticate the user (this guide explains it well) and [nestjs-cognito](https://github.com/Lokicoule/nestjs-cognito) to protect the resources. However, this requires me configuring 2 separate libraries to use the same User Pool which seems like a duplication of effort.