AWS API Authentication Service
Authentication
Your 47Lining Enterprise PaaS - Preview Deployment uses AWS Cognito for authentication and authorization. The process begins by passing in your credentials; authorization tokens are then generated for you to use in all subsequent requests.
Authenticate
The first step is to generate tokens from Cognito. The Cognito InitiateAuth endpoint takes your user name, client ID and client secret and returns the tokens used in the subsequent steps (see the Cognito InitiateAuth API reference).
The pre-step to authenticating is to generate a SECRET_HASH value: the Base64 encoding of an HMAC-SHA256, keyed with the app client secret, over the user name concatenated with the app client ID (no separator). Substitute your own values for the three variables:
echo -n "${COGNITO_USER_NAME}${APP_CLIENT_ID}" | openssl dgst -sha256 -hmac "${APP_CLIENT_SECRET}" -binary | base64
Create an aws.json file to use; in this example it is kept in a config sub-directory. Ensure the values match your information.
{
"AuthParameters" : {
"USERNAME" : "YourUser",
"PASSWORD" : "YourPassword",
"SECRET_HASH":"Computed Base64 Hash Value"
},
"AuthFlow" : "USER_PASSWORD_AUTH",
"ClientId" : "Cognito ClientId",
"UserPoolId": "Cognito UserPoolId"
}
curl -X POST -H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' -H 'Content-Type: application/x-amz-json-1.1' \
-d @config/aws.json \
https://cognito-idp.us-east-1.amazonaws.com > initiateAuth-response.json
This populates the file initiateAuth-response.json in the following format, with content similar to this:
{
"AuthenticationResult": {
"AccessToken": "abcxyz",
"ExpiresIn": 3600,
"IdToken": "defuvw",
"RefreshToken": "ghijkl",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}
In the subsequent OSDU™ API calls, the AccessToken is sent in the Authorization header.
The following command sets an environment variable that can be used to construct the Authorization header required for HTTP requests (jq -r prints the raw string, so no quotes need stripping):
export ACCESS_TOKEN=$(jq -r '.AuthenticationResult.AccessToken' initiateAuth-response.json)
The script auth.sh, shown below, can also be used to set the environment variable in a more automated manner if desired.
#!/bin/bash
# Authenticate against Cognito with the credentials in config/aws.json and save the response.
curl -X POST --data @config/aws.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-1.amazonaws.com > initiateAuth-response.json
# Export the access token for subsequent OSDU API calls (jq -r returns the raw string, no quotes).
export ACCESS_TOKEN=$(jq -r '.AuthenticationResult.AccessToken' initiateAuth-response.json)
As another option, you can obtain a value for ACCESS_TOKEN from the 47Lining Preview Deployment Portal. When logged into the Portal, click the arrow in the upper right of the screen next to your user name and select "Copy Token". Assign the copied value to the environment variable used by these scripts:
export ACCESS_TOKEN='<paste-token-here-inside-single-quotes>'
Refresh Authentication Tokens
Once authenticated, tokens typically last for 60 minutes. Once they expire, they can be refreshed, typically for up to 30 days. To obtain refreshed tokens, call the same InitiateAuth endpoint with the REFRESH_TOKEN_AUTH flow, providing your user authentication information including the current REFRESH_TOKEN. Create config/aws-refresh.json with the following content; the refresh.sh script below can then be called from other scripts prior to calling endpoints to make sure the tokens are up to date.
{
"AuthParameters" : {
"USERNAME" : "Your Cognito User Name",
"PASSWORD" : "Your User Password",
"SECRET_HASH": "Computed Base64 Hash Value",
"REFRESH_TOKEN" : "Refresh Token generated during original authentication"
},
"AuthFlow" : "REFRESH_TOKEN_AUTH",
"ClientId" : "Your Cognito ClientId",
"UserPoolId": "Your Cognito UserPoolId"
}
#!/bin/bash
# Read the refresh token issued by the original InitiateAuth call.
export REFRESH_TOKEN=$(jq -r '.AuthenticationResult.RefreshToken' initiateAuth-response.json)
# Inject the current refresh token into the request body so the placeholder value in
# config/aws-refresh.json is not what gets sent; curl reads the body from stdin (@-).
jq --arg rt "$REFRESH_TOKEN" '.AuthParameters.REFRESH_TOKEN = $rt' config/aws-refresh.json \
| curl -s -X POST --data @- \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-1.amazonaws.com > initiateAuth-refresh.json
# Export the refreshed access token for subsequent OSDU API calls.
export ACCESS_TOKEN=$(jq -r '.AuthenticationResult.AccessToken' initiateAuth-refresh.json)
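The following helpers, added here as an example and not part of the 47Lining or OSDU documentation, cover the two steps above that scripts most often get wrong: computing the SECRET_HASH from the pre-step, and deciding from the AccessToken's exp claim whether refresh.sh needs to run before an endpoint is called. The function names cognito_secret_hash, jwt_exp and token_expired are this example's own; it assumes bash with openssl, base64, jq and date available.

```shell
#!/bin/bash
# Added example, not part of the 47Lining/OSDU documentation. Helper functions
# for the Cognito flow above. Function names are this example's own.
# Requires bash, openssl, base64, jq and date.

# SECRET_HASH = Base64( HMAC-SHA256( key = app client secret,
#                                    message = user name + app client id ) )
# The two inputs are concatenated with no separator, exactly as in the
# echo -n command in the SECRET_HASH step above.
cognito_secret_hash() {
  local user_name="$1" client_id="$2" client_secret="$3"
  printf '%s%s' "$user_name" "$client_id" \
    | openssl dgst -sha256 -hmac "$client_secret" -binary \
    | base64 | tr -d '\n'
}

# Print the "exp" claim (Unix seconds) of a JWT such as the Cognito AccessToken.
# The payload is the second dot-separated field, base64url-encoded and unpadded,
# so restore the standard alphabet and padding before decoding.
jwt_exp() {
  local payload
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr -- '-_' '+/')
  while [ $(( ${#payload} % 4 )) -ne 0 ]; do payload="${payload}="; done
  printf '%s' "$payload" | base64 -d 2>/dev/null | jq -r '.exp // empty' 2>/dev/null || true
}

# Succeed (exit 0) when the token is expired or expires within $2 seconds
# (default 60), so a caller can refresh ahead of the 60-minute lifetime.
# Anything that does not carry a numeric exp claim is treated as expired.
token_expired() {
  local exp now skew="${2:-60}"
  exp=$(jwt_exp "$1")
  case "$exp" in ''|*[!0-9]*) return 0 ;; esac
  now=$(date +%s)
  [ $(( exp - skew )) -le "$now" ]
}

# Usage from a calling script, with ACCESS_TOKEN set as shown above
# (refresh.sh is sourced so its exports land in the current shell):
#   if token_expired "$ACCESS_TOKEN"; then . ./refresh.sh; fi
```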