This is almost a direct port of `capless/warrant`.
All crypto functions are tested against equivalent values produced by warrant, so the SRP primitives (A value, password-verifier proof, HKDF, HMAC signature) interoperate with Cognito in the same way that library does.
- v2 - Removed the dependency on `aws-sdk-go-v2`
- v3 - Migrated to `map[string]*string` types for better compatibility with `aws-sdk-go-v2`
- v4 - Migrated back to `map[string]string` types, as `aws-sdk-go-v2` reverted their API changes
package main
import (
	"context"
	"fmt"
	"log"
	"time"

	cognitosrp "github.com/alexrudd/cognito-srp/v4"
	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	cip "github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)
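// main demonstrates one complete USER_SRP_AUTH round-trip against Cognito:
// InitiateAuth carries the client's SRP public value, and the resulting
// PASSWORD_VERIFIER challenge is answered with a client-side proof, so the
// password itself is never sent to the service.
func main() {
	// Demo values only. In real code take the username/password from a secret
	// store or the environment rather than hard-coding them in source.
	csrp, err := cognitosrp.NewCognitoSRP("user", "pa55w0rd", "eu-west-1_myPoolId", "client", nil)
	if err != nil {
		log.Fatalf("configuring cognito srp: %v", err)
	}

	// SRP auth is an unauthenticated API: Cognito identifies the caller by the
	// app client ID, so the SDK is deliberately run without SigV4 credentials.
	// NOTE(review): newer aws-sdk-go-v2 releases take a context.Context as the
	// first argument of LoadDefaultConfig — adjust if this fails to compile.
	cfg, err := config.LoadDefaultConfig(
		config.WithRegion("eu-west-1"),
		config.WithCredentialsProvider(aws.AnonymousCredentials{}),
	)
	if err != nil {
		log.Fatalf("loading aws config: %v", err)
	}
	svc := cip.NewFromConfig(cfg)

	// Bound the whole exchange so a stalled network call cannot hang the process.
	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
	defer cancel()

	// Step 1: send the SRP A value and receive the server's challenge.
	resp, err := svc.InitiateAuth(ctx, &cip.InitiateAuthInput{
		AuthFlow:       types.AuthFlowTypeUserSrpAuth,
		ClientId:       aws.String(csrp.GetClientId()),
		AuthParameters: csrp.GetAuthParams(),
	})
	if err != nil {
		log.Fatalf("initiate auth: %v", err)
	}

	// Anything other than PASSWORD_VERIFIER (e.g. a custom challenge) is not
	// handled by this example; say so instead of silently doing nothing.
	if resp.ChallengeName != types.ChallengeNameTypePasswordVerifier {
		log.Fatalf("unhandled challenge %q from InitiateAuth", resp.ChallengeName)
	}

	// Step 2: compute the password-verifier proof. The timestamp is part of the
	// signed response, so the local clock must be roughly in sync with Cognito
	// or the proof will be rejected.
	challengeResponses, err := csrp.PasswordVerifierChallenge(resp.ChallengeParameters, time.Now())
	if err != nil {
		log.Fatalf("building password verifier response: %v", err)
	}
	challengeResp, err := svc.RespondToAuthChallenge(ctx, &cip.RespondToAuthChallengeInput{
		ChallengeName:      types.ChallengeNameTypePasswordVerifier,
		ChallengeResponses: challengeResponses,
		ClientId:           aws.String(csrp.GetClientId()),
	})
	if err != nil {
		log.Fatalf("respond to auth challenge: %v", err)
	}

	// A successful proof may still be followed by another challenge (MFA,
	// NEW_PASSWORD_REQUIRED, ...), in which case AuthenticationResult is nil.
	// Dereferencing it unconditionally, as the original example did, panics.
	if challengeResp.AuthenticationResult == nil {
		log.Fatalf("authentication not complete, next challenge: %q", challengeResp.ChallengeName)
	}

	// Demo only: these are bearer credentials (the refresh token is long-lived).
	// Never print or log them in real code — write them to a secure store instead.
	fmt.Printf("Access Token: %s\n", aws.ToString(challengeResp.AuthenticationResult.AccessToken))
	fmt.Printf("ID Token: %s\n", aws.ToString(challengeResp.AuthenticationResult.IdToken))
	fmt.Printf("Refresh Token: %s\n", aws.ToString(challengeResp.AuthenticationResult.RefreshToken))
}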