diff --git a/content/en/user-guide/aws/cognito/index.md b/content/en/user-guide/aws/cognito/index.md index d1cc22536d..2069e55c7e 100644 --- a/content/en/user-guide/aws/cognito/index.md +++ b/content/en/user-guide/aws/cognito/index.md @@ -331,6 +331,72 @@ Ensuring this match is crucial for the proper functioning of the authentication {"access_token": "eyJ0eXAi…lKaHx44Q", "expires_in": 86400, "token_type": "Bearer", "refresh_token": "e3f08304", "id_token": "eyJ0eXAi…ADTXv5mA"} ``` +### Client credentials grant + +The client credentials grant is designed for machine-to-machine (M2M) communication. +The Client Credentials Grant allows the machine (client) to authenticate itself directly with the authorization server using its credentials, such as a client ID and client secret. +The client credentials grant allows for scope-based authorization from a non-interactive system to an API. +Your app can directly request client credentials from the token endpoint to receive an access token. + +To request the token from the LocalStack URL, use the following endpoint: `://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token`. +For additional information on our endpoints, refer to our [Internal Endpoints](https://docs.localstack.cloud/references/internal-endpoints/) documentation. + +If there are multiple user pools, LocalStack identifies the appropriate one by examining the `clientid` of the request. + +To get started, follow the example below: + +```sh +#Create client user pool with a client. +export client_id=$(awslocal cognito-idp create-user-pool-client --user-pool-id $pool_id --client-name test-client --generate-secret | jq -rc ".UserPoolClient.ClientId") + +#Retrieve secret. +export client_secret=$(awslocal cognito-idp describe-user-pool-client --user-pool-id $pool_id --client-id $client_id | jq -r '.UserPoolClient.ClientSecret') + +#Create resource server +awslocal cognito-idp create-resource-server \ + --user-pool-id $pool_id \ + --identifier "api-client-organizations" \ + --name "Resource Server Name" \ + --scopes '[{"ScopeName":"read","ScopeDescription":"Read access to Organizations"}]' + +``` + +You can retrieve the token from your application using the specified endpoint: `http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token`. + +```javascript +require('dotenv').config(); +const axios = require('axios'); + +async function getAccessTokenWithSecret() { + const clientId = process.env.client_id; + const clientSecret = process.env.client_secret; + const scope = 'api-client-organizations/read'; + const url = 'http://cognito-idp.localhost.localstack.cloud:4566/_aws/cognito-idp/oauth2/token'; + + const authHeader = Buffer.from(`${clientId}:${clientSecret}`).toString('base64'); + + const headers = { + 'Content-Type': 'application/x-www-form-urlencoded', + 'Authorization': `Basic ${authHeader}` + }; + + const payload = new URLSearchParams({ + grant_type: 'client_credentials', + client_id: clientId, + scope: scope + }); + + try { + const response = await axios.post(url, payload, { headers }); + console.log(response.data); + } catch (error) { + console.error('Error fetching access token:', error.response ? error.response.data : error.message); + } +} + +getAccessTokenWithSecret(); +``` + ## Serverless and Cognito Furthermore, you have the option to combine Cognito and LocalStack seamlessly with the [Serverless framework](https://www.serverless.com/).