Spring Boot authentication server using Amazon Cognito

In this story, we’ll implement an authentication microservice using Amazon Cognito.


Our microservice exposes REST resources (signUp, signIn, forgotPassword, signOut) that wrap the corresponding Cognito user-pool operations, so clients talk only to our service and never to Cognito directly, and every step of the authentication flow passes through code we control.

What Is Amazon Cognito?

Amazon Cognito provides authentication, authorization, and user management for your web and mobile apps. Your users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple.

The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together.


Amazon Cognito Setup

Step 1: Creating a User Pool

  1. Log in to the AWS Management Console and open the Amazon Cognito console at https://console.aws.amazon.com/cognito.
  2. Choose Manage User Pools.
  3. On the User Pools page, choose Create a user pool.
  4. Enter a name for your user pool and choose Review defaults to save the user pool name.

Step 2: Configuring a User Pool App Client

This step creates an app client that our Spring Boot microservice will use. It is required so that our service can authenticate the users created in the user pool. Full documentation.

  1. Select the user pool you created in step 1.
  2. On the navigation bar on the left-hand side of the page, choose App clients under General settings.
  3. Choose Add an app client.
  4. Enter your app name.

Two settings on this page matter for a server-side client. If you let Cognito generate a client secret, every sign-in call must also send a SECRET_HASH (an HMAC-SHA256 of username + client ID keyed with the secret), and the secret must stay on the server: it must never be shipped to a browser or mobile app. Second, enable the auth flow the service will actually use; for username/password login through the admin APIs that is ALLOW_ADMIN_USER_PASSWORD_AUTH, otherwise AdminInitiateAuth is rejected with an "auth flow not enabled" error.

Step 3: Adding Groups

For this demo, we have created two default groups. Group names are embedded in the cognito:groups claim of the issued tokens, so they are what the rest of the system will use for authorization decisions.

Spring Boot App Setup

We will start by creating a simple Spring Boot project from start.spring.io, with the following dependencies: Web and Lombok.

To implement the integration with AWS, we need to add the AWS SDK Cognito Identity Provider dependency to the pom.xml file (the artifact below is the AWS SDK for Java 1.x module; pin whichever version you have reviewed):

<!-- AWS Java SDK Cognito -->
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-cognitoidp</artifactId>
    <version>1.12.261</version>
</dependency>

The second step is to add the Cognito settings to the application configuration file (the snippet below is YAML, i.e. application.yml). Note that these values are identifiers, not credentials: the region and the user pool ID are not secret.

# AWS properties
region: us-east-2
user-pool-id: us-east-2_XXXXXXXXXX

The AWS access keys that authorize the cognito-idp:Admin* calls must not go into this file at all. In production, attach an IAM role to the EC2 instance, ECS task or Lambda that runs the service and let the SDK's default credential provider chain pick it up; the role policy should grant only the Cognito actions the service actually calls (for example cognito-idp:AdminCreateUser, AdminAddUserToGroup, AdminSetUserPassword, AdminInitiateAuth) on the ARN of this one user pool. If you do need to store a secret such as the app client secret, use AWS Secrets Manager or Systems Manager Parameter Store (SecureString); AWS Key Management Service manages the encryption keys behind those services, it is not itself a place to store credentials.

Project architecture

Create a cognito configuration class

We need a bean method returning the AWSCognitoIdentityProvider interface, the SDK client used for every call to the Amazon Cognito Identity Provider (user pool) API.
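The configuration class, as an added example rather than the code from the author's repository. It assumes the YAML values live under an aws: prefix (aws.region), and it deliberately takes no access keys from the properties file: DefaultAWSCredentialsProviderChain resolves the IAM role on the host in production and environment variables or ~/.aws/credentials on a developer machine.

```java
package com.example.auth.config;  // package name assumed

import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClientBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class CognitoConfig {

    // Maps to "aws.region" in application.yml (property name assumed).
    @Value("${aws.region}")
    private String region;

    @Bean
    public AWSCognitoIdentityProvider cognitoIdentityProvider() {
        return AWSCognitoIdentityProviderClientBuilder.standard()
                .withRegion(region)
                // No static keys in config: the default chain tries env vars, the
                // AWS profile file and finally the instance/task IAM role, in that order.
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .build();
    }
}
```

Because the bean is built once and shared, rotating the host credentials (for example an IAM role's temporary keys) is handled by the provider chain without restarting the service.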

Sign Up Implementation

The sign-up code consists of three steps, each one Cognito admin API call:
1- Create the user with a temporary password (AdminCreateUser)
2- Add the user to its group(s) (AdminAddUserToGroup)
3- Set the user's real password in the user pool as permanent (AdminSetUserPassword), which moves the account out of the FORCE_CHANGE_PASSWORD state

Test the REST APIs:

Test with Postman

The result in the AWS console

Sign In Implementation

The user created above can now authenticate with their credentials. Our microservice returns the access token and refresh token (Cognito also issues an ID token in the same response).

login endpoint

Access and ID tokens are short-lived (60 minutes by default; configurable per app client from 5 minutes to 1 day). Refresh tokens are long-lived (30 days by default; configurable from 60 minutes to 10 years) and are the credential an attacker really wants, so they should be stored only where the access token is not, for example in an HttpOnly cookie or OS keychain, never in localStorage.

Sign out Implementation

Sign-out signs the user out from all devices and invalidates every refresh token issued to them. The user's current access and ID tokens remain valid until they expire, i.e. until the end of the lifetime configured on the app client (one hour by default). A resource server that validates the JWT signature locally therefore cannot see the sign-out at all, which is the main reason to keep the access-token lifetime short.
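The sign-in and sign-out operations described in the two sections above, as one added example (not the author's code). It assumes the property names aws.user-pool-id, aws.app-client-id and aws.app-client-secret (the last one empty when the app client has no secret) and the AWSCognitoIdentityProvider bean from the configuration class. Sign-in uses AdminInitiateAuth with the ADMIN_USER_PASSWORD_AUTH flow, which must be enabled on the app client; sign-out uses GlobalSignOut with the caller's own access token, so a user can only ever sign out themselves.

```java
package com.example.auth.service;  // package name assumed

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthRequest;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthResult;
import com.amazonaws.services.cognitoidp.model.AuthFlowType;
import com.amazonaws.services.cognitoidp.model.AuthenticationResultType;
import com.amazonaws.services.cognitoidp.model.GlobalSignOutRequest;
import com.amazonaws.services.cognitoidp.model.NotAuthorizedException;
import com.amazonaws.services.cognitoidp.model.UserNotFoundException;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Service;
import org.springframework.web.server.ResponseStatusException;

@Service
public class AuthService {

    private final AWSCognitoIdentityProvider cognito;
    private final String userPoolId;
    private final String clientId;
    private final String clientSecret;  // empty string when the app client has no secret

    public AuthService(AWSCognitoIdentityProvider cognito,
                       @Value("${aws.user-pool-id}") String userPoolId,
                       @Value("${aws.app-client-id}") String clientId,
                       @Value("${aws.app-client-secret:}") String clientSecret) {
        this.cognito = cognito;
        this.userPoolId = userPoolId;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }

    /** Username/password login; returns access, ID and refresh tokens plus expiresIn (seconds). */
    public AuthenticationResultType signIn(String username, String password) {
        Map<String, String> params = new HashMap<>();
        params.put("USERNAME", username);
        params.put("PASSWORD", password);
        if (!clientSecret.isEmpty()) {
            params.put("SECRET_HASH", secretHash(username));  // mandatory once a client secret exists
        }

        AdminInitiateAuthResult result;
        try {
            result = cognito.adminInitiateAuth(new AdminInitiateAuthRequest()
                    .withUserPoolId(userPoolId)
                    .withClientId(clientId)
                    .withAuthFlow(AuthFlowType.ADMIN_USER_PASSWORD_AUTH)
                    .withAuthParameters(params));
        } catch (NotAuthorizedException | UserNotFoundException e) {
            // Identical status and message for "wrong password" and "no such user":
            // a distinguishable reply would let a caller enumerate valid usernames.
            throw new ResponseStatusException(HttpStatus.UNAUTHORIZED, "invalid credentials");
        }

        if (result.getChallengeName() != null) {
            // e.g. NEW_PASSWORD_REQUIRED or SOFTWARE_TOKEN_MFA: no tokens were issued. The client
            // must answer via AdminRespondToAuthChallenge, passing result.getSession() back.
            throw new ResponseStatusException(HttpStatus.FORBIDDEN,
                    "challenge required: " + result.getChallengeName());
        }
        return result.getAuthenticationResult();
    }

    /** Revokes all refresh tokens of the caller; issued access/ID tokens stay valid until expiry. */
    public void signOut(String accessToken) {
        cognito.globalSignOut(new GlobalSignOutRequest().withAccessToken(accessToken));
    }

    // SECRET_HASH = Base64( HMAC-SHA256( key = clientSecret, message = username + clientId ) )
    private String secretHash(String username) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            mac.update(username.getBytes(StandardCharsets.UTF_8));
            byte[] digest = mac.doFinal(clientId.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("cannot compute SECRET_HASH", e);
        }
    }
}
```

The admin variant, AdminUserGlobalSignOut, takes a username instead of an access token and is the right call for an administrator forcing another account out; if you expose it through the service, guard it with an authorization check, otherwise any caller can log out any user. Note that Cognito itself returns different error types for an unknown user and a bad password, so collapsing them into one response is the service's job (or enable the user pool's "prevent user existence errors" setting as a second layer).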

logout endpoint

Now we are done creating our authentication microservice. It contains other methods such as:

  • Change Password
  • Forgot password
  • Get user
  • Lists a history of user activity
  • Sets the user’s multi-factor authentication (MFA) preference.

This is a good alternative to letting clients call Cognito directly if you need pre- and post-processing around each call: input validation, allowlisting which groups a sign-up may join, mapping Cognito's error types to uniform responses, and audit logging of authentication events.

The complete source code can be found in my GitHub repository.
