AWS Cognito AppClients with Spring Boot Quick Guide

AWS Cognito app clients with Spring Boot

Introduction

AWS Cognito is a powerful tool for managing user authentication and access control. In this blog post, we will walk you through creating and managing AWS Cognito App Clients dynamically using a Spring Boot application. This method is particularly useful for applications that need to manage multiple clients with varying credentials in a seamless way.

1. Initializing Your Spring Boot Project for Dynamic Cognito App Client Management

While AWS Cognito provides robust user authentication and management, manually handling multiple app clients can become tedious and inefficient. Instead, by automating this process with Spring Boot, we can streamline client creation and management. In this guide, we will demonstrate how to automate this process and make it much easier. You will learn to:

Set up your Spring Boot project.
Create the PartnerCredential entity and repository.
Implement a service that interacts with AWS Cognito.
Expose a REST endpoint for creating app clients dynamically.

Let’s dive deeper into each step.

2. Setting Up Your Spring Boot Project

First, we need to set up a Spring Boot application. You can use the Spring Initializr to bootstrap a new project or create it manually.

Dependencies:

Spring Boot Starter Web
Spring Boot Starter Data JPA
AWS SDK for Java
MySQL Connector

Maven Configuration

<dependencies>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-data-jpa</artifactId>
    </dependency>
    <dependency>
        <groupId>com.amazonaws</groupId>
        <artifactId>aws-java-sdk-cognitoidp</artifactId>
        <version>1.12.219</version>
    </dependency>
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.32</version>
    </dependency>
</dependencies>

3. Creating the PartnerCredential Entity

The PartnerCredential entity represents the data structure used to store partner credentials in the database.

@Entity
@Table(name = "CREDENTIAL")
public class PartnerCredential {
    @Id
    @GeneratedValue(strategy = GenerationType.IDENTITY)
    private Long pcId;
    @Column(name = "PARTNER_NAME", nullable = false, length = 250)
    private String partnerName;
    @Column(name = "PARTNER_EMAIL", columnDefinition = "TEXT")
    private String partnerEmail;
    @Column(name = "SECRET_KEY", columnDefinition = "TEXT")
    private String secretKey;
    @Column(name = "API_TOKEN", columnDefinition = "TEXT")
    private String apiToken;
    @Column(name = "CREATED_DATE", nullable = false)
    private LocalDateTime createdDate;
    @Column(name = "CREATED_BY", nullable = false, length = 200)
    private String createdBy;
    private LocalDateTime lastUpdatedDate;
    private String lastUpdatedBy;
    // Getters and Setters
}

4. Creating the PartnerCredentialRepository

The repository interface handles database operations for PartnerCredential.

@Repository
public interface PartnerCredentialRepository extends JpaRepository<PartnerCredential, Long> {
}

5. Implementing the Service to Interact with AWS Cognito

The service class is responsible for interacting with AWS Cognito to create app clients dynamically.

@Service
public class PartnerCredentialService {
    private final PartnerCredentialRepository repository;

    public PartnerCredentialService(PartnerCredentialRepository repository) {
        this.repository = repository;
    }

    public PartnerCredential savePartnerCredential(PartnerCredential partnerCredential) {
        partnerCredential.setCreatedDate(LocalDateTime.now());
        partnerCredential.setLastUpdatedDate(LocalDateTime.now());
        CognitoAppClientInfo cognitoAppClientInfo = createCognitoAppClient(partnerCredential.getPartnerName());
        partnerCredential.setApiToken(cognitoAppClientInfo.getClientId());
        partnerCredential.setSecretKey(cognitoAppClientInfo.getClientSecret());
        return repository.save(partnerCredential);
    }

    private CognitoAppClientInfo createCognitoAppClient(String partnerName) {
        AwsBasicCredentials awsCreds = AwsBasicCredentials.create("YOUR_ACCESS_KEY", "YOUR_SECRET_KEY");

        CognitoIdentityProviderClient cognitoClient = CognitoIdentityProviderClient.builder()
                .region(Region.of("us-east-1"))
                .credentialsProvider(StaticCredentialsProvider.create(awsCreds))
                .build();

        try {
            CreateUserPoolClientRequest request = CreateUserPoolClientRequest.builder()
                    .userPoolId("YOUR_USER_POOL_ID")
                    .clientName(partnerName + "_client")
                    .generateSecret(true)
                    .build();

            CreateUserPoolClientResponse response = cognitoClient.createUserPoolClient(request);
            return new CognitoAppClientInfo(response.userPoolClient().clientId(), response.userPoolClient().clientSecret());
        } catch (CognitoIdentityProviderException e) {
            throw new RuntimeException("Error creating Cognito App Client: " + e.awsErrorDetails().errorMessage());
        } finally {
            cognitoClient.close();
        }
    }
}

6. Exposing a REST Endpoint

The controller exposes an endpoint to create new PartnerCredential entries.

@RestController
@RequestMapping("/v2/api")
public class PartnerCredentialController {
    private final PartnerCredentialService service;

    public PartnerCredentialController(PartnerCredentialService service) {
        this.service = service;
    }

    @PostMapping("/partner-credentials")
    public ResponseEntity createPartnerCredential(@Valid @RequestBody PartnerCredential partnerCredential) {
        PartnerCredential savedPartnerCredential = service.savePartnerCredential(partnerCredential);
        return new ResponseEntity<>(savedPartnerCredential, HttpStatus.CREATED);
    }
}

Conclusion

By following these steps, you’ve set up a Spring Boot application to manage AWS Cognito app clients dynamically. This approach simplifies the process of creating and managing credentials, making it easier to handle multiple clients with varying requirements.

Feel free to adjust and extend this example to fit your specific needs.