Passport strategy for authenticating and fetching profile data from AWS Cognito User pools using OAuth2 and the Amazon SDK

$ npm install passport-oauth2-cognito

The Cognito OAuth 2.0 authentication strategy authenticates requests using the OAuth 2.0 framework and retrieves user data from AWS Cognito User Pools. The strategy requires a verify callback, which accepts these credentials and calls done providing a user, as well as options specifying a consumer key, consumer secret, and callback URL.

const passport = require('passport')
const OAuth2CognitoStrategy = require('passport-oauth2-cognito');

const options = {
  callbackURL: 'https://myapp.com/auth/cognito/callback',
  clientDomain: 'https://myapp.auth.us-west-2.amazoncognito.com',
  clientID: '123-456-789',
  clientSecret: 'shhh-its-a-secret',
  region: 'us-west-2'
};

function verify(accessToken, refreshToken, profile, done) {
  User.findOrCreate(profile, (err, user) => {
    done(err, user);
  });
}

passport.use(new OAuth2CognitoStrategy(options, verify));  
passport.serializeUser((user, done) => done(null, user));
passport.deserializeUser((obj, done) => done(null, obj));

Use passport.authenticate(), specifying the 'oauth2-cognito' strategy, to authenticate requests.

For example, as route middleware in an Express application:

app.get('/auth/cognito',
  passport.authenticate('oauth2-cognito')
);
app.get('/auth/cognito/callback',
  passport.authenticate('oauth2-cognito'),
  (req,res) => res.send(req.user)  
);

When you create your App Client, you will need to generate an App Client Secret

Your App client settings will need:

Enabled Identity Providers: Cognito User Pool

Callback URL(s): options.callbackURL

Allowed OAuth Flows: Authorization code grant

Allowed OAuth Scopes: [openid, aws.cognito.signin.user.admin, profile]

You must also configure a Domain name for use as options.clientDomain