com.amazonaws.auth

Class CognitoCredentialsProvider

java.lang.Object

com.amazonaws.auth.CognitoCredentialsProvider

All Implemented Interfaces:

AWSCredentialsProvider

Direct Known Subclasses:

CognitoCachingCredentialsProvider

public class CognitoCredentialsProvider
extends java.lang.Object
implements AWSCredentialsProvider

AWSCredentialsProvider implementation that uses the Amazon Cognito Identity service and AWS Security Token Service to create temporary, short-lived sessions to use for authentication

Field Summary

Fields

Modifier and Type	Field and Description
static int	DEFAULT_DURATION_SECONDS Default duration for started sessions
static int	DEFAULT_THRESHOLD_SECONDS Default threshold for refreshing session credentials

Constructor Summary

Constructors

Constructor and Description
CognitoCredentialsProvider(AWSCognitoIdentityProvider provider, com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient cibClient) Constructs a new CognitoCredentialsProvider, which will set up a link to the provider passed in using the enhanced authentication flow to get short-lived credentials from Amazon Cognito, which can be retrieved from getCredentials()
CognitoCredentialsProvider(AWSCognitoIdentityProvider provider, Regions region) Constructs a new CognitoCredentialsProvider, which will set up a link to the provider passed in using the enhanced authentication flow to get short-lived credentials from Amazon Cognito, which can be retrieved from getCredentials()
CognitoCredentialsProvider(AWSCognitoIdentityProvider provider, Regions region, ClientConfiguration clientConfiguration) Constructs a new CognitoCredentialsProvider, which will set up a link to the provider passed in using the enhanced authentication flow to get short-lived credentials from Amazon Cognito, which can be retrieved from getCredentials()
CognitoCredentialsProvider(AWSCognitoIdentityProvider provider, java.lang.String unauthArn, java.lang.String authArn) Constructs a new CognitoCredentialsProvider, which will set up a link to the provider passed in using the basic authentication flow to get get short-lived credentials from STS, which can be retrieved from getCredentials()
CognitoCredentialsProvider(AWSCognitoIdentityProvider provider, java.lang.String unauthArn, java.lang.String authArn, com.amazonaws.services.securitytoken.AWSSecurityTokenService stsClient) Constructs a new CognitoCredentialsProvider, which will set up a link to the provider passed in to use the basic authentication flow to get short-lived credentials from STS, which can be retrieved from getCredentials()
CognitoCredentialsProvider(AWSConfiguration awsConfiguration) Constructs a new CognitoCredentialsProvider, which will use the specified Amazon Cognito identity pool to make a request to Cognito, using the enhanced flow, to get short lived session credentials, which will then be returned by this class's getCredentials() method.
CognitoCredentialsProvider(java.lang.String identityPoolId, Regions region) Constructs a new CognitoCredentialsProvider, which will use the specified Amazon Cognito identity pool to make a request to Cognito, using the enhanced flow, to get short lived session credentials, which will then be returned by this class's getCredentials() method.
CognitoCredentialsProvider(java.lang.String identityPoolId, Regions region, ClientConfiguration clientConfiguration) Constructs a new CognitoCredentialsProvider, which will use the specified Amazon Cognito identity pool to make a request to Cognito, using the enhanced flow, to get short lived session credentials, which will then be returned by this class's getCredentials() method.
CognitoCredentialsProvider(java.lang.String accountId, java.lang.String identityPoolId, java.lang.String unauthRoleArn, java.lang.String authRoleArn, com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient cibClient, com.amazonaws.services.securitytoken.AWSSecurityTokenService stsClient) Constructs a new CognitoCredentialsProvider, which will use the specified Amazon Cognito identity pool to make a request to the AWS Security Token Service (STS) to get short-lived session credentials, which will then be returned by this class's getCredentials() method.
CognitoCredentialsProvider(java.lang.String accountId, java.lang.String identityPoolId, java.lang.String unauthRoleArn, java.lang.String authRoleArn, Regions region) Constructs a new CognitoCredentialsProvider, which will use the specified Amazon Cognito identity pool to make a request, using the basic authentication flow, to the AWS Security Token Service (STS) to request short-lived session credentials, which will then be returned by this class's getCredentials() method.
CognitoCredentialsProvider(java.lang.String accountId, java.lang.String identityPoolId, java.lang.String unauthRoleArn, java.lang.String authRoleArn, Regions region, ClientConfiguration clientConfiguration) Constructs a new CognitoCredentialsProvider, which will use the specified Amazon Cognito identity pool to make a request, using the basic authentication flow, to the AWS Security Token Service (STS) to request short-lived session credentials, which will then be returned by this class's getCredentials() method.

Method Summary

Modifier and Type	Method and Description
void	clear() Clear all in-memory and saved state for the credentials provider.
void	clearCredentials() Clear credentials.
AWSSessionCredentials	getCredentials() If the current session has expired/credentials are invalid, a new session is started, establishing the credentials.
java.lang.String	getCustomRoleArn() Get the custom role arn associated with the credentials provider.
java.lang.String	getIdentityId()
java.lang.String	getIdentityPoolId()
AWSIdentityProvider	getIdentityProvider()
java.util.Map<java.lang.String,java.lang.String>	getLogins() Get the logins map used to authenticated with Amazon Cognito
int	getRefreshThreshold() Get the refresh threshold for the session credentials created by this client in seconds.
java.util.Date	getSessionCredentialsExpiration()
java.util.Date	getSessionCredentitalsExpiration() Deprecated. Use getSessionCredentialsExpiration() instead.
int	getSessionDuration() Get the duration of the session credentials created by this client in seconds.
java.lang.String	getToken()
void	refresh() Forces this credentials provider to refresh its credentials.
void	registerIdentityChangedListener(IdentityChangedListener listener) Adds a new identity changed listener to process some event when the identity has changed.
void	setCustomRoleArn(java.lang.String customRoleArn) Set the custom role arn that will be used to get credentials with Amazon Cognito.
void	setLogins(java.util.Map<java.lang.String,java.lang.String> logins) Set the logins map used to authenticated with Amazon Cognito.
void	setRefreshThreshold(int refreshThreshold) Set the refresh threshold for the session credentials created by this client in seconds.
void	setSessionCredentialsExpiration(java.util.Date expiration)
void	setSessionDuration(int sessionDuration) Set the duration of the session credentials created by this client in seconds.
void	unregisterIdentityChangedListener(IdentityChangedListener listener) Removes an identity changed listener from being triggered when the identity has changed.
AWSCredentialsProvider	withLogins(java.util.Map<java.lang.String,java.lang.String> logins) Set the logins map used to authenticated with Amazon Cognito.
CognitoCredentialsProvider	withRefreshThreshold(int refreshThreshold) Set the refresh threshold for the session credentials created by this client in seconds.
CognitoCredentialsProvider	withSessionDuration(int sessionDuration) Set the duration of the session credentials created by this client in seconds.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DEFAULT_DURATION_SECONDS

public static final int DEFAULT_DURATION_SECONDS

Default duration for started sessions

See Also:

Constant Field Values

DEFAULT_THRESHOLD_SECONDS

public static final int DEFAULT_THRESHOLD_SECONDS

Default threshold for refreshing session credentials

See Also:

Constant Field Values

Constructor Detail

CognitoCredentialsProvider

public CognitoCredentialsProvider(java.lang.String accountId,
                                  java.lang.String identityPoolId,
                                  java.lang.String unauthRoleArn,
                                  java.lang.String authRoleArn,
                                  Regions region)

Constructs a new CognitoCredentialsProvider, which will use the specified Amazon Cognito identity pool to make a request, using the basic authentication flow, to the AWS Security Token Service (STS) to request short-lived session credentials, which will then be returned by this class's getCredentials() method.

Parameters:

accountId - The AWS accountId for the account with Amazon Cognito

identityPoolId - The Amazon Cogntio identity pool to use

unauthRoleArn - The ARN of the IAM Role that will be assumed when unauthenticated

authRoleArn - The ARN of the IAM Role that will be assumed when authenticated

region - The region to use when contacting Cognito Identity

CognitoCredentialsProvider

public CognitoCredentialsProvider(java.lang.String accountId,
                                  java.lang.String identityPoolId,
                                  java.lang.String unauthRoleArn,
                                  java.lang.String authRoleArn,
                                  Regions region,
                                  ClientConfiguration clientConfiguration)

Constructs a new CognitoCredentialsProvider, which will use the specified Amazon Cognito identity pool to make a request, using the basic authentication flow, to the AWS Security Token Service (STS) to request short-lived session credentials, which will then be returned by this class's getCredentials() method.

This version of the constructor allows you to specify a client configuration for the Amazon Cognito and STS clients.

Parameters:

accountId - The AWS accountId for the account with Amazon Cognito

identityPoolId - The Amazon Cognito identity pool to use

unauthRoleArn - The ARN of the IAM Role that will be assumed when unauthenticated

authRoleArn - The ARN of the IAM Role that will be assumed when authenticated

region - The region to use when contacting Cognito Identity

clientConfiguration - Configuration to apply to service clients created

CognitoCredentialsProvider

public CognitoCredentialsProvider(AWSConfiguration awsConfiguration)

Constructs a new CognitoCredentialsProvider, which will use the specified Amazon Cognito identity pool to make a request to Cognito, using the enhanced flow, to get short lived session credentials, which will then be returned by this class's getCredentials() method. Example json file: { "CredentialsProvider": { "CognitoIdentity": { "Default": { "PoolId": "us-east-1:example-pool-id1234", "Region": "us-east-1" } } } }

Parameters:

awsConfiguration - The configuration holding you identity pool id and the region to use when contacting Cognito Identity

CognitoCredentialsProvider

public CognitoCredentialsProvider(java.lang.String identityPoolId,
                                  Regions region)

Constructs a new CognitoCredentialsProvider, which will use the specified Amazon Cognito identity pool to make a request to Cognito, using the enhanced flow, to get short lived session credentials, which will then be returned by this class's getCredentials() method.

Parameters:

identityPoolId - The Amazon Cognito identity pool to use

region - The region to use when contacting Cognito Identity

CognitoCredentialsProvider

public CognitoCredentialsProvider(java.lang.String identityPoolId,
                                  Regions region,
                                  ClientConfiguration clientConfiguration)

Constructs a new CognitoCredentialsProvider, which will use the specified Amazon Cognito identity pool to make a request to Cognito, using the enhanced flow, to get short lived session credentials, which will then be returned by this class's getCredentials() method.

This version of the constructor allows you to specify a client configuration for the Amazon Cognito client.

Parameters:

identityPoolId - The Amazon Cognito identity pool to use

region - The region to use when contacting Cognito Identity

clientConfiguration - Configuration to apply to service clients created

CognitoCredentialsProvider

public CognitoCredentialsProvider(java.lang.String accountId,
                                  java.lang.String identityPoolId,
                                  java.lang.String unauthRoleArn,
                                  java.lang.String authRoleArn,
                                  com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient cibClient,
                                  com.amazonaws.services.securitytoken.AWSSecurityTokenService stsClient)

Constructs a new CognitoCredentialsProvider, which will use the specified Amazon Cognito identity pool to make a request to the AWS Security Token Service (STS) to get short-lived session credentials, which will then be returned by this class's getCredentials() method.

This version of the constructor allows you to specify the Amazon Cognito and STS client to use.

Set the roles and stsClient to null to use the enhanced authentication flow, not contacting STS. Otherwise the basic flow will be used.

Parameters:

accountId - The AWS accountId for the account with Amazon Cognito

identityPoolId - The Amazon Cogntio identity pool to use

unauthRoleArn - The ARN of the IAM Role that will be assumed when unauthenticated

authRoleArn - The ARN of the IAM Role that will be assumed when authenticated

cibClient - Preconfigured CognitoIdentity client to make requests with

stsClient - Preconfigured STS client to make requests with

CognitoCredentialsProvider

public CognitoCredentialsProvider(AWSCognitoIdentityProvider provider,
                                  java.lang.String unauthArn,
                                  java.lang.String authArn)

Constructs a new CognitoCredentialsProvider, which will set up a link to the provider passed in using the basic authentication flow to get get short-lived credentials from STS, which can be retrieved from getCredentials()

This version of the constructor allows you to specify your own Identity Provider class.

Parameters:

provider - a reference to the provider in question, including what's needed to interact with it to later connect with STS

unauthArn - the unauthArn, for use with the STS call

authArn - the authArn, for use with the STS call

CognitoCredentialsProvider

public CognitoCredentialsProvider(AWSCognitoIdentityProvider provider,
                                  java.lang.String unauthArn,
                                  java.lang.String authArn,
                                  com.amazonaws.services.securitytoken.AWSSecurityTokenService stsClient)

Constructs a new CognitoCredentialsProvider, which will set up a link to the provider passed in to use the basic authentication flow to get short-lived credentials from STS, which can be retrieved from getCredentials()

This version of the constructor allows you to specify your own Identity Provider class, and the STS client to use.

Parameters:

provider - a reference to the provider in question, including what's needed to interact with it to later connect with STS

unauthArn - the unauthArn, for use with the STS call

authArn - the authArn, for use with the STS call

stsClient - the sts endpoint to get session credentials from

CognitoCredentialsProvider

public CognitoCredentialsProvider(AWSCognitoIdentityProvider provider,
                                  Regions region)

Constructs a new CognitoCredentialsProvider, which will set up a link to the provider passed in using the enhanced authentication flow to get short-lived credentials from Amazon Cognito, which can be retrieved from getCredentials()

This version of the constructor allows you to specify your own Identity Provider class.

Parameters:

provider - a reference to the provider in question, including what's needed to interact with it to later connect with Amazon Cognito

region - The region to use when contacting Cognito

CognitoCredentialsProvider

public CognitoCredentialsProvider(AWSCognitoIdentityProvider provider,
                                  Regions region,
                                  ClientConfiguration clientConfiguration)

Constructs a new CognitoCredentialsProvider, which will set up a link to the provider passed in using the enhanced authentication flow to get short-lived credentials from Amazon Cognito, which can be retrieved from getCredentials()

This version of the constructor allows you to specify your own Identity Provider class and the configuration for the Amazon Cognito client.

Parameters:

provider - a reference to the provider in question, including what's needed to interact with it to later connect with Amazon Cognito

clientConfiguration - Configuration to apply to service clients created

region - The region to use when contacting Cognito Identity

CognitoCredentialsProvider

public CognitoCredentialsProvider(AWSCognitoIdentityProvider provider,
                                  com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClient cibClient)

Constructs a new CognitoCredentialsProvider, which will set up a link to the provider passed in using the enhanced authentication flow to get short-lived credentials from Amazon Cognito, which can be retrieved from getCredentials()

This version of the constructor allows you to specify your own Identity Provider class and the Amazon Cognito client.

Parameters:

provider - a reference to the provider in question, including what's needed to interact with it to later connect with Amazon Cognito

cibClient - Preconfigured CognitoIdentity client to make requests with

Method Detail

getIdentityId

public java.lang.String getIdentityId()

getToken

public java.lang.String getToken()

getIdentityProvider

public AWSIdentityProvider getIdentityProvider()

setSessionCredentialsExpiration

public void setSessionCredentialsExpiration(java.util.Date expiration)

getSessionCredentialsExpiration

public java.util.Date getSessionCredentialsExpiration()

getSessionCredentitalsExpiration

@Deprecated
public java.util.Date getSessionCredentitalsExpiration()

Deprecated. Use getSessionCredentialsExpiration() instead.

getIdentityPoolId

public java.lang.String getIdentityPoolId()

getCredentials

public AWSSessionCredentials getCredentials()

If the current session has expired/credentials are invalid, a new session is started, establishing the credentials. In either case, those credentials are returned

Specified by:

getCredentials in interface AWSCredentialsProvider

Returns:

AWSCredentials which the caller can use to authorize an AWS request.

setSessionDuration

public void setSessionDuration(int sessionDuration)

Set the duration of the session credentials created by this client in seconds. Values must be supported by AssumeRoleWithWebIdentityRequest.

Parameters:

sessionDuration - The new duration for session credentials created by this provider

See Also:

AssumeRoleWithWebIdentityRequest

withSessionDuration

public CognitoCredentialsProvider withSessionDuration(int sessionDuration)

Set the duration of the session credentials created by this client in seconds. Values must be supported by AssumeRoleWithWebIdentityRequest. Returns reference to object so methods can be chained together.

Parameters:

sessionDuration - The new duration for session credentials created by this provider

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

AssumeRoleWithWebIdentityRequest

getSessionDuration

public int getSessionDuration()

Get the duration of the session credentials created by this client in seconds. Values must be supported by AssumeRoleWithWebIdentityRequest.

Returns:

The duration for session credentials created by this provider

See Also:

AssumeRoleWithWebIdentityRequest

setRefreshThreshold

public void setRefreshThreshold(int refreshThreshold)

Set the refresh threshold for the session credentials created by this client in seconds. This value will be used internally to determine if new credentials should be fetched from STS.

Parameters:

refreshThreshold - The new refresh threshold for session credentials created by this provider

See Also:

AssumeRoleWithWebIdentityRequest

withRefreshThreshold

public CognitoCredentialsProvider withRefreshThreshold(int refreshThreshold)

Set the refresh threshold for the session credentials created by this client in seconds. This value will be used internally to determine if new credentials should be fetched from STS. Returns a reference to the object so methods can be chained.

Parameters:

refreshThreshold - The new refresh threshold for session credentials created by this provider

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

AssumeRoleWithWebIdentityRequest

getRefreshThreshold

public int getRefreshThreshold()

Get the refresh threshold for the session credentials created by this client in seconds. This value will be used internally to determine if new credentials should be fetched from STS.

Returns:

The refresh threshold for session credentials created by this provider

See Also:

AssumeRoleWithWebIdentityRequest

setLogins

public void setLogins(java.util.Map<java.lang.String,java.lang.String> logins)

Set the logins map used to authenticated with Amazon Cognito. Note: You should manually call refresh on on the credentials provider after adding logins to the provider as your Identity Id may have changed.

Parameters:

logins - The new logins map (providerName, providerToken) to use to communicate with Amazon Cognito

getCustomRoleArn

public java.lang.String getCustomRoleArn()

Get the custom role arn associated with the credentials provider.

Returns:

Custom role arn.

setCustomRoleArn

public void setCustomRoleArn(java.lang.String customRoleArn)

Set the custom role arn that will be used to get credentials with Amazon Cognito. This parameter needs to be set when idp provides roles in the token (eg: SAML Assertion) and there are multiple roles. Roles set by the method will be assumed when it matches with the roles received in the token from IdP.

Parameters:

customRoleArn - The role arn to be used to get the credentials.

withLogins

public AWSCredentialsProvider withLogins(java.util.Map<java.lang.String,java.lang.String> logins)

Set the logins map used to authenticated with Amazon Cognito. Returns a reference to the object so methods can be chained. Note: You should manually call refresh on on the credentials provider after adding logins to the provider as your Identity Id may have changed.

Parameters:

logins - The new logins map (providerName, providerToken) to use to communicate with Amazon Cognito

Returns:

A reference to this updated object so that method calls can be chained together.

See Also:

AssumeRoleWithWebIdentityRequest

getLogins

public java.util.Map<java.lang.String,java.lang.String> getLogins()

Get the logins map used to authenticated with Amazon Cognito

Returns:

The logins map (providerName, providerToken) to use to communicate with Amazon Cognito

refresh

public void refresh()

Description copied from interface: AWSCredentialsProvider

Forces this credentials provider to refresh its credentials. For many implementations of credentials provider, this method may simply be a no-op, such as any credentials provider implementation that vends static/non-changing credentials. For other implementations that vend different credentials through out their lifetime, this method should force the credentials provider to refresh its credentials.

Specified by:

refresh in interface AWSCredentialsProvider

clear

public void clear()

Clear all in-memory and saved state for the credentials provider. Will destroy any saved Amazon Cognito Identity Id and associated AWS credentials.

clearCredentials

public void clearCredentials()

Clear credentials. This will destroy all the saved AWS credentials but not the identity Id.

registerIdentityChangedListener

public void registerIdentityChangedListener(IdentityChangedListener listener)

Adds a new identity changed listener to process some event when the identity has changed.

Parameters:

listener - the listener to be triggered on id change

unregisterIdentityChangedListener

public void unregisterIdentityChangedListener(IdentityChangedListener listener)

Removes an identity changed listener from being triggered when the identity has changed.

Parameters:

listener - the listener to be removed