Authorization Use Cases
The following use cases expect the APIs to be executed in a particular order, because each call changes Cognito's view of what state the user is in.
Admin Creates a User
Scenario: The admin role creates a user with a random initial password, then forces the user to update their password.
- Admin creates a new user. This sends a random initial password to the user's email, so the payload must include a valid email address.
(broker native user API)/up/v5/users
- Once the user checks their email, Cognito should have automatically sent them a random temporary password. The user then signs in with that password. The response should include a "session" that will be needed in the next step.
(platform services API)/auth/token/create
- The user specifies a new password, providing the session from the previous call and their new password.
(platform services API)/auth/user/newPassword
- The user can now sign in normally using the new password.
(platform services API)/auth/token/create again
Alternate Admin Creates a User
Scenario: The admin role creates a user with a random initial password, then forces the user to update their password.
- As before, admin creates a new user. Unlike before, the user's email doesn't technically need to be valid, as they don't need to receive the initial random password.
(broker native user API)/up/v5/users
- The admin changes the password on that user.
(broker native user API)/up/v5/users/changePassword
- The user can now sign in using that updated password.
(platform services API)/auth/token/create
Password reset
Scenario: The APIs here all require a customer JWT to execute. Designing a system by which users can self-serve a password reset will require some additional work. For example, we might make /up/v5/users/forgotPassword and /up/v5/users/confirmForgotPassword unauthenticated.
- The admin initiates a password reset email for the user. The user should receive an email from Cognito with a reset code.
(broker native user API)/up/v5/users/forgotPassword
- The user provides that reset code to the admin, and the admin invokes the confirm forgot password API on the user's behalf. This takes the code the user got in their email and the new password.
(broker native user API)/up/v5/users/confirmForgotPassword
- Afterwards, the user can sign in using that updated password.
(platform services API)/auth/token/create
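An added example (not part of this page or the broker's code) that models the three flows above as an offline state machine in Python: the state names FORCE_CHANGE_PASSWORD and CONFIRMED, the response fields and the in-memory UserPool are assumptions standing in for the broker and Cognito, and each method's comment names the endpoint it corresponds to. It shows why the ordering matters: /auth/token/create returns only a session until the temporary password has been replaced, and /auth/user/newPassword rejects a call that does not carry that session.

```python
import secrets

class UserPool:
    """Offline stand-in for the broker + Cognito; tracks each user's state (assumed model)."""

    def __init__(self):
        self.users = {}  # email -> dict(password, state, session, code)

    def admin_create_user(self, email):  # /up/v5/users
        temp = secrets.token_urlsafe(8)  # the "emailed" temporary password
        self.users[email] = dict(password=temp, state="FORCE_CHANGE_PASSWORD",
                                 session=None, code=None)
        return temp

    def admin_change_password(self, email, new_pw):  # /up/v5/users/changePassword
        self.users[email].update(password=new_pw, state="CONFIRMED", session=None)

    def token_create(self, email, password):  # /auth/token/create
        u = self.users.get(email)
        if u is None or not secrets.compare_digest(u["password"], password):
            raise PermissionError("invalid credentials")
        if u["state"] == "FORCE_CHANGE_PASSWORD":
            u["session"] = secrets.token_urlsafe(16)
            return {"session": u["session"]}  # no token until the password changes
        return {"token": f"jwt-for-{email}"}

    def new_password(self, email, session, new_pw):  # /auth/user/newPassword
        u = self.users[email]
        if u["session"] is None or not secrets.compare_digest(u["session"], session):
            raise PermissionError("no live session; call /auth/token/create first")
        u.update(password=new_pw, state="CONFIRMED", session=None)

    def forgot_password(self, email):  # /up/v5/users/forgotPassword
        self.users[email]["code"] = secrets.token_hex(3)  # the "emailed" reset code
        return self.users[email]["code"]

    def confirm_forgot_password(self, email, code, new_pw):  # /up/v5/users/confirmForgotPassword
        u = self.users[email]
        if u["code"] is None or not secrets.compare_digest(u["code"], code):
            raise PermissionError("reset code missing or wrong")
        u.update(password=new_pw, state="CONFIRMED", code=None)

def admin_creates_user_flow(pool, email, new_pw):
    """'Admin Creates a User': the session from the first sign-in feeds newPassword."""
    temp = pool.admin_create_user(email)
    session = pool.token_create(email, temp)["session"]
    pool.new_password(email, session, new_pw)
    return pool.token_create(email, new_pw)["token"]
```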