Get AWS Cognito Token ID (JWT) with JavaScript (NodeJS)

handler.js

const AWS = require('aws-sdk');
const CognitoSDK = require('amazon-cognito-identity-js-node');
AWS.CognitoIdentityServiceProvider.AuthenticationDetails = CognitoSDK.AuthenticationDetails;
AWS.CognitoIdentityServiceProvider.CognitoUserPool = CognitoSDK.CognitoUserPool;
AWS.CognitoIdentityServiceProvider.CognitoUser = CognitoSDK.CognitoUser;

const Username = 'testuser';
const TempPassword = 'TemporaryPassword2!';
const NewPassword = 'NewPassword@#@!19';
const Email = '[email protected]';
const config = { region: 'us-east-1' };
const UserPoolId = 'USER_POOL_ID_HERE';
const ClientId = 'APP_CLIENT_ID_HERE'; // Your App client id (add via Console->Cognito User Pool)

const cognitoIdentityServiceProvider =
  new AWS.CognitoIdentityServiceProvider(config);


const saveOrUpdateUser = (profile) => {
  
  //User Pool
  const poolData = {
    UserPoolId : UserPoolId,
    ClientId : ClientId // Your App client id here
  };
  const userPool = new AWS.CognitoIdentityServiceProvider.CognitoUserPool(poolData);
  
  //User
  const userParams = {
    Pool: userPool,
    Username: Username,
  };
  var cognitoUser = new AWS.CognitoIdentityServiceProvider.CognitoUser(userParams);

  //Authentication
  const authenticationData = {
    Username: Username,
    Password: NewPassword, //1st time use TempPassword
  }
  const authenticationDetails = new AWS.CognitoIdentityServiceProvider.AuthenticationDetails(authenticationData);
  var responseFunctions = {
    onSuccess: (result) => {
      console.log('IT WORKED!');
      console.log(result);
    },
    onFailure: (err) => {
      console.log('no go :(');
      console.log(err);
    }
  };

  //newPasswordRequired has to be added separately because it sends responseFunctions to completeNewPasswordChallenge
  responseFunctions.newPasswordRequired = (userAttributes, requiredAttributes) => {
    delete userAttributes.email_verified;
    cognitoUser.completeNewPasswordChallenge(NewPassword, {email: Email}, responseFunctions)
  };
  cognitoUser.authenticateUser(authenticationDetails, responseFunctions);
};

saveOrUpdateUser();

package.json

{
  "name": "test-app",
  "description": "test app",
  "version": "0.0.1",
  "engines": {
    "node": ">=6.3.1"
  },
  "devDependencies": {
    "amazon-cognito-identity-js-node": "0.0.3",
    "aws-sdk": "^2.5.3"
  }
}

server.yml (partial)

    events:
      - http:
          path: restricted
          method: get
          cors: true
          integration: lambda
          authorizer:
            arn: arn:aws:cognito-idp:AWS_REGION:AWS_ACCOUNT_ID:userpool/AWS_USERPOOL_ID
            resultTtlInSeconds: 0
            claims:
              - email
            identitySource: method.request.header.Authorization
            identityValidationExpression: .*

Pay close attention to the claims: under server.yml, there's a bug when there are multiple claims ! (reported here: serverless/serverless#3088)

This gist is great - thank you! For anyone who is trying to run this as a script locally, for programmatic access to an access token for database testing, etc - add the following line somewhere near the top of your index.js (assuming you aren't running it as a lambda function):

global.navigator = () => null;