Cognito federated identity pools provide several different adaptors like SAML and OAuth.
https://docs.aws.amazon.com/cognito/latest/developerguide/external-identity-providers.html
It also appears the PHP API is similar to the JavaScript one, providing signing capabilities.
https://docs.aws.amazon.com/aws-sdk-php/v3/api/class-Aws.Signature.SignatureV4.html#_signRequest
Something like this would need to be converted to use PHP and the PHP SDK v3 instead of the JavaScript SDK v3.
```typescript
import { HttpRequest } from "@aws-sdk/protocol-http";
import { SignatureV4 } from "@aws-sdk/signature-v4";
import { CognitoIdentityClient } from "@aws-sdk/client-cognito-identity";
import { fromCognitoIdentityPool } from "@aws-sdk/credential-provider-cognito-identity";
import { Sha256 } from "@aws-crypto/sha256-js";
import { Observable, firstValueFrom, from, of } from "rxjs";
import { map, switchMap, take, tap } from "rxjs/operators";

// Minimal shapes for the two application types the snippet depends on (assumed, not in the original).
interface CognitoSettings {
  region: string;
  identityPoolId: string;
  userPoolId: string;
}
interface AuthFacade {
  getUser$: Observable<{ id_token: string } | undefined>;
}

interface CreateSignHttpRequestParams {
  body?: string;
  headers?: Record<string, string>;
  hostname: string;
  method?: string;
  path?: string;
  port?: number;
  protocol?: string;
  query?: Record<string, string>;
  service: string;
  cognitoSettings: CognitoSettings;
  authFacade: AuthFacade;
}

// Builds an HttpRequest and signs it with SigV4 using temporary identity-pool credentials.
const createS3SignedHttpRequest = ({
  body,
  headers,
  hostname,
  method = "GET",
  path = "/",
  port = 443,
  protocol = "https:",
  query,
  service,
  cognitoSettings,
  authFacade
}: CreateSignHttpRequestParams): Observable<HttpRequest> => of(
  new HttpRequest({
    body,
    headers,
    hostname,
    method,
    path,
    port,
    protocol,
    query,
  })
).pipe(
  tap(() => console.log('.marker({ event: BEGIN , context: s3, entity: sig , op: signv4 , meta: { } })')),
  switchMap(req => from(
    (new SignatureV4({
      // Credential provider: exchanges the user's id_token for identity-pool credentials.
      credentials: fromCognitoIdentityPool({
        client: new CognitoIdentityClient({ region: cognitoSettings.region }),
        identityPoolId: cognitoSettings.identityPoolId,
        logins: {
          [`cognito-idp.${cognitoSettings.region}.amazonaws.com/${cognitoSettings.userPoolId}`]: () => firstValueFrom(authFacade.getUser$.pipe(map(u => u ? u.id_token : undefined)))
        }
      }),
      region: cognitoSettings.region,
      service,
      sha256: Sha256,
    })).sign(req)
      .then(signedReq => {
        console.log('.marker({ event: RESOLVED, entity: s3 , op: signv4 , meta: { } })');
        return signedReq;
      })
  ).pipe(
    tap(() => console.log('.marker({ /s3/sign/after/sig })')),
    take(1)
  )),
  map(req => req as HttpRequest),
  tap(() => console.log('.marker({ event: END , context: s3, entity: sig , op: signv4 , meta: { } })')),
);
```
This line creates temporary federated identity pool credentials that are then used to sign the request. The logins literal contains the current user's auth token, which is exchanged for temporary credentials from the identity pool.
```typescript
credentials: fromCognitoIdentityPool({
  client: new CognitoIdentityClient({ region: cognitoSettings.region }),
  identityPoolId: cognitoSettings.identityPoolId,
  logins: {
    [`cognito-idp.${cognitoSettings.region}.amazonaws.com/${cognitoSettings.userPoolId}`]: () => firstValueFrom(authFacade.getUser$.pipe(map(u => u ? u.id_token : undefined)))
  }
}),
region: cognitoSettings.region,
service,
sha256: Sha256,
```
The same thing can be achieved in PHP because the end result is merely a signed HTTP request that is dispatched to the AWS REST API. That can be done using cURL or whatever other PHP HTTP library is being used.
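The PHP counterpart of the flow above, as an added example that is not part of the original answer: the id_token is exchanged for identity-pool credentials with `GetId` / `GetCredentialsForIdentity`, and the result is fed to `Aws\Signature\SignatureV4::signRequest`. It assumes a Composer autoloader, Guzzle for the PSR-7 request, and placeholder pool ids and token that the caller replaces.

```php
<?php
// Added example (not from the original post). Assumes composer autoload and
// Guzzle PSR-7; pool ids, region and the id_token below are placeholders.
require 'vendor/autoload.php';

use Aws\CognitoIdentity\CognitoIdentityClient;
use Aws\Credentials\Credentials;
use Aws\Signature\SignatureV4;
use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Request;
use Psr\Http\Message\RequestInterface;

// Exchange the user-pool id_token for temporary identity-pool credentials.
// $idToken plays the role of authFacade.getUser$ -> id_token in the TS version.
function credentialsFromIdentityPool(string $region, string $identityPoolId,
                                     string $userPoolId, string $idToken): Credentials
{
    $client = new CognitoIdentityClient(['region' => $region, 'version' => 'latest']);
    // Same provider key as the TypeScript logins map.
    $logins = ["cognito-idp.{$region}.amazonaws.com/{$userPoolId}" => $idToken];

    $identityId = $client->getId([
        'IdentityPoolId' => $identityPoolId,
        'Logins'         => $logins,
    ])['IdentityId'];
    $c = $client->getCredentialsForIdentity([
        'IdentityId' => $identityId,
        'Logins'     => $logins,
    ])['Credentials'];

    // Short-lived key, secret and session token; keep them out of logs.
    return new Credentials($c['AccessKeyId'], $c['SecretKey'], $c['SessionToken'],
                           $c['Expiration']->getTimestamp());
}

// SigV4-sign a request for $service (e.g. 's3'), like SignatureV4.sign(req) in TS.
function signWithSigV4(RequestInterface $request, string $service, string $region,
                       Credentials $credentials): RequestInterface
{
    return (new SignatureV4($service, $region))->signRequest($request, $credentials);
}

// Usage with constructed placeholder values.
$region = 'us-east-1';
$creds  = credentialsFromIdentityPool($region, 'us-east-1:IDENTITY-POOL-ID',
                                      'USER-POOL-ID', 'ID_TOKEN_FROM_USER_POOL');
$req    = new Request('GET', 'https://example-bucket.s3.amazonaws.com/object.txt');
$signed = signWithSigV4($req, 's3', $region, $creds);
$response = (new Client())->send($signed);   // dispatch the signed request
```

The identity-pool role attached to the authenticated identity decides what the signed request may actually do, so scope that role to the specific bucket and actions the client needs.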