Cognito User Pool Auth Endpoints

• Authorization endpoint
  • used to sign the user in.
  • POST /oauth2/token
• Login endpoint
  • The backend server redirects the user's browser to this endpoint and does not make the request itself.
  • GET /login
• Token endpoint
  • Can be used to retrieve the various user tokens, by providing the code retrieved from the SSO when the user hit the login endpoint. In this case grant_type is set to code.
  • Also used with a provided refresh token in order to retrieve a fresh access token, in which case, need to specify grant_type as refresh_token.
  • The backend of the client (PHP server) makes the request to this endpoint directly (e.g. a Guzzle request) and not through a browser (e.g. not a user redirect).
  • POST /oauth2/token
• User info endpoint
  • Used to retrieve information about the user through the use of their tokens which were retrieved through using the token endpoint.
  • The backend of the client (PHP server) makes the request to this endpoint directly (e.g. a Guzzle request) and not through a browser (e.g. not a user redirect).
  • GET /oauth2/userInfo
• Logout endpoint
  • The backend server redirects the user's browser to this endpoint and does not make the request itself.
  • GET /logout
• Revocation endpoint
  • used to invalidate all of the access tokens that were generated by the specified refresh token.
  • The backend of the client (PHP server) makes the request to this endpoint directly (e.g. a Guzzle request) and not through a browser (e.g. not a user redirect).
  • POST /oauth2/revoke

The authorization endpoint and login endpoint appear to serve the same purpose and thus its hard to understand the difference between them.

References

• Amazon docs - Token endpoint
• Amazon Cognito user pools Auth API reference