cognito-oauth-token-tester

v0.1.2

Published

Local browser tool to fetch and inspect AWS Cognito OAuth tokens for multiple users federated via Entra ID, forcing a fresh per-user login each time.

Downloads

454

Readme

Cognito OAuth Token Tester

A local, browser-only tool to fetch and inspect AWS Cognito OAuth tokens (id_token, access_token, refresh_token) for multiple users federated through Entra ID. It forces a fresh, per-user login on every request so the external IDP's cached session can't silently return the wrong user's token.

Run

Without installing (uses the published build):

npx cognito-oauth-token-tester

This serves the app at http://localhost:4173 (override with PORT).

From source (for development):

npm install
npm run dev

Open http://localhost:5173.

Cognito app client requirements

  • Public client, no client secret.
  • PKCE enabled, grant type Authorization code.
  • Allowed callback URL includes http://localhost:5173 (must match the Redirect URI you enter in the app exactly).
  • Allowed sign-out URL includes http://localhost:5173 (required for the logout-first flow below).
  • Entra ID configured as an OIDC identity provider on the user pool; note its provider name (for identity_provider) or set an idp_identifier alias.

Entra app registration requirements (for the logout-first flow)

  • A post-logout redirect URI of http://localhost:5173 registered in the Entra app registration (Authentication → Front-channel logout / redirect URIs).
  • Your tenant id or domain (e.g. contoso.onmicrosoft.com), entered in the app's Entra tenant config field.

How it forces the right user

Important: Cognito does not reliably forward login_hint/prompt to a federated IdP like Entra. So those params alone do not switch users — Entra's cached SSO session silently returns whoever is already signed in. That is why this tool clears the sessions first.

Logout-first flow (default, recommended). When force fresh login is on, each Get Token click runs this sequence before authorizing:

  1. Cognito sign-out (/logout) — clears the Cognito hosted-UI session.
  2. Entra logout (/oauth2/v2.0/logout) — clears the Entra SSO cookie (only if an Entra tenant is configured).
  3. Authorize — now Cognito re-federates and Entra is forced to prompt, so you can sign in as the user you actually picked.

The authorize request still sends (each toggleable in the UI):

  • identity_provider / idp_identifier — skip the Cognito chooser, go to Entra.
  • login_hint=<email> — preselect the user if your setup forwards it.
  • prompt=login — request a fresh login if your setup forwards it.

If you turn force fresh login off, the app skips the logout steps and relies only on those params — which may return the cached user (see the note above).
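The logout-first sequence above, as an added example (not the package's own code): it builds the three redirects in order from Cognito's hosted-UI `/logout` and `/oauth2/authorize` endpoints and the Entra logout endpoint named in step 2. The domain, client id, provider name and scope are constructed placeholders, and `state` and `codeChallenge` are assumed to be generated by the caller.

```javascript
// Added example: constructed config values; not taken from the package source.
const SAMPLE_CFG = {
  cognitoDomain: 'https://example-pool.auth.us-east-1.amazoncognito.com', // placeholder
  clientId: 'EXAMPLE_CLIENT_ID',          // placeholder public client, no secret
  redirectUri: 'http://localhost:5173',   // must match the allowed callback/sign-out URL exactly
  identityProvider: 'EntraID',            // hypothetical provider name on the user pool
  entraTenant: 'contoso.onmicrosoft.com', // leave empty to skip the Entra logout step
};

// Returns the redirects to follow, in order. `state` and `codeChallenge`
// (PKCE, S256) are assumed to be generated and stored by the caller.
function buildLogoutFirstSequence(cfg, email, { state, codeChallenge, forceFreshLogin = true }) {
  const steps = [];
  if (forceFreshLogin) {
    // 1. Clear the Cognito hosted-UI session.
    const cognitoLogout = new URL('/logout', cfg.cognitoDomain);
    cognitoLogout.searchParams.set('client_id', cfg.clientId);
    cognitoLogout.searchParams.set('logout_uri', cfg.redirectUri);
    steps.push({ step: 'cognito-logout', url: cognitoLogout.href });
    // 2. Clear the Entra SSO cookie, only when a tenant is configured.
    if (cfg.entraTenant) {
      const tenant = encodeURIComponent(cfg.entraTenant);
      const entraLogout = new URL(`https://login.microsoftonline.com/${tenant}/oauth2/v2.0/logout`);
      entraLogout.searchParams.set('post_logout_redirect_uri', cfg.redirectUri);
      steps.push({ step: 'entra-logout', url: entraLogout.href });
    }
  }
  // 3. Authorize. With no cached session left, the hint params are a convenience, not the control.
  const authorize = new URL('/oauth2/authorize', cfg.cognitoDomain);
  const params = {
    response_type: 'code', client_id: cfg.clientId, redirect_uri: cfg.redirectUri,
    scope: 'openid email', state,
    code_challenge: codeChallenge, code_challenge_method: 'S256',
    identity_provider: cfg.identityProvider, // skip the Cognito chooser
    login_hint: email,                       // honoured only if forwarded to Entra
    prompt: 'login',                         // honoured only if forwarded to Entra
  };
  for (const [k, v] of Object.entries(params)) authorize.searchParams.set(k, v);
  steps.push({ step: 'authorize', url: authorize.href });
  return steps;
}
```

With `forceFreshLogin: false` the function returns only the authorize step, which is the case where a cached Entra session can hand back the wrong user.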

Usage

  1. Fill in Cognito Configuration (saved to localStorage), including the Entra tenant if you want the Entra session cleared.
  2. Add user emails under Users.
  3. Click Get Token → for a user. The app clears the cached sessions, then Entra prompts you — sign in as that user — and you return with tokens.
  4. Each user gets a token card with a live expiry countdown, Refresh, auto-refresh toggle, copy buttons, and JWT decode.
  5. Verify you got the right user: expand decode on the id_token and check the email/sub claims match the user you picked.
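The check in step 5, as an added example (not the package's own code): it decodes the id_token payload and compares the `email` claim with the user you picked, so a token returned from a cached session is flagged. The function names and sample tokens are constructed for illustration, `token_use` is the claim Cognito sets to `id` on id tokens, and decoding here is not signature verification.

```javascript
// Added example: confirm which user a returned id_token belongs to.
// Decoding is NOT signature verification; this only answers "whose token is this?".
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function checkTokenUser(idToken, expectedEmail, nowSeconds = Math.floor(Date.now() / 1000)) {
  let claims;
  try {
    claims = decodeJwtPayload(idToken);
  } catch (err) {
    return { ok: false, reason: `undecodable: ${err.message}` };
  }
  const email = typeof claims.email === 'string' ? claims.email : '';
  const base = { sub: claims.sub, email };
  if (claims.token_use !== 'id') {
    return { ok: false, reason: 'not an id_token', ...base };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    return { ok: false, reason: 'expired', ...base };
  }
  if (email.toLowerCase() !== expectedEmail.trim().toLowerCase()) {
    // Typical symptom of a cached IdP session: a valid token for someone else.
    return { ok: false, reason: `wrong user: got ${email || '(no email claim)'}`, ...base };
  }
  return { ok: true, reason: 'email claim matches selected user', ...base };
}

// Constructed sample token with a placeholder signature, for illustration only.
function makeSampleToken(claims) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}
```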

Tests

npm run test

Security note

This is a local developer/testing tool. Tokens are stored in localStorage for convenience across the redirect round-trip. Do not deploy it as-is to a shared or public host.