cristiandb

Reputation: 61

Cognito - User Pools App Integration and Federation - How do I refresh the id_token?

I'm using a new feature of AWS Cognito: an app integrated with a User Pool (for more detail see https://github.com/aws/amazon-cognito-auth-js). There is an example there; in this example I can get the id token and the access token, but the refresh token is empty.

I checked the documentation in Amazon Cognito --> Amazon Cognito API Reference --> Amazon Cognito Auth API Reference --> AUTHORIZATION Endpoint:

"The Amazon Cognito authorization server redirects back to your app with access token. Since openid scope was not requested, an ID token is not returned. A refresh token is never returned in this flow. Token and state are returned in the fragment and not in the query string".

"The authorization server redirects back to your app with access token and ID token (because openid scope was included)."

Note: Here nothing is said about the refresh token, but the response of this endpoint is

"https://YOUR_APP/redirect_ur#id_token=ID_TOKEN&access_token=ACCESS_TOKEN&token_type=bearer&expires_in=3600&state=STATE"

So I don't know how I can refresh my id_token to use it for more than an hour (with openid scope).

Upvotes: 1

Views: 1444

Answers (2)

Sean Connolly

Reputation: 5801

There's a lot going on in this question and answer. I'll say that for me, switching to a user pool with no secret key did the trick.

Upvotes: 0

cristiandb

Reputation: 61

There are two auth flows:

  • Implicit flow: only sends an ID token and an access token
  • Auth grant flow: at first you get a code that you can exchange for a token triplet (ID token, access token and refresh token)

I was using the implicit flow, and for this reason I couldn't get the refresh token. In the example, in the index.html file, there is a line "auth.useCodeGrantFlow();". If you uncomment this line you switch from implicit flow --> Auth grant flow. At this moment there is a pull request because there is a bug in this flow. For more detail see pull request #32.

I have replaced the dist/amazon-cognito-auth.js file with the same file from the pull request and it works fine.

Note: It is important to configure your app in the Cognito User Pool without a secret, because if you don't do this you get an "invalid_client" error. This is because the SDK doesn't include the "Authorization" header when it does the POST to the /oauth/token endpoint in the Auth grant flow.

Upvotes: 2
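The answer above covers three things that are easy to get wrong in a client: reading the implicit-flow fragment (which never carries a refresh token), exchanging an authorization code for the token triplet, and sending the refresh token back to the token endpoint with the client credentials the app was configured with. The following is an added example, not code from the question, the answers, or the amazon-cognito-auth-js library. It assumes the hosted-UI token endpoint path is `/oauth2/token` (the answer writes it as `/oauth/token`), and the domain, client id, client secret, code, state and token values are constructed placeholders. It only builds and parses the HTTP messages; it does not send them, so it runs offline.

```javascript
// Added example: parse the implicit-flow fragment and build the code-exchange
// and refresh requests for the Cognito hosted-UI token endpoint.
// ASSUMPTION: the token endpoint is https://<domain>/oauth2/token; all domain,
// client, code, state and token values here are constructed placeholders.

// Parse "https://app/redirect#id_token=...&access_token=...&state=..." and
// check the state against the value the app generated before redirecting.
// The implicit flow never returns a refresh token, so it is reported as null.
function parseImplicitFragment(redirectUrl, expectedState) {
  const hash = new URL(redirectUrl).hash.replace(/^#/, "");
  const params = new URLSearchParams(hash);
  if (params.get("state") !== expectedState) {
    throw new Error("state mismatch: response was not initiated by this client");
  }
  return {
    id_token: params.get("id_token"),
    access_token: params.get("access_token"),
    token_type: params.get("token_type"),
    expires_in: Number(params.get("expires_in")),
    refresh_token: params.get("refresh_token"), // always null in implicit flow
  };
}

// Base64 for "client_id:client_secret" (works in browsers and Node >= 16).
function basicAuthHeader(clientId, clientSecret) {
  const raw = `${clientId}:${clientSecret}`;
  const b64 = typeof btoa === "function" ? btoa(raw) : Buffer.from(raw).toString("base64");
  return `Basic ${b64}`;
}

// Shared shape of a token-endpoint request. When the app client has a secret,
// Cognito requires HTTP Basic auth on this endpoint; omitting it yields the
// "invalid_client" error described in the answer.
function buildTokenRequest(domain, clientId, clientSecret, formFields) {
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (clientSecret) {
    headers["Authorization"] = basicAuthHeader(clientId, clientSecret);
  }
  return {
    method: "POST",
    url: `https://${domain}/oauth2/token`,
    headers,
    body: new URLSearchParams({ client_id: clientId, ...formFields }).toString(),
  };
}

// Auth (code) grant flow, step 2: exchange the code for id/access/refresh tokens.
function buildCodeExchangeRequest({ domain, clientId, clientSecret, code, redirectUri }) {
  return buildTokenRequest(domain, clientId, clientSecret, {
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
  });
}

// Later: use the refresh token to obtain a fresh id_token and access_token.
function buildRefreshRequest({ domain, clientId, clientSecret, refreshToken }) {
  return buildTokenRequest(domain, clientId, clientSecret, {
    grant_type: "refresh_token",
    refresh_token: refreshToken,
  });
}

// Decide whether a token obtained at issuedAtMs with lifetime expiresIn seconds
// should be refreshed now, leaving some leeway for clock skew and latency.
function shouldRefresh(issuedAtMs, expiresIn, nowMs, leewaySec = 60) {
  return nowMs >= issuedAtMs + (expiresIn - leewaySec) * 1000;
}

// Constructed sample: the fragment shape quoted from the AWS documentation.
const SAMPLE_REDIRECT =
  "https://example.invalid/redirect#id_token=ID_TOKEN&access_token=ACCESS_TOKEN" +
  "&token_type=bearer&expires_in=3600&state=STATE";

if (typeof require !== "undefined" && require.main === module) {
  console.log(parseImplicitFragment(SAMPLE_REDIRECT, "STATE"));
  console.log(buildRefreshRequest({
    domain: "example-domain.auth.example-region.amazoncognito.com",
    clientId: "abc123",
    clientSecret: "s3cret",
    refreshToken: "REFRESH_TOKEN",
  }));
}
```

When the app client is created without a secret (as the answer recommends for this SDK version), `clientSecret` is left undefined and no `Authorization` header is added; the `client_id` form field alone identifies the client. Treat the refresh token as a long-lived credential: keep it out of URLs and logs, and store it no more broadly than the session needs.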
