Reputation: 341
I have created an AWS Cognito User Pool and added an app client with a secret. When I use the .NET SDK to signup, signin, confirmSignup and signout, these APIs succeed. However, when I try to refresh the access token via the refresh token, I always get the exception "SecretHash does not match for the client: xxxxxx (App client Id)". Could anybody help? My code is as follows:
// Pool and user objects from the Amazon.Extensions.CognitoAuthentication library;
// the client secret is passed so the library can add SECRET_HASH itself.
var userPool = new CognitoUserPool(_cognitoSecret.CognitoUserPoolId, _cognitoSecret.CognitoAppClientId, _awsCognitoClient, appClientSecret);
// request.Username is the value the user signs in with (the e-mail in this pool);
// the library derives SECRET_HASH from the user name given here.
var cognitoUser = new CognitoUser(request.Username,
    _cognitoSecret.CognitoAppClientId, userPool, _awsCognitoClient, appClientSecret);
// Only the refresh token is known at this point; id/access tokens are null.
cognitoUser.SessionTokens = new CognitoUserSession(null, null, request.RefreshToken, DateTime.UtcNow, DateTime.UtcNow.AddSeconds(Constants.DefaultTokenExpirationTime));
var authRequest = new InitiateRefreshTokenAuthRequest
{
    AuthFlowType = AuthFlowType.REFRESH_TOKEN_AUTH // to refresh access token and id token
};
var response = await cognitoUser.StartWithRefreshTokenAuthAsync(authRequest);
And I also tried another way, but got the same exception:
// Low-level call through the AmazonCognitoIdentityProviderClient instead of the extensions library.
var refreshTokenRequest = new InitiateAuthRequest
{
    ClientId = _cognitoSecret.CognitoAppClientId,
    AuthFlow = AuthFlowType.REFRESH_TOKEN_AUTH
};
refreshTokenRequest.AuthParameters.Add("REFRESH_TOKEN", request.RefreshToken);
// SECRET_HASH is mandatory when the app client has a secret:
// Base64(HMAC-SHA256(key = client secret, message = username + client id)).
// Here it is computed from request.Username (the e-mail used at sign-in).
if (!string.IsNullOrWhiteSpace(_cognitoSecret.CognitoAppClientId) && !string.IsNullOrWhiteSpace(_cognitoSecret.CognitoAppClientSecret))
{
    var secretHash = SecretHashComputation.GetSecretHash(request.Username,
        _cognitoSecret.CognitoAppClientId, _cognitoSecret.CognitoAppClientSecret);
    refreshTokenRequest.AuthParameters.Add("SECRET_HASH", secretHash);
}
var response = await _awsCognitoClient.InitiateAuthAsync(refreshTokenRequest);
Upvotes: 9
Views: 3017
Reputation: 341
Finally, I found it myself.
For AuthFlowType.REFRESH_TOKEN_AUTH, the SECRET_HASH must be computed from the Username (sub) in the Cognito User Pool, rather than from the Email (I chose Email as the username when I created the User Pool).
This is confusing because the SECRET_HASH has to be computed from the Email in the other AuthFlowTypes.
Upvotes: 25
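The answer above states what goes into the HMAC but not how to produce it or where the `sub` comes from. The following is an added example, not code from the question, the answer or the AWS SDK: it computes SECRET_HASH the way Cognito defines it (Base64 of HMAC-SHA256 keyed with the app client secret over username followed by client id), reads the `sub` claim out of an ID token, and builds the AuthParameters dictionary for a REFRESH_TOKEN_AUTH call next to the one for a password flow so the difference in hash input is visible. The client id, client secret, e-mail, `sub` value and the JWT-shaped token are all constructed sample values, not real credentials, and the ID token is parsed without signature verification purely to pick the hash input.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values; replace with the real app client settings.
CLIENT_ID = "example-app-client-id"
CLIENT_SECRET = "example-app-client-secret"


def secret_hash_bytes(username: str, client_id: str, client_secret: str) -> bytes:
    """Raw HMAC-SHA256 behind SECRET_HASH.

    key     = app client secret
    message = username + client id (concatenated in that order, no separator)
    """
    key = client_secret.encode("utf-8")
    msg = (username + client_id).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def compute_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Base64 text form of the HMAC, i.e. the value sent as SECRET_HASH."""
    digest = secret_hash_bytes(username, client_id, client_secret)
    return base64.b64encode(digest).decode("ascii")


def sub_from_id_token(id_token: str) -> str:
    """Read the `sub` claim from the ID token's payload segment.

    Only the base64url payload is decoded; the JWT signature is NOT verified.
    That is acceptable here because the token was issued to this client and is
    only used to choose the hash input. Never use this for authorisation.
    """
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    return claims["sub"]


def build_refresh_auth_parameters(refresh_token: str, sub: str,
                                  client_id: str, client_secret: str) -> dict:
    """AuthParameters for AuthFlow=REFRESH_TOKEN_AUTH on a client with a secret.

    The hash input is the pool username (`sub`), not the e-mail typed at sign-in;
    using the e-mail here yields "SecretHash does not match for the client".
    """
    return {
        "REFRESH_TOKEN": refresh_token,
        "SECRET_HASH": compute_secret_hash(sub, client_id, client_secret),
    }


def build_password_auth_parameters(username: str, password: str,
                                   client_id: str, client_secret: str) -> dict:
    """AuthParameters for USER_PASSWORD_AUTH: the sign-in name (e-mail) is hashed."""
    return {
        "USERNAME": username,
        "PASSWORD": password,
        "SECRET_HASH": compute_secret_hash(username, client_id, client_secret),
    }


def make_unsigned_sample_id_token(claims: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test input only)."""
    def seg(obj) -> str:
        raw = json.dumps(obj).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg(claims), "dummysig"])


if __name__ == "__main__":
    email = "alice@example.com"                      # constructed
    sample_sub = "11111111-2222-3333-4444-555555555555"  # constructed
    token = make_unsigned_sample_id_token(
        {"sub": sample_sub, "email": email, "cognito:username": sample_sub})
    sub = sub_from_id_token(token)
    print("SECRET_HASH from e-mail:", compute_secret_hash(email, CLIENT_ID, CLIENT_SECRET))
    print("SECRET_HASH from sub:   ", compute_secret_hash(sub, CLIENT_ID, CLIENT_SECRET))
    print(build_refresh_auth_parameters("<refresh token>", sub, CLIENT_ID, CLIENT_SECRET))
```

Store the `sub` (or the ID token) alongside the refresh token at sign-in, since the refresh call itself carries no username and the e-mail is not enough to rebuild the hash.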