Cognito StartWithRefreshTokenAuthAsync does not respect client secret #35
Comments
Any status update for this?

Any update?
Hi @berniezhao11, Good afternoon. I tried to reproduce the issue. However, it is not reproducible using the following code:

```csharp
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentityProvider;
using Amazon.Extensions.CognitoAuthentication;
using Amazon.Runtime;

namespace CognitoStartWithRefreshTokenAuthAsync
{
    class Program
    {
        private static string userPoolId = "<User Pool ID>";
        private static string clientId = "<App Client ID>";
        private static string clientSecret = "<App Client Secret>";
        // Change the region appropriately. The Cognito auth APIs used here are unsigned,
        // so anonymous credentials are used; only the region is needed.
        private static RegionEndpoint regionEndpoint = RegionEndpoint.USEast2;

        static void Main(string[] args)
        {
            Console.WriteLine("User Name: ");
            string userName = Console.ReadLine();
            while (string.IsNullOrWhiteSpace(userName))
            {
                Console.WriteLine("Please enter a valid User Name.");
                userName = Console.ReadLine();
            }

            Console.WriteLine("Do you have a Refresh Token (Y/N): ");
            // Read the whole line: Console.Read() would leave the newline in the buffer
            // and the next ReadLine() would return an empty string.
            string hasRefreshTokenResponse = Console.ReadLine() ?? "";
            bool hasRefreshToken = hasRefreshTokenResponse.Trim().StartsWith("y", StringComparison.OrdinalIgnoreCase);
            Console.WriteLine();

            Console.WriteLine("Password: ");
            string password = Console.ReadLine();
            while (string.IsNullOrWhiteSpace(password) && !hasRefreshToken)
            {
                Console.WriteLine("Please enter a valid Password.");
                password = Console.ReadLine();
            }

            Console.WriteLine("Existing Refresh Token: ");
            string refreshToken = Console.ReadLine();
            while (string.IsNullOrWhiteSpace(refreshToken) && hasRefreshToken)
            {
                Console.WriteLine("Please enter a valid Refresh Token.");
                refreshToken = Console.ReadLine();
            }

            // Refresh-token flow if a token was supplied, otherwise SRP with the password.
            AuthFlowResponse authFlowResponse = (!string.IsNullOrWhiteSpace(refreshToken)
                ? GetCredsFromRefreshAsync(userName, refreshToken).GetAwaiter().GetResult()
                : GetCredentials(userName, password).GetAwaiter().GetResult());
        }

        // SRP (password) authentication, handling the NEW_PASSWORD_REQUIRED and SMS_MFA challenges.
        public static async Task<AuthFlowResponse> GetCredentials(string userName, string password)
        {
            var provider = new AmazonCognitoIdentityProviderClient(new AnonymousAWSCredentials(), regionEndpoint);
            var userPool = new CognitoUserPool(userPoolId, clientId, provider, clientSecret);
            var user = new CognitoUser(userName, clientId, userPool, provider, clientSecret);
            AuthFlowResponse authResponse = await user.StartWithSrpAuthAsync(new InitiateSrpAuthRequest()
            {
                Password = password
            }).ConfigureAwait(false);

            while (authResponse.AuthenticationResult == null)
            {
                if (authResponse.ChallengeName == ChallengeNameType.NEW_PASSWORD_REQUIRED)
                {
                    Console.WriteLine("Enter your desired new password: ");
                    string newPassword = Console.ReadLine();
                    authResponse = await user.RespondToNewPasswordRequiredAsync(new RespondToNewPasswordRequiredRequest()
                    {
                        SessionID = authResponse.SessionID,
                        NewPassword = newPassword
                    }).ConfigureAwait(false);
                }
                else if (authResponse.ChallengeName == ChallengeNameType.SMS_MFA)
                {
                    Console.WriteLine("Enter the MFA Code sent to your device: ");
                    string mfaCode = Console.ReadLine();
                    authResponse = await user.RespondToSmsMfaAuthAsync(new RespondToSmsMfaRequest()
                    {
                        SessionID = authResponse.SessionID,
                        MfaCode = mfaCode
                    }).ConfigureAwait(false);
                }
                else
                {
                    Console.WriteLine("Unrecognized authentication challenge.");
                    return null;
                }
            }
            return authResponse;
        }

        // REFRESH_TOKEN_AUTH through the extension library: the refresh token is placed in
        // the user's session and StartWithRefreshTokenAuthAsync is called with the client secret
        // configured on both the pool and the user objects.
        public static async Task<AuthFlowResponse> GetCredsFromRefreshAsync(string userName, string refreshToken)
        {
            AmazonCognitoIdentityProviderClient provider = new AmazonCognitoIdentityProviderClient(new AnonymousAWSCredentials(), regionEndpoint);
            CognitoUserPool userPool = new CognitoUserPool(userPoolId, clientId, provider, clientSecret);
            CognitoUser user = new CognitoUser(userName, clientId, userPool, provider, clientSecret);
            user.SessionTokens = new CognitoUserSession(null, null, refreshToken, DateTime.Now, DateTime.Now.AddHours(1));
            InitiateRefreshTokenAuthRequest refreshRequest = new InitiateRefreshTokenAuthRequest()
            {
                AuthFlowType = AuthFlowType.REFRESH_TOKEN_AUTH
            };
            return await user.StartWithRefreshTokenAuthAsync(refreshRequest).ConfigureAwait(false);
        }
    }
}
```

.csproj file

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>netcoreapp3.1</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="AWSSDK.Extensions.CognitoAuthentication" Version="0.9.4" />
  </ItemGroup>
</Project>
```

STEPS

The refresh token flow works properly, where secret is configured for app client. (I do see that the RefreshToken in user object after executing

Please confirm if this is still an issue with the latest version of AWSSDK.Extensions.CognitoAuthentication (version 0.9.4 used in above example) or if this issue could be closed. Thanks,
This issue has not received a response in 2 weeks. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.
Problem

When using a refresh token to authenticate against a client that has a clientSecret, it throws an exception:

Unable to verify secret hash for client

Sample code

Analysis

When authenticating using a password, the SecretHash property is generated and will be used in further validation. However, when authenticating using a refresh token, the SecretHash is never created.
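Added example for this issue (not code from the issue, from the reporter, or from AWSSDK.Extensions.CognitoAuthentication): it shows how the SECRET_HASH that Cognito expects alongside REFRESH_TOKEN in a REFRESH_TOKEN_AUTH call is computed, and issues that call through the low-level AmazonCognitoIdentityProviderClient with the hash supplied explicitly, which is the check the extension library skips in the refresh path. The app client ID, secret and region are placeholders (assumptions). One caveat worth knowing when the pool uses email or phone aliases: the username fed into the hash for the refresh flow must be the user's actual username (the cognito:username claim of the ID token), not the alias the user typed at sign-in, or Cognito rejects the hash with the same "Unable to verify secret hash for client" error.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;
using Amazon.Runtime;

// Added example for this issue; not code from the issue or from
// AWSSDK.Extensions.CognitoAuthentication.
namespace CognitoRefreshWithSecretHash
{
    public static class CognitoSecretHash
    {
        // SECRET_HASH = Base64(HMAC-SHA256(key = clientSecret, message = username + clientId)).
        // For the refresh flow, username must be the user's real username (the
        // cognito:username claim), not an email or phone alias.
        public static string Compute(string username, string clientId, string clientSecret)
        {
            byte[] key = Encoding.UTF8.GetBytes(clientSecret);
            byte[] message = Encoding.UTF8.GetBytes(username + clientId);
            using (var hmac = new HMACSHA256(key))
            {
                return Convert.ToBase64String(hmac.ComputeHash(message));
            }
        }

        // REFRESH_TOKEN_AUTH through the low-level client, with SECRET_HASH supplied explicitly.
        public static async Task<AuthenticationResultType> RefreshAsync(
            IAmazonCognitoIdentityProvider provider,
            string username, string clientId, string clientSecret, string refreshToken)
        {
            var request = new InitiateAuthRequest
            {
                ClientId = clientId,
                AuthFlow = AuthFlowType.REFRESH_TOKEN_AUTH,
                AuthParameters = new Dictionary<string, string>
                {
                    ["REFRESH_TOKEN"] = refreshToken,
                    ["SECRET_HASH"] = Compute(username, clientId, clientSecret),
                },
            };
            InitiateAuthResponse response = await provider.InitiateAuthAsync(request).ConfigureAwait(false);
            // Unless refresh token rotation is enabled on the app client, the response carries
            // new ID and access tokens only; keep the refresh token you already have.
            return response.AuthenticationResult;
        }
    }

    class Program
    {
        // Placeholder values (assumptions); replace with your pool's app client settings.
        private static readonly string clientId = "<App Client ID>";
        private static readonly string clientSecret = "<App Client Secret>";
        private static readonly RegionEndpoint region = RegionEndpoint.USEast2;

        static async Task Main(string[] args)
        {
            Console.Write("Username (cognito:username, not an alias): ");
            string username = Console.ReadLine() ?? "";
            Console.Write("Refresh token: ");
            string refreshToken = Console.ReadLine() ?? "";

            // InitiateAuth is an unsigned API, so anonymous credentials are sufficient.
            var provider = new AmazonCognitoIdentityProviderClient(new AnonymousAWSCredentials(), region);
            try
            {
                AuthenticationResultType result = await CognitoSecretHash.RefreshAsync(
                    provider, username, clientId, clientSecret, refreshToken);
                Console.WriteLine($"Refreshed; access token expires in {result.ExpiresIn} s");
            }
            catch (NotAuthorizedException ex)
            {
                // "Unable to verify secret hash for client" surfaces here when SECRET_HASH is
                // missing or was computed with the wrong username.
                Console.WriteLine($"Refresh rejected: {ex.Message}");
            }
        }
    }
}
```

To check the hash independently of the SDK, compute Base64(HMAC-SHA256(clientSecret, username + clientId)) with any other HMAC tool for the same inputs; the two values must match byte for byte, since Cognito compares the string exactly.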