Unable to verify secret hash for client

[siddiquebagwan-gslab]

Hi Boto3 Team

We are trying to refresh IdToken using Refresh Token with the help boto3 API. Below is the python piece code:
client = boto3.client('cognito-idp')
client.initiate_auth(
ClientId=client_id,
AuthFlow='REFRESH_TOKEN_AUTH',
AuthParameters={
'REFRESH_TOKEN': refresh_token,
'SECRET_HASH': get_secret_hash(username)
}

get_secret_hash(username, client_id, client_secret) is defined as below:
message = username + client_id
dig = hmac.new(bytearray(client_secret, "utf-8"), msg=message.encode('UTF-8'),
digestmod=hashlib.sha256).digest()
return base64.b64encode(dig).decode()

We get below error when we call client.initiate_auth method defined above:
botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Unable to verify secret hash for client 2cbjb*******

Note: We are using the same function get_secret_hash to generate secret_hash for signup method in boto3 and that works fine.
Boto3 version - 1.16.58
Botocore version - 1.19.58

Please let us know if we are missing something for generating IDToken from refresh token

[swetashre]

@Mohd-gslab - Thank you for your post. I think the most likely issues are incorrect client id or secret. The refresh token could also be expired.
As you have already mentioned that you are not getting error with sign up method then can you please check if your refresh token is expired ?

[siddiquebagwan-gslab]

Hi Thanks for reply No refresh token is not expired Could you please try it at your end and check if there is any bug in boto or cognito handling generated secret hash

On Wed, 27 Jan 2021 at 4:00 AM, swetashre ***@***.***> wrote: @Mohd-gslab <https://github.com/Mohd-gslab> - Thank you for your post. I think the most likely issues are incorrect client id or secret. The refresh token could also be expired. As you have already mentioned that you are not getting error with sign up method then can you please check if your refresh token is expired ? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#2736 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHG5YWL7DMYIX4A235XFD5TS3467DANCNFSM4WPOGBFA> .

-- Sent from my iPhone, pardon typo

…

-- Confidentiality Notice and Disclaimer: This email (including any attachments) contains information that may be confidential, privileged and/or copyrighted. If you are not the intended recipient, please notify the sender immediately and destroy this email. Any unauthorized use of the contents of this email in any manner whatsoever, is strictly prohibited. If improper activity is suspected, all available information may be used by the sender for possible disciplinary action, prosecution, civil claim or any remedy or lawful purpose. Email transmission cannot be guaranteed to be secure or error-free, as information could be intercepted, lost, arrive late, or contain viruses. The sender is not liable whatsoever for damage resulting from the opening of this message and/or the use of the information contained in this message and/or attachments. Expressions in this email cannot be treated as opined by the sender company management – they are solely expressed by the sender unless authorized.

[swetashre]

@Mohd-gslab - I tried but i am not able to reproduce the issue. Could you verify from the debug logs that whenever we are making api call all the parameters are correctly set ? You can enable log by adding boto3.set_stream_logger('') to your code.

[github-actions]

Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.

[MaximZemskov]

Hi. We are have the same issue. Signup works fine, but when we are trying to renew token it fails. We are using pycognito wich generates secret hash with this method

@staticmethod
def get_secret_hash(username, client_id, client_secret):
    message = bytearray(username + client_id, "utf-8")
    hmac_obj = hmac.new(bytearray(client_secret, "utf-8"), message, hashlib.sha256)
    return base64.standard_b64encode(hmac_obj.digest()).decode("utf-8")

[MaximZemskov]

Looks like refresh_token returned by respond_to_auth_challenge is broken. Currently investigating where is a problem.

[swetashre]

Can anyone provide detailed steps so that we can try reproduce the issue ? It would be helpful if anyone could provide debug logs. You can enable log by adding boto3.set_stream_logger('') to your code.

[SheryarButt]

Hello @MaximZemskov. Was this issue resolved or not?
I'm facing the same issue as above.

[MaximZemskov]

@SheryarButt Hey. Yes it was resolved, but not by me. For other person problem was using email instead the uuid for username.

[kdaily]

Hi @Mohd-gslab or @SheryarButt,

To assist further we will need to see complete debug logs as previously requested. You can enable log by adding boto3.set_stream_logger('') to your code. Thank you!

[github-actions]

Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.

[antarsaha9]

Those who are still getting the issue can check out this answer:

https://stackoverflow.com/a/54508553

[khordoo]

If you use email as your username, use the Cognito-assigned UUID username when calculating the secret hash not the email address.
The UUID can be decoded from the IdToken that you received after the login.