Unable to verify secret hash for client #2736
Comments
@Mohd-gslab - Thank you for your post. I think the most likely issues are incorrect client id or secret. The refresh token could also be expired.
Hi
Thanks for the reply.
No, the refresh token is not expired.
Could you please try it at your end and check if there is any bug in boto or cognito handling the generated secret hash?
On Wed, 27 Jan 2021 at 4:00 AM, swetashre ***@***.***> wrote:
@Mohd-gslab <https://github.com/Mohd-gslab> - Thank you for your post. I
think the most likely issues are incorrect client id or secret. The refresh
token could also be expired.
As you have already mentioned that you are not getting error with sign up
method then can you please check if your refresh token is expired ?
@Mohd-gslab - I tried but I am not able to reproduce the issue. Could you verify from the debug logs that whenever we are making an API call all the parameters are correctly set? You can enable log by adding
Greetings! It looks like this issue hasn’t been active in longer than a week. We encourage you to check if this is still an issue in the latest release. Because it has been longer than a week since the last update on this, and in the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or add an upvote to prevent automatic closure, or if the issue is already closed, please feel free to open a new one.
Hi. We are having the same issue. Signup works fine, but when we are trying to renew the token it fails. We are using pycognito, which generates the secret hash with this method
Can anyone provide detailed steps so that we can try to reproduce the issue? It would be helpful if anyone could provide debug logs. You can enable log by adding
Hello @MaximZemskov. Was this issue resolved or not?
@SheryarButt Hey. Yes, it was resolved, but not by me. For the other person, the problem was using the email instead of the uuid for the username.
Hi @Mohd-gslab or @SheryarButt, To assist further we will need to see complete debug logs as previously requested. You can enable log by adding
Those who are still getting the issue can check out this answer:
If you use email as your username, use the Cognito-assigned UUID username when calculating the secret hash, not the email address.
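
The fix described in this thread, as an added example (not code from the issue, boto3, or pycognito): the hash input is `username + client_id`, so a refresh request must hash the same username the user pool stores. Reading that username from the ID token's `cognito:username` claim is this example's assumption, and all identifiers and sample values below are constructed.

```python
import base64
import hashlib
import hmac
import json


def secret_hash(username, client_id, client_secret):
    """Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def jwt_claims(token):
    """Read a JWT's claims WITHOUT verifying its signature. Acceptable here only
    because the claim just selects the input to a hash Cognito verifies itself."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def refresh_auth_parameters(id_token, refresh_token, client_id, client_secret):
    """AuthParameters for REFRESH_TOKEN_AUTH, hashed over the pool's own
    username (the UUID), not the email alias the user typed at sign-in."""
    username = jwt_claims(id_token)["cognito:username"]
    return {"REFRESH_TOKEN": refresh_token,
            "SECRET_HASH": secret_hash(username, client_id, client_secret)}


def _b64url(obj):
    raw = json.dumps(obj).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample values (placeholders, not taken from the issue).
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"
EMAIL = "user@example.com"
POOL_USERNAME = "3f1c2a9e-0000-4000-8000-000000000001"
ID_TOKEN = ".".join([_b64url({"alg": "RS256"}),
                     _b64url({"cognito:username": POOL_USERNAME, "email": EMAIL}),
                     "constructed-signature"])

if __name__ == "__main__":
    params = refresh_auth_parameters(ID_TOKEN, "constructed-refresh-token",
                                     CLIENT_ID, CLIENT_SECRET)
    print("hash over UUID :", params["SECRET_HASH"])
    print("hash over email:", secret_hash(EMAIL, CLIENT_ID, CLIENT_SECRET))
```

The returned dictionary is what goes in `AuthParameters` of the `initiate_auth` call; the two printed hashes differ, which is why a hash computed over the email is rejected.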
Hi Boto3 Team
We are trying to refresh IdToken using Refresh Token with the help of the boto3 API. Below is the Python code:

```python
import boto3

client = boto3.client('cognito-idp')
client.initiate_auth(
    ClientId=client_id,
    AuthFlow='REFRESH_TOKEN_AUTH',
    AuthParameters={
        'REFRESH_TOKEN': refresh_token,
        'SECRET_HASH': get_secret_hash(username, client_id, client_secret)
    }
)
```

get_secret_hash(username, client_id, client_secret) is defined as below:

```python
import base64
import hashlib
import hmac

def get_secret_hash(username, client_id, client_secret):
    message = username + client_id
    dig = hmac.new(bytearray(client_secret, "utf-8"), msg=message.encode('UTF-8'),
                   digestmod=hashlib.sha256).digest()
    return base64.b64encode(dig).decode()
```

We get the below error when we call the client.initiate_auth method defined above:

```
botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Unable to verify secret hash for client 2cbjb*******
```

Note: We are using the same function get_secret_hash to generate secret_hash for signup method in boto3 and that works fine.
Boto3 version - 1.16.58
Botocore version - 1.19.58
Please let us know if we are missing something for generating IDToken from refresh token