Cognito - User Pools App Integration and Federation - ¿How refresh id_token?

1
votes

Im using a new feature of AWS Cognito, its an App integrated with User Pool for more detail see https://github.com/aws/amazon-cognito-auth-js. Here there is an example, in this example I can get the id token, the access token but the refresh token is empty.

I checked the documentation in Amazon Congito --> Amazon Cognito API Reference --> Amazon Cognito Auth API Reference --> AUTHORIZATION Endpoint

  • For scope without openid

"The Amazon Cognito authorization server redirects back to your app with access token. Since openid scope was not requested, an ID token is not returned. A refresh token is never returned in this flow. Token and state are returned in the fragment and not in the query string".

  • For scope with openid

"The authorization server redirects back to your app with access token and ID token (because openid scope was included)."

Note: Here dont said nothing about refresh token, but its response this endopoint is

"https://YOUR_APP/redirect_ur#id_token=ID_TOKEN&access_token=ACCESS_TOKEN&token_type=bearer&expires_in=3600&state=STATE"

Then ¿I dont know how a can refresh my id_token to use for more than an hour? (whit openid scope)

2
amazon-web-servicesaws-sdkaws-cognito

2 Answers

2
votes

There are two auth flow

  • implicit flow: Only sends tokenId an Access Token
  • Auth grant flow:At first you get a code, that you can interchange for a triplet token (TokenId, Access Token and Refresh Token)

I was using implicit flow and for this I couldnt get the refresh token. In the example, in the index.html file, there is a line "auth.useCodeGrantFlow();" If you uncomment this line you switch implicit flow --> Auth grant flow. In this moment there is a pull request because there is a bug in this flow. For more detail enter link description here (pull request #32)

I have changed dist/amazon-cognito-auth.js file for the same file from the pull request and it work fine

Note: Is important configure your app in Cognito User pool without Secret because if you dont do this you have "invalid_client" error. This is because the sdk doesnt contemplates the header "Authorization" when does the post to /oauth/token endopoint in the Auth grant flow

0
votes

There's a lot going on in this question and answer. I'll say that for me, switching to a user pool with no secret key did the trick.