Cognito Authorization with Azure AD SAML integration returns id_token and access_token but no refresh token
I have a Cognito User Pool with 1 client that is configured with 2 identity providers: Cognito User Pool and a SAML provider that links an Azure AD instance. The Allowed OAuth Flows setting is set to Implicit grant only.

Login via the Cognito User Pool provider is done using the InitiateAuthCommand in the @aws-sdk/client-cognito-identity-provider library. From this an id_token, access_token and refresh token are all returned.

Login via the SAML provider is done by using the template link provided in the Cognito developer docs (https://your_Amazon_Cognito_userpool_domain/authorize?response_type=code&identity_provider=your-SAML-IdP-name&client_id=your-client-id&redirect_uri=https://your_application_redirect_url). This login works, however only an id_token and access_token are returned (no refresh token).

How can I get Cognito to issue a refresh token for users logged in via the SAML provider?
Cognito should not return a refresh token for the Implicit grant flow. That is the intended behaviour according to the specification:

"The authorization server MUST NOT issue a refresh token."

Also, using the implicit flow is highly discouraged due to vulnerabilities. Please consider using the Authorization code grant flow along with PKCE. With that you can get the refresh token.

The reason you get the refresh token with the aws-sdk is that it uses a different auth flow (for example USER_PASSWORD_AUTH), as mentioned in the documentation.