
Cognito Authorization with Azure AD SAML integration returns id_token and access_token but no refresh token

I have a Cognito User Pool with 1 client that is configured with 2 identity providers: Cognito User Pool and a SAML provider that links to an Azure AD instance. The Allowed OAuth Flows setting is Implicit grant only. Login via the Cognito User Pool provider is done using the InitiateAuthCommand in the @aws-sdk/client-cognito-identity-provider library. From this an id_token, access_token and refresh token are all returned.

Login via the SAML provider is done by using the template link provided in the Cognito developer docs (https://your_Amazon_Cognito_userpool_domain/authorize?response_type=code&identity_provider=your-SAML-IdP-name&client_id=your-client-id&redirect_uri=https://your_application_redirect_url). This login works; however, only an id_token and access_token are returned (no refresh token).

How can I get Cognito to issue a refresh token for users logged in via the SAML provider?

Cognito should not return a refresh token for the Implicit grant flow. That is the intended behaviour according to the specification:

The authorization server MUST NOT issue a refresh token.

Also, using the implicit flow is highly discouraged due to vulnerabilities.

Please consider using the Authorization code grant flow along with PKCE. With that you can get the refresh token.

The reason you get the refresh token along with the aws-sdk is that it should be using a different auth flow (example: USER_PASSWORD_AUTH), as mentioned in the documentation.
