
AWS Cognito RefreshToken API always shows "SecretHash does not match for the client"

I have created an AWS Cognito User Pool and added an App Client with a secret. When I use the DotNet SDK to signup, signin, confirmSignup, and signout, these APIs succeed. However, when I try to refresh the access token via the refresh token, I always get the exception "SecretHash does not match for the client: xxxxxx (App client Id)". Could anybody help? My code is as follows:

    var userPool = new CognitoUserPool(_cognitoSecret.CognitoUserPoolId, _cognitoSecret.CognitoAppClientId, _awsCognitoClient, appClientSecret);
    var cognitoUser = new CognitoUser(request.Username,
        _cognitoSecret.CognitoAppClientId, userPool, _awsCognitoClient, appClientSecret);

    cognitoUser.SessionTokens = new CognitoUserSession(null, null, request.RefreshToken, DateTime.UtcNow, DateTime.UtcNow.AddSeconds(Constants.DefaultTokenExpirationTime));

    var authRequest = new InitiateRefreshTokenAuthRequest
    {
        AuthFlowType = AuthFlowType.REFRESH_TOKEN_AUTH    // to refresh access token and id token
    };

    var response = await cognitoUser.StartWithRefreshTokenAuthAsync(authRequest);

And I also tried another way, but got the same exception:

    var refreshTokenRequest = new InitiateAuthRequest
    {
        ClientId = _cognitoSecret.CognitoAppClientId,
        AuthFlow = AuthFlowType.REFRESH_TOKEN_AUTH
    };

    refreshTokenRequest.AuthParameters.Add("REFRESH_TOKEN", request.RefreshToken);
    if (!string.IsNullOrWhiteSpace(_cognitoSecret.CognitoAppClientId) && !string.IsNullOrWhiteSpace(_cognitoSecret.CognitoAppClientSecret))
    {
        var secretHash = SecretHashComputation.GetSecretHash(request.Username,
            _cognitoSecret.CognitoAppClientId, _cognitoSecret.CognitoAppClientSecret);

        refreshTokenRequest.AuthParameters.Add("SECRET_HASH", secretHash);
    }

    var response = await _awsCognitoClient.InitiateAuthAsync(refreshTokenRequest);

Finally, I found it myself.

For AuthFlowType.REFRESH_TOKEN_AUTH, the SECRET_HASH must be computed with the Username (sub) in the Cognito User Pool, rather than the Email (if I choose Email as the username when I create the User Pool).

This is confusing because the SECRET_HASH has to be computed with the Email in the other AuthFlowTypes.
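A worked version of that fix, added here as an illustration and not taken from the question or from the AWS SDK: Cognito's SECRET_HASH is Base64(HMAC-SHA256(key = client secret, message = username + client id)), and for REFRESH_TOKEN_AUTH the username fed into it is the user's sub. The class and method names are my own, and taking the sub from the `sub` claim of the tokens returned at sign-in (or from GetUser) is an assumption about how the caller obtains it.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;

public static class CognitoRefreshExample
{
    // SECRET_HASH = Base64( HMAC-SHA256( key: clientSecret, message: username + clientId ) )
    public static string ComputeSecretHash(string username, string clientId, string clientSecret)
    {
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(clientSecret));
        var digest = hmac.ComputeHash(Encoding.UTF8.GetBytes(username + clientId));
        return Convert.ToBase64String(digest);
    }

    // For REFRESH_TOKEN_AUTH the hash must be computed over the pool Username,
    // i.e. the user's sub (assumed here to have been read from the "sub" claim of
    // the ID token issued at sign-in), not over the e-mail alias used to sign in.
    public static InitiateAuthRequest BuildRefreshRequest(
        string userSub, string refreshToken, string clientId, string clientSecret)
    {
        return new InitiateAuthRequest
        {
            ClientId = clientId,
            AuthFlow = AuthFlowType.REFRESH_TOKEN_AUTH,
            AuthParameters = new Dictionary<string, string>
            {
                ["REFRESH_TOKEN"] = refreshToken,
                ["SECRET_HASH"] = ComputeSecretHash(userSub, clientId, clientSecret),
            },
        };
    }

    // Sends the request and returns the fresh access token.
    public static async Task<string> RefreshAccessTokenAsync(
        IAmazonCognitoIdentityProvider client, string userSub, string refreshToken,
        string clientId, string clientSecret)
    {
        var request = BuildRefreshRequest(userSub, refreshToken, clientId, clientSecret);
        var response = await client.InitiateAuthAsync(request);
        return response.AuthenticationResult.AccessToken;
    }
}
```

Passing the e-mail instead of the sub into ComputeSecretHash produces a different Base64 value, which is exactly what Cognito rejects with "SecretHash does not match for the client".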
