amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up, sign-in with user profile functionality to web apps.
Apache License 2.0

How to store idToken and how to retrieve it? #45

Closed guillaumedenece closed 6 years ago

guillaumedenece commented 6 years ago

Hi!

Is there a method with amazon-cognito-auth-js, similar to the one using amazon-cognito-identity-js, to store the data of the current logged in user and retrieve the idToken of this user?

Using amazon-cognito-identity-js, it is possible to make it this way:

Storing user data:

import { CognitoUserPool, CognitoUser, AuthenticationDetails } from 'amazon-cognito-identity-js';

// Sign in with username/password; on success the SDK caches the session locally.
// config.cognito is the app's own settings object.
function signIn(email, password) {
  const userPool = new CognitoUserPool({
    UserPoolId: config.cognito.USER_POOL_ID,
    ClientId: config.cognito.APP_CLIENT_ID
  });
  const user = new CognitoUser({ Username: email, Pool: userPool });
  const authenticationData = { Username: email, Password: password };
  const authenticationDetails = new AuthenticationDetails(authenticationData);

  return new Promise((resolve, reject) =>
    user.authenticateUser(authenticationDetails, {
      onSuccess: result => resolve(result),
      onFailure: err => reject(err)
    })
  );
}

Retrieving the idToken of the current user logged in:

import { CognitoUserPool } from 'amazon-cognito-identity-js';
// Read the cached user and hand back its idToken JWT through the callback.
function getIdToken(callback) {
  const userPool = new CognitoUserPool({
    UserPoolId: config.cognito.USER_POOL_ID,
    ClientId: config.cognito.APP_CLIENT_ID
  });
  const currentUser = userPool.getCurrentUser();
  if (!currentUser) return callback(new Error('no user is currently signed in'));
  currentUser.getSession(function (err, session) {
    if (err) return callback(err); // session is undefined on error
    callback(null, session.getIdToken().getJwtToken());
  });
}

Thank you very much! Guillaume

itrestian commented 6 years ago

If you look in the readme, use case 2 has a getSession method as well.

yuntuowang commented 6 years ago

To retrieve the idToken of this user, you can follow the case 2 in the README.md.

yuntuowang commented 6 years ago

Hi @guillaumedenece, did retrieving idToken work for you following use case 2? Please let me know if you have more questions!

jglanz commented 6 years ago

I'm seeing an odd issue: I only seem to get a valid accessToken and not an id or refresh token. Am I missing something?

yuntuowang commented 6 years ago

Hi @jglanz, if you are using the implicit grant flow, you will get tokens. However, which tokens you get depends on the scopes you configured for this app client in the Cognito console. For example, if you didn't choose 'openid' and only chose 'email' as a scope, you will only get an accessToken. When you choose 'openid' as a scope, or choose nothing for scope (by default, Cognito will choose 'openid' when you choose nothing), you will get an access token and an id token.

If you are using the authorization code grant flow, you will get a code, and our auth SDK will take care of the rest of the logic, e.g. exchanging the code for tokens (including the refresh token), refreshing tokens using the refresh token, etc.

Let me know if you have any other questions!

rboortman-skim commented 6 years ago

I'm seeing a similar issue and I can't wrap my head around it.

I have the following use case: within the Cognito Console, I created a group called admin and (manually) added users to this group. This group should be accessible in the application for visual changes only. Within my application I'm letting users log in via the App Integration provided by AWS. From what I've read, I can use the cognito:groups property of the user's idToken to see if the user is part of the admin group. I've tested this without the App Integration and that works fine. However, once I enable App Integration for the authentication process, I'm getting back an empty idToken, whereas the accessToken and refreshToken are filled and have a payload.

In the Cognito Console, in the App client settings of this app I enabled both the Authorization code grant and Implicit grant OAuth Flows as well as all the listed scopes (including the openid scope). Is there something else I'm doing wrong that results in me not getting back the idToken?

yuntuowang commented 6 years ago

Hi @rboortman-skim, I am assuming you are using Authorization code grant flow since you have refreshToken, correct?

In this case, you said you got back an empty idToken: is it absent, or does it just not have any claims inside?

I think you can try the code-for-tokens exchange with Postman to see if it works. For the detailed steps, you can refer here: https://github.com/aws/amazon-cognito-auth-js/issues/52

rboortman-skim commented 6 years ago

Hi @yuntuowang,

Thank you for the quick response. First of all, I am using the Authorization code grant flow: [screenshot: cognito]

About the response I get back, I get a successful CognitoAuthSession back with an empty idToken property: [screenshot: cognito-tokens]

I was not able to get Postman to work, I got a 405 Method Not Allowed Error: [screenshot: postman]

edit: I analysed it further and you are correct, I'm not receiving any idToken back from the server: [screenshot: cognito-tokens]

rboortman-skim commented 6 years ago

Ok, in regard to the Postman request: I sent the request to the wrong address (/oauth2/authorize instead of /oauth2/token), but when sending the request to the correct address I'm still getting a 400 Bad Request error.

What am I doing wrong? [screenshot: postman_token]

[screenshot: postman_token_header]

The app client is configured without an app client secret by the way.

rboortman-skim commented 6 years ago

I was finally able to solve my own problem. I only had the email scope inside the TokenScopesArray of the authData given to the CognitoAuth object. When I added the openid scope as well, the idToken was sent back to the client.

I still don't know why Postman isn't working for me, but at least my client application is working.

yuntuowang commented 6 years ago

Hi @rboortman-skim, so glad it works for your application. Yes, "invalid_request" can have many causes; usually it is caused by an inconsistency between your app client console settings and your app implementation, such as in your case (the scopes were inconsistent).
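An added example (not code from amazon-cognito-auth-js or from anyone in this thread) tying together yuntuowang's point about scopes and rboortman-skim's fix: it refuses a TokenScopesArray without 'openid', then reads cognito:groups from an idToken payload. The authData keys beyond TokenScopesArray, the placeholder URLs and the locally constructed idToken are assumptions for illustration.

```javascript
// Added example, not code from amazon-cognito-auth-js: TokenScopesArray needs 'openid'
// to get an idToken, and cognito:groups is read from the idToken payload.

// Build the authData later passed to new CognitoAuth(authData). Refuses scope lists
// that cannot yield an idToken (the thread's failure case: only 'email').
function buildAuthData(clientId, userPoolId, appWebDomain, scopes) {
  if (!scopes.includes('openid')) {
    throw new Error("TokenScopesArray must include 'openid' to receive an idToken; got [" + scopes.join(', ') + ']');
  }
  return {
    ClientId: clientId,
    UserPoolId: userPoolId,
    AppWebDomain: appWebDomain,
    TokenScopesArray: scopes,
    RedirectUriSignIn: 'https://app.example.invalid/callback', // placeholder
    RedirectUriSignOut: 'https://app.example.invalid/' // placeholder
  };
}

// Decode a JWT payload without verifying the signature: a reader for tokens the
// SDK has already validated in the session, not a verifier.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// True when the idToken's cognito:groups claim contains the group. Rejects access
// tokens so a caller cannot pass the wrong token by mistake.
function isInGroup(idToken, group) {
  const claims = decodeJwtPayload(idToken);
  if (claims.token_use !== 'id') throw new Error('expected an id token');
  return (claims['cognito:groups'] || []).includes(group);
}

// Constructed sample idToken: real layout, made-up claims, dummy signature.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_');
}
const SAMPLE_ID_TOKEN = [
  b64url({ alg: 'RS256', kid: 'placeholder-kid' }),
  b64url({ sub: 'user-1', token_use: 'id', 'cognito:groups': ['admin'] }),
  'dummy-signature'
].join('.');
```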