amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up, sign-in with user profile functionality to web apps.
Apache License 2.0

Working sample of Authorization code grant flow? #52

Closed railsstudent closed 6 years ago

railsstudent commented 6 years ago

Can Amazon provide a sample of the Authorization code grant flow?

I tried to use Google to log in to the Cognito User Pool, but the token endpoint returns 'invalid_client'. When I returned the client id and client secret of Google in the header, encrypted with base64, the endpoint returned an "internal error" error message.

I am stumped here. Thanks

yuntuowang commented 6 years ago

Hi @Elayaraja-Dhanapal, are you using the newest version of this Auth SDK?

Currently Auth SDK doesn't depend on aws-sdk anymore.

We initialize this way now: var auth = new AmazonCognitoIdentity.CognitoAuth(authData); Please see the sample for more details: https://github.com/aws/amazon-cognito-auth-js/tree/master/sample

Also, when it went to auth.userhandler.onFailure(), what error message did you see on the login screen? You can debug from there. Some of your app client settings may be incorrect.

Elayaraja-Dhanapal commented 6 years ago

Hi @Crystal Wang, thank you for the quick response and solution.

I took the latest file and updated the method according to your comments.

After entering credentials and hitting the login button, the page is loaded with the URL below:

https://myURL/onelogin.html?code=1eadf067-1797-4e7e-9742-39273a931cdb&state=oewSwop59scqesBJrqIndXLqNKRJnUPC

The page reloads indefinitely, and the code and state values change with each redirectURL call.

There is no error coming from the auth.userhandler -> onFailure call. I see it as blank.

Could you please provide me a working example for this? If setting and getting the state parameter is included, it will help me a lot!

Thank you in advance!

yuntuowang commented 6 years ago

Hello, @Elayaraja-Dhanapal, what do you mean by "you set it blank"? Do you mean you set onFailure() to be blank?

The working sample is https://github.com/aws/amazon-cognito-auth-js/blob/master/sample/index.html. Setting and getting the state parameter is supported in this sample too. Many other developers, including me, use it and it works well. Can you carefully read it, put your own values in the placeholders, and try? It is really hard for me to help you debug at this point. If you directly download the sample and follow the instructions to use it, it will work.

Elayaraja-Dhanapal commented 6 years ago

Hi @Crystal Wang,

Once again, thank you for the quick response!

What I meant was that in onFailure(err), the err or exception received through the argument is empty. So nothing is displayed on the console.

It works fine in the Chrome browser, but the problem is in the Mozilla Firefox browser.

Strange :-(

I will take a look at the sample code on setting and getting the state parameter. Thank you!


yuntuowang commented 6 years ago

Hi @Elayaraja-Dhanapal, I see. Let me know if you still cannot make the Firefox working. Thanks!!

Elayaraja-Dhanapal commented 6 years ago

Hi @yuntuowang, I am still not able to make it work in Firefox. However, the code works fine in Chrome and IE (with polyfill).

Please find the details below:

  1. Onload, open the login screen.

Code snippet in login.js, called onload:

    tokenScopesArray = ['email', 'openid'];
    // Other authData details are populated from the JSON file.

    var auth = new AmazonCognitoIdentity.CognitoAuth(authData);
    auth.userhandler = {
        onSuccess: function(result) {
            signedIn(result);
        },
        onFailure: function(err) {
            console.log("Error!" + err); // err value is coming as empty.
        }
    };
    auth.useCodeGrantFlow();
    auth.parseCognitoWebResponse(curUrl);
    auth.getSession();

  2. After I enter the Cognito username and password, the console displays "Error!".

  3. I see that Firefox (version 52.8.0) continuously reloads with the URLs below with a 302 code:

"https://siteURL/onelogin.html?code=0c597415-d3f2-4df0-ad46-ef428dc5b0b8&state=XgujViE6Vy0BrRdjxYqu2PTiNw6C1L1W"

"https://siteURL?code=59fce4fb-b9af-4f18-8bc3-d01c08f81340&state=yVmxMEAwltBADpXnFJMER3cv7wJcvhYw"

The cookie values remain the same!

Could you please help me to solve it?

Thank you!

Elayaraja-Dhanapal commented 6 years ago

Hi Crystal Wang,

In Firefox the issue is still there; however, if I add a delay in the launchURL method when calling window.open, it works like a charm. But I think this is not the actual fix.

Every hour, the RefreshToken expires and I need to get a new RefreshToken. I am using the AWS auth as well as the identity JS files. But when they are used together, CognitoAuth does not work.

I get this error: TypeError: AmazonCognitoIdentity.CognitoAuth is not a constructor


james-s-turner commented 6 years ago

The original question asked "Can Amazon provide a sample of the Authorization code grant flow?" Has anyone managed to find anything? If anyone from Amazon is listening, is there any?

chamathsilva commented 6 years ago

@james-s-turner Hope this will help you https://github.com/chamathsilva/Working-sample-of-Authorization-code-grant-flow

james-s-turner commented 6 years ago

@chamathsilva Thanks for your reply. However, the example you gave is for client-side authorization. The secret tokens are transmitted over the network and stored on the client. This would be vetoed by our security group. I want to do server-side authentication, where the identity provider redirects the single-use 'authorization_code' back to a Lambda function. The Lambda function exchanges the authorization code for the JWT containing the secret OAuth2 tokens. The secret tokens never go to the browser. The Lambda function then creates HttpOnly session cookies. Is there any guidance on how to get such a scheme working?
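The server-side scheme described above, written out as an added example (not code from the issue thread or from the SDK). It assumes an API Gateway-style proxy event, a Lambda-style handler, and an injected exchange() function that performs the HTTP POST to the token endpoint, so the state check, request construction and cookie handling can be exercised offline; the *_PLACEHOLDER constants and the redirect URI are assumptions.

```javascript
// Added example (not SDK code): Lambda-style handler for the server-side exchange.
// *_PLACEHOLDER values are assumptions; exchange() is an injected HTTP POST so it runs offline.
const TOKEN_ENDPOINT = 'https://DOMAIN_PLACEHOLDER.auth.REGION_PLACEHOLDER.amazoncognito.com/oauth2/token';
const CLIENT_ID = 'CLIENT_ID_PLACEHOLDER';
const CLIENT_SECRET = 'CLIENT_SECRET_PLACEHOLDER'; // null for an app client without a secret
const REDIRECT_URI = 'https://app.example.com/callback';

// Cognito takes client_id:client_secret as HTTP Basic auth only when the app client has
// a secret; otherwise client_id goes in the form body alone. A mismatched Basic header
// is one way to get the invalid_client error seen in the thread.
function tokenRequestHeaders(clientId, clientSecret) {
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
  if (clientSecret) {
    headers.Authorization = 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
  }
  return headers;
}

function tokenRequestBody(clientId, code, redirectUri) {
  const p = { grant_type: 'authorization_code', client_id: clientId, code, redirect_uri: redirectUri };
  return new URLSearchParams(p).toString();
}

// HttpOnly keeps the token from page scripts, Secure off plaintext HTTP, SameSite off cross-site requests.
function sessionCookie(name, value, maxAgeSeconds) {
  return `${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

function parseCookies(header) {
  return Object.fromEntries(header.split(';').map((c) => c.trim().split('=')).filter((kv) => kv[0]));
}

// event mirrors an API Gateway proxy event; exchange(url, headers, body) returns the parsed
// JSON token response (a real handler would await an HTTP client here).
function handleCallback(event, exchange) {
  const q = event.queryStringParameters || {};
  const cookies = parseCookies((event.headers && event.headers.cookie) || '');
  // The state issued before the redirect must come back unchanged (CSRF check).
  if (!q.code || !q.state || q.state !== cookies.oauth_state) {
    return { statusCode: 400, body: 'missing code or state mismatch' };
  }
  const tokens = exchange(TOKEN_ENDPOINT, tokenRequestHeaders(CLIENT_ID, CLIENT_SECRET),
    tokenRequestBody(CLIENT_ID, q.code, REDIRECT_URI));
  if (!tokens || tokens.error) return { statusCode: 401, body: 'token exchange failed' };
  const setCookie = [sessionCookie('id_token', tokens.id_token, tokens.expires_in),
    sessionCookie('oauth_state', '', 0)]; // clear the one-time state
  return { statusCode: 302, headers: { Location: '/' }, multiValueHeaders: { 'Set-Cookie': setCookie }, body: '' };
}
```

The refresh token, if stored at all, belongs in the same kind of HttpOnly cookie or in server-side session storage, never in the page.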

shamseerpc commented 6 years ago

@yuntuowang I am using the Amazon Cognito user pool for login. For testing purposes, how do I integrate the getting-the-code part in Postman?

Sreeraok commented 5 years ago

Can you guys upload a working angular/cli sample with components for the auth SDK?

valdanoelnagm commented 5 years ago

Hello yuntuowang, you seem very helpful. Thank you for everything. I have a small issue. I'm getting an Invalid_Client error when trying to exchange an Authorization Code for Tokens. I unchecked the generate client secret box in the Cognito app client settings, and haven't configured any client secrets. I'm able to get authentication codes. Also, in the basic authentication I'm using credentials. Or what do you think I should use?

chamathsilva commented 5 years ago

@valdanoelnagm I got the same issue when I tested the code exchange API. Just try to test it using the curl command instead of Postman. That worked for me.

Mistakyle commented 5 years ago

[Screenshot: Postman request to Cognito]

I am making a POST to the following request and getting:

{ "error": "invalid_request" }

I can confirm the clientId is correct, and I have disabled the generate client secret option.

Does anyone have any guidance?

LUS1N commented 5 years ago

@yuntuowang Hi, is the authorisation code grant with PKCE flow working?

This issue is the only thing I could find that even remotely discusses auth flow issues.

When calling the AUTHORIZE endpoint I use a random string (conforming to the requirements A-Za-z0-9) that is hashed with sha256 and base64 encoded as code_challenge. I manage to get the code. Then when I'm trying to get the token I use that same random string (before it's hashed and base64 encoded) as code_verifier.

My request is identical to the one in the TOKEN endpoint documentation for Exchanging an Authorization Code Grant with PKCE for Tokens. (with my values). EXCEPT for the Authorisation header, which I do not include as my application does not have a secret.

What I receive is invalid_request the first time and then invalid_grant in the subsequent requests (I take it the code is marked as used at this point).

atagunduzalp commented 5 years ago

Hello @LUS1N
I was struggling with exactly the same problem as you describe above. When I first read it I was like "when did I put my question down here?". It took 3 days to solve it, but finally I got the tokens on my screen!

For me, the problem was the code_challenge that I tried to generate. Yep, that was it. That simple. Here I dropped a Python script that I ran and finally got it working. Hope you will handle it too, or already have!

[Screenshot of the Python script, 2019-03-27 18:45:16]

LUS1N commented 5 years ago

@atagunduzalp thx! I actually have also solved it already but forgot I made this comment :)

nithinhuliyappa commented 5 years ago

Hi, I am using the Cognito hosted UI for login (implicit grant), and I am able to log in successfully. I received the access token as a hash in the callback URL. How do I extract the token from the URL and get the user details like Name and PhoneNumber?

My request URL is as below: https:///login?response_type=token&client_id=*****&redirect_uri=http://localhost:8080/searchEvent

The redirected URL is as below:

http://localhost:8080/searchEvent#id_token=**************&access_token=************&expires_in=3600&token_type=Bearer

LUS1N commented 5 years ago

@nithinhuliyappa You need to extract it from the id token using some JWT decoding library.

You can paste it in https://jwt.io/ to see what it looks like when decoded and also find a library for your language.

nithinhuliyappa commented 5 years ago

@LUS1N thanks for the reply.

However, the challenge is accessing the Id_token returned from AWS Cognito from the backend code (node.js). Since the Id_token is a URL fragment, it can't be passed on to the backend. Any suggestions for accessing the URL fragment from the backend are appreciated!

Note: I am able to extract the URL fragment on the browser using window.location.hash

LUS1N commented 5 years ago

@nithinhuliyappa if you have a backend app that is capable of holding a secret - use the authorization code grant flow instead of implicit grant. If you don’t know what I’m talking about, read this - https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth

nithinhuliyappa commented 5 years ago

@yuntuowang I am getting a 405 Method Not Allowed error when a POST request is made to the oauth2/token endpoint. Please help!

nithinhuliyappa commented 5 years ago

@nithinhuliyappa if you have a backend app that is capable of holding a secret - use the authorization code grant flow instead of implicit grant. If you don’t know what I’m talking about, read this - https://developer.okta.com/blog/2017/06/21/what-the-heck-is-oauth

I am getting a 405 Method Not Allowed error when the request is made to the token endpoint. Any insights on this?

LUS1N commented 5 years ago

@nithinhuliyappa I have zero context to be able to answer that. Try asking on stackoverflow and read this before you do https://stackoverflow.com/help/how-to-ask

chris-denglere commented 4 years ago

@chamathsilva Thanks for your reply. However, the example you gave is for client-side authorization. The secret tokens are transmitted over the network and stored on the client. This would be vetoed by our security group. I want to do server-side authentication, where the identity provider redirects the single-use 'authorization_code' back to a Lambda function. The Lambda function exchanges the authorization code for the JWT containing the secret OAuth2 tokens. The secret tokens never go to the browser. The Lambda function then creates HttpOnly session cookies. Is there any guidance on how to get such a scheme working?

Is anyone at AWS able to give an update on this? I'm currently trying to accomplish the same thing.