aws / aws-sdk-net-extensions-cognito

An extension library to assist in the Amazon Cognito User Pools authentication process
Apache License 2.0
102 stars 49 forks

Not able to get any OAuth or custom Scopes in Access Token #42

Closed hanslai closed 1 year ago

hanslai commented 4 years ago

Hello:

I am writing an application using Vue as the frontend, and asp.net core web api as the backend.
I am using "Authorization code grant" only for now, will add PKCE later.

Yet the only scope I am able to get from the returned access token is "aws.cognito.signin.user.admin".

Below is the Access Token payload, with some info replaced by ****:

```json
{
  "sub": "*************************",
  "device_key": "*************************",
  "cognito:groups": [
    "AIS_Test_Group"
  ],
  "iss": "https://cognito-idp.ap-southeast-1.amazonaws.com/*****************",
  "client_id": "*************************",
  "event_id": "bcc3b362-ed43-4551-a562-6671f2ec3f2f",
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin",
  "auth_time": 1564057907,
  "exp": 1564061507,
  "iat": 1564057907,
  "jti": "e68c081c-533e-4f57-88cd-263b06d752f7",
  "username": "hans"
}
```

"Allowed OAuth Scopes" is checked for "phone", "email", "openid", "aws.cognito.signin.user.admin" and "profile" in the App client settings for the user pool.

For the backend Web API we are authenticating with Secure Remote Protocol (SRP):

```csharp
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentityProvider;
using Amazon.Extensions.CognitoAuthentication;
using Amazon.Runtime;
using Microsoft.AspNetCore.Mvc;

// _region, _AWS_UserPoolId and _appClientId are fields of the enclosing controller.
[HttpPost]
[Route("SignInSPR")]
public async Task<ActionResult<string>> SignInSPR(User user)
{
    // Anonymous credentials: InitiateAuth / RespondToAuthChallenge need no IAM identity.
    var provider = new AmazonCognitoIdentityProviderClient(new AnonymousAWSCredentials(), _region);
    var userPool = new CognitoUserPool(_AWS_UserPoolId, _appClientId, provider);
    var cognitoUser = new CognitoUser(user.Username, _appClientId, userPool, provider);

    // SRP flow: the password itself is never sent to the service, only the SRP proof.
    AuthFlowResponse authResponse = await cognitoUser.StartWithSrpAuthAsync(new InitiateSrpAuthRequest
    {
        Password = user.Password
    }).ConfigureAwait(false);

    // authResponse.AuthenticationResult carries the id, access and refresh tokens.
    return Ok(authResponse);
}
```

Yet, we are not able to get any OAuth scopes such as "openid" and "profile", or any "custom scopes".

Please advise on how we can get "OAuth scopes" and "custom scopes" with the Amazon Cognito Authentication Extension Library, or do I need to use the ASP.NET Core Identity Provider?

Thanks,

Hans

hanslai commented 4 years ago

@klaytaybai since this issue has been marked as "feature-request", does it mean I cannot use aws-sdk-net-extensions-cognito to get OAuth or custom scopes right now?

sandeepsdixit commented 4 years ago

I have the same issue and have opened a case # 6756083471.

When using a third-party IdP like Google or Facebook, it returns all scopes, but for the Cognito IdP it does not:

GOOGLE IDP access token =

```json
{
  "sub": "383dds42-ccd7-4ad1-86d3-fdb83bsee4e9",
  "cognito:groups": [ "us-east-2_peGdsfhTXuI_Google" ],
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin phone openid profile api.kabuter.io/write api.kabuter.io/read email",
  "auth_time": 1579371616,
  "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_pdGsdfTXuI",
  "exp": 1579375217,
  "iat": 1579371617,
  "version": 2,
  "jti": "2f83dsd2-0914-df62-8938-f8e0f3bcd142",
  "client_id": "1ld8tdsddqlkttlaqqo6",
  "username": "Google_100162641872007655599"
}
```

COGNITO IDP access token =

```json
{
  "sub": "e2sd2cc3a-57e8-405c-9400-2dsd6dc6d774a",
  "event_id": "9a9930d1-be36-45a2-bacf-134aa3a28185",
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin",
  "auth_time": 1579364417,
  "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_peqweTXsdfI",
  "exp": 1579368018,
  "iat": 1579364418,
  "jti": "b4b7ab15-edd5-45e8-add2-c83sdfsdf7d679e12",
  "client_id": "1ld8td49v1sdfs9gloqqlkdfdsttlaqqdo6",
  "username": "e222cdc3a-57e8-405c-9400-2ddsd6dc6d774a"
}
```

sandeepsdixit commented 4 years ago

Other values are obfuscated intentionally.

dienomb commented 4 years ago

There must be a workaround to this??? Does someone know???

Will be much appreciated.

vmary2014 commented 2 years ago

Hi. Is there any update on this issue? Would be great to access the custom scopes.

shubhrit-D commented 2 years ago

Hi,

Any update on the above issue? We are trying to add custom scopes in AWS Cognito through resource servers but after logging in, the access token doesn't have any custom scopes.

Thanks.

sonicsandy commented 2 years ago

Hi

Having the same issue of not being able to retrieve the custom scopes using auth code grant.

Configured in the app client settings: (screenshot)

But the access token does not have them: (screenshot)

If this is not how it should work, then what is a good way of using custom scopes with auth code grant?

equt commented 2 years ago

To whoever gets into this issue, if the following descriptions match your situation,

  1. You do not want to use the hosted UI
  2. You or your colleagues choose to use the client/server pattern, i.e., call the AWS Cognito SDK on your server side to generate the token, then pass it to your web or native app.

Then, the answer is simply NO, YOU CAN'T.

Actually, many similar issues have been there for about three years. Of course, this is one of them.

Most of them are simply closed and locked because there is no recent activity.

michaelakin commented 1 year ago

This is still an issue. Any update?

ashishdhingra commented 1 year ago

Needs review with the team. There were a lot of open issues in the past which were closed due to inactivity.

michaelakin commented 1 year ago

> Needs review with the team. There were a lot of open issues in the past which were closed due to inactivity.

Thanks, this is definitely still a problem that I am encountering.

glomtadzeWarrCloud commented 1 year ago

Same issue, it's a huge flaw of Cognito.

normj commented 1 year ago

I'm not dismissing the issue with custom scopes, but this library has no control over what is returned in the access token. This is a service issue that has to be addressed at the service, not the client library. The AWS .NET SDK team which owns this library can't make that service-level change.

github-actions[bot] commented 1 year ago

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

rupertlssmith commented 6 months ago

Seems to have been fixed on Cognito User Pools: https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/
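The linked feature works through the user pool's "pre token generation" Lambda trigger with the V2 event version, which is what lets the access token's scope list be changed service-side. As an added example that is not code from this thread, the library, or AWS, here is a Python handler for that trigger that adds resource-server scopes based on the user's group membership; the group names, scope strings and the sample event are constructed, and the response key path follows the documented V2 event shape.

```python
# Added example, not from this issue: a Cognito "pre token generation" trigger
# (V2 event) that adds custom scopes to the ACCESS token from group membership.

# Constructed mapping: which user-pool groups grant which resource-server scopes.
GROUP_SCOPES = {
    "AIS_Test_Group": ["api.example.com/read"],
    "api-writers": ["api.example.com/read", "api.example.com/write"],
}


def scopes_for_groups(groups):
    """Union of scopes granted by `groups`, first-seen order; groups with no
    mapping grant nothing (least privilege rather than a default scope)."""
    granted = []
    for group in groups:
        for scope in GROUP_SCOPES.get(group, []):
            if scope not in granted:
                granted.append(scope)
    return granted


def lambda_handler(event, context=None):
    """Only the V2 event (version "2") can change the access token; a V1 event
    is returned untouched instead of guessing at a response shape."""
    if event.get("version") != "2":
        return event
    groups = (event.get("request", {})
                   .get("groupConfiguration", {})
                   .get("groupsToOverride", []))
    scopes = scopes_for_groups(groups)
    if scopes:
        # V2 response path: response.claimsAndScopeOverrideDetails.accessTokenGeneration.scopesToAdd
        event.setdefault("response", {})["claimsAndScopeOverrideDetails"] = {
            "accessTokenGeneration": {"scopesToAdd": scopes}
        }
    return event


def make_event(groups, version="2"):
    """Constructed trigger event shaped like the real one (values invented)."""
    return {
        "version": version,
        "triggerSource": "TokenGeneration_Authentication",
        "userName": "hans",
        "request": {
            "userAttributes": {"sub": "constructed-sub", "email": "hans@example.com"},
            "groupConfiguration": {"groupsToOverride": list(groups)},
            "scopes": ["aws.cognito.signin.user.admin"],
        },
        "response": {},
    }
```

The trigger must be enabled with the V2 event version on the user pool for the `accessTokenGeneration` block to take effect; the API that consumes the token should still reject tokens whose `scope` claim lacks the required resource-server scope.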