capless / warrant

Python library for using AWS Cognito. With support for SRP.
Apache License 2.0

How to check Cognito Web redirect token after successful login #77

Open vcajes opened 6 years ago

vcajes commented 6 years ago

I configured Cognito to use the custom website that AWS Cognito provides for signup/signin as specified here:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-ui-customization.html

I am perfectly able to signup and login within the AWS Cognito page:

https:///login?response_type=code&client_id=&redirect_uri=

(in this scenario, Cognito provides EVERYTHING, the Web interface, registration forms, facebook login buttons, etc. It works great! But I can not validate the received token)

The problem is that, after a successful login, Cognito redirects to the redirect page that I set, and the redirect includes a "code" value as a GET parameter.

I can not find documentation of how to use that "code" parameter, but it surely needs to be validated by my Python backend in order to check if that code is a valid session for a given user.

Does warrant provide a way to validate this "code" token? If so, can you provide a sample Python code? Otherwise, is there a possibility to request this as a feature for warrant?

Thanks!!

jesus6402 commented 6 years ago

+1

ghost commented 6 years ago

Here is a link that might help:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-userpools-server-contract-reference.html

It looks like the "code" value you receive needs to then be passed to the following endpoint:

https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

Sample request:

POST https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token&
Content-Type='application/x-www-form-urlencoded'&
Authorization=Basic aSdxd892iujendek328uedj

grant_type=authorization_code&
client_id=djc98u3jiedmi283eu928&
code=AUTHORIZATION_CODE&
redirect_uri=com.myclientapp://myclient/redirect

Sample response:

HTTP/1.1 200 OK
Content-Type: application/json

{ 
 "access_token":"eyJz9sdfsdfsdfsd", 
 "refresh_token":"dn43ud8uj32nk2je", 
 "id_token":"dmcxd329ujdmkemkd349r",
 "token_type":"Bearer", 
 "expires_in":3600
}

The id_token, refresh_token and access_token can then be used with the .check_token() method. If this method returns False the access_token is valid. If not it will use the refresh_token and return a new access_token that can be accessed using u.access_token after the .check_token() method call.

from warrant import Cognito

# Tokens obtained from the /oauth2/token exchange above
u = Cognito('your-user-pool-id', 'your-client-id',
    id_token='id-token', refresh_token='refresh-token',
    access_token='access-token')

# Uses the refresh_token to obtain a new access_token if the current one has expired
u.check_token()

Hope this helps!
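The exchange described above, as an added example that is not part of warrant or of this thread: it builds the POST to the /oauth2/token endpoint for the "code" from the hosted UI, and checks the issuer, audience, token_use and expiry claims of the returned id_token. It assumes the JWT signature has already been verified against the user pool's JWKS by a JWT library (the claims dict is what that library returns); the domain, region, pool id and client values are constructed placeholders.

```python
# Added example (not warrant's code): exchange the hosted-UI "code" at
# /oauth2/token and check the id_token claims. Signature verification against
# the pool's JWKS is assumed to have happened before check_id_token_claims().
import base64
import time
from urllib.parse import urlencode


def build_token_request(domain, region, client_id, client_secret, code, redirect_uri):
    """Return the POST (url, headers, form body) that exchanges the code for tokens."""
    url = f"https://{domain}.auth.{region}.amazoncognito.com/oauth2/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        # App clients with a secret authenticate with HTTP Basic client_id:client_secret
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    body = urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        # Must be byte-for-byte the redirect_uri used on the /login request
        "redirect_uri": redirect_uri,
    })
    return {"url": url, "headers": headers, "body": body}


def check_id_token_claims(claims, region, user_pool_id, client_id, now=None):
    """Claim checks for a signature-verified id_token; returns (ok, reason)."""
    now = time.time() if now is None else now
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    if claims.get("aud") != client_id:          # token minted for another app client
        return False, "audience mismatch"
    if claims.get("token_use") != "id":         # an access token is not an id token
        return False, "not an id token"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not real Cognito identifiers
    req = build_token_request("mydomain", "us-east-1", "abc", "xyz",
                              "AUTHORIZATION_CODE", "https://app.example/cb")
    print(req["url"], req["headers"], req["body"], sep="\n")
    sample = {"iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
              "aud": "abc", "token_use": "id", "exp": 2000}
    print(check_id_token_claims(sample, "us-east-1", "us-east-1_EXAMPLE", "abc", now=1000))
```

Send `req["body"]` with `req["headers"]` to `req["url"]` with any HTTP client; the response JSON is the token set shown above.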

TechnoMaster commented 2 years ago

I know this is an old post, but for anyone else looking for solutions to this, you can just change the https:///login?response_type=code&client_id=&redirect_uri= url.

Change response_type from code to token to get the login tokens