pmill / aws-cognito

A PHP library for AWS Cognito user pools
MIT License

refreshAuthentication.php example gives "Unable to verify secret hash for client" #42

Open BenKennish opened 4 years ago

BenKennish commented 4 years ago

I can get all the other example scripts working as expected but refreshAuthentication.php doesn't seem to work for me....

>php login.php
array(5) {
  'AccessToken' =>
  string(1002) "eyJraWQiO<snip>nG_z1g"
  'ExpiresIn' =>
  int(3600)
  'TokenType' =>
  string(6) "Bearer"
  'RefreshToken' =>
  string(1785) "eyJjdHki<snip>K70c4aQ"
  'IdToken' =>
  string(958) "eyJraWQiOiJOd1B<snip>OUAKuyODEPuw"
}

I then edit refreshAuthentication.php and put in the same value for $username as I used in login.php and with $refreshToken set to the RefreshToken I received above (starting eyJjd and ending 4aQ) and I get...

>php refreshAuthentication.php

Fatal error: Uncaught exception 'Aws\CognitoIdentityProvider\Exception\CognitoIdentityProviderException' with message 'Error executing "AdminInitiateAuth" on "https://cognito-idp.eu-west-2.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.eu-west-2.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"NotAuthorizedException","message":"Unable to verify secret hash for client 2od40<snip>rf9crnnej"}
 NotAuthorizedException (client): Unable to verify secret hash for client 2od40<snip>rf9crnnej - {"__type":"NotAuthorizedException","message":"Unable to verify secret hash for client 2od40<snip>rf9crnnej"}'

GuzzleHttp\Exception\ClientException: Client error: `POST https://cognito-idp.eu-west-2.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"NotAuthorizedException","message":"Unable to verify secret hash for client 2od40<snip>rf9crnnej"}
 in C:\Users\Ben Kennish\Documents\aws-cognito\vendor\aws\aws-sdk-php\src\WrappedHttpHandler.php on line 195

Aws\CognitoIdentityProvider\Exception\CognitoIdentityProviderException: Error executing "AdminInitiateAuth" on "https://cognito-idp.eu-west-2.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.eu-west-2.amazonaws.com` resulted in a `400 Bad Request` response:
{"__type":"NotAuthorizedException","message":"Unable to verify secret hash for client 2od40<snip>rf9crnnej"}
 NotAuthorizedException (client): Unable to verify secret hash for client 2od40<snip>rf9crnnej - {"__type":"NotAuthorizedException","message":"Unable to verify secret hash for client 2od40<snip>rf9crnnej"} in C:\Users\Ben Kennish\Documents\aws-cognito\vendor\aws\aws-sdk-php\src\WrappedHttpHandler.php on line 195

Call Stack:
    0.0005     398744   1. {main}() C:\Users\Ben Kennish\Documents\aws-cognito\examples\refreshAuthentication.php:0
    0.0808    6515504   2. pmill\AwsCognito\CognitoClient->refreshAuthentication() C:\Users\Ben Kennish\Documents\aws-cognito\examples\refreshAuthentication.php:8

This is the same exception message that login.php generates if the 'app_client_secret' in config.php is incorrect but it IS currently correct as login.php is working as expected.

Anyone know what I'm doing wrong? Cheers, Ben

BenKennish commented 4 years ago

Oh, btw, I obtained aws-cognito using Composer and it retrieved version 0.2.11, which seems to be the latest version.

ivy-liu09 commented 4 years ago

Hi @BenKennish

$username must be the value of Username returned by the getUser method, not an email.

Ivy

BenKennish commented 4 years ago

Thanks @ivy-liu09. Could this be considered a bug in aws-cognito? All the other example scripts accept the email 'username' and also the error message "Unable to verify secret hash for client" seems inappropriate.

hygison commented 2 years ago

I am getting a fatal error when the password is wrong:

Fatal error: Uncaught exception 'Aws\CognitoIdentityProvider\Exception\CognitoIdentityProviderException' with message 'Error executing "AdminInitiateAuth" on "https://cognito-idp.us-east-1.amazonaws.com"; AWS HTTP error: Client error: `POST https://cognito-idp.us-east-1.amazonaws.com` resulted in a `400 Bad Request` response: {"__type":"NotAuthorizedException","message":"Incorrect username or password."} NotAuthorizedException (client): Incorrect username or password. - {"__type":"NotAuthorizedException","message":"Incorrect username or password."}' GuzzleHttp\Exception\ClientException: Client error: `POST https://cognito-idp.us-east-1.amazonaws.com` resulted in a `400 Bad Request` response: {"__type":"NotAuthorizedException","message":"Incorrect username or password."} in /Applications/MAMP/htdocs/app/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php:113 Stack trace: #0

Shouldn't I get an object saying that it was a bad request instead of a fatal error? That way it would be possible to return such information to the user.
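Added example, not code from pmill/aws-cognito or the AWS SDK, illustrating both points raised in this thread: why a SECRET_HASH built from the e-mail alias cannot match one built from the canonical Username that getUser returns (ivy-liu09's answer), and how to catch the service rejection instead of letting it become a fatal error (hygison's question). The client id, client secret, e-mail and Username values are constructed placeholders, and the wrapped SDK call is shown only as a comment.

```php
<?php
declare(strict_types=1);

use Aws\Exception\AwsException; // parent class of CognitoIdentityProviderException

// SECRET_HASH = Base64(HMAC-SHA256(key: app client secret, msg: username . clientId)).
// $username must be the pool's canonical Username for the account (the value
// getUser returns), not an alias such as the e-mail address.
function cognitoSecretHash(string $username, string $clientId, string $clientSecret): string
{
    return base64_encode(hash_hmac('sha256', $username . $clientId, $clientSecret, true));
}

// Run a Cognito call and turn a service rejection into a plain result array
// instead of letting the exception propagate as a fatal error, so the caller
// can show the user a message such as "incorrect username or password".
function callCognito(callable $call): array
{
    try {
        return ['ok' => true, 'result' => $call()];
    } catch (AwsException $e) {
        // getAwsErrorCode() is the "__type" of the JSON error body seen in the
        // stack traces above, e.g. "NotAuthorizedException".
        return [
            'ok'      => false,
            'code'    => $e->getAwsErrorCode(),
            'message' => $e->getAwsErrorMessage(),
        ];
    }
}

// Constructed placeholder values; none of these are real pool identifiers.
$clientId     = 'PLACEHOLDER_APP_CLIENT_ID';
$clientSecret = 'PLACEHOLDER_APP_CLIENT_SECRET';
$emailAlias   = 'ben@example.com';                    // what login.php was given
$poolUsername = 'PLACEHOLDER_USERNAME_FROM_GETUSER';  // Username as returned by getUser

// The two hashes differ, so a refresh request whose SECRET_HASH was built from
// the alias cannot be verified against the Username the pool resolves it to,
// which is what the "Unable to verify secret hash for client" response reports.
$mismatch = cognitoSecretHash($emailAlias, $clientId, $clientSecret)
         !== cognitoSecretHash($poolUsername, $clientId, $clientSecret);
var_dump($mismatch);

// Wrapping a real SDK call; $client is an Aws\CognitoIdentityProvider\
// CognitoIdentityProviderClient constructed as the examples directory does.
// $outcome = callCognito(fn () => $client->adminInitiateAuth([/* ... */]));
// if (!$outcome['ok'] && $outcome['code'] === 'NotAuthorizedException') { /* tell the user */ }
```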