Can't find refresh token when Cognito redirects back to my URL

I'm testing with AWS's Cognito. At this point, I can get back my IdToken, AccessToken, and RefreshToken like this:

$ aws cognito-idp admin-initiate-auth --user-pool-id us-east-1_XXXXXXXX --client-id XXXXXXXXXXXXXXXXXXXXXXX --auth-flow ADMIN_NO_SRP_AUTH --auth-parameters USERNAME=XXXXXXXXXXXXX,PASSWORD=XXXXXXXXXXXXX --region us-east-1

Then I tried the default web page (provided by Cognito) at a URL like this:

https://test-cognito.auth.us-east-1.amazoncognito.com/login?response_type=token&client_id=XXXXXXXXXXXXXXXXXXXXXX&redirect_uri=https://example.com

This URL will take me to a page where I have to authenticate, and once the process is done it will take me back to my redirect_uri with the previously mentioned IDs appended:

https://example.com#id_token=XXXXX.XXXXXX.XXXXXX&access_token=XXXXXX.XXXXXXX.XXXXXXX&expires_in=3600&token_type=Bearer

But there's no sign of refresh_token! How can I get my refresh_token in this scenario?

Mehran asked Apr 24 '18 12:04



1 Answer

I don't think that is possible at present. AWS clearly states that a refresh token is only available if the flow type is Authorization Code Grant.

What you are trying is the Implicit Grant; the response_type is set to token in your case. For Authorization Code Grant, set the grant type to code, but that will also require you to store the client secret in the app.

Source: https://developer.amazon.com/docs/login-with-amazon/refresh-token.html

For more info on grant types: https://alexbilbie.com/guide-to-oauth-2-grants/

Rajesh Panda answered Sep 21 '22 07:09
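The following is an added example (not from the question, the answer, or AWS) that contrasts the two grants discussed above: it parses the implicit-grant redirect from the question to show that no refresh_token is present, and builds the Authorization Code Grant request (response_type=code) together with the body for Cognito's /oauth2/token exchange, which is the step that returns the refresh token. It assumes an app client configured without a secret and uses PKCE (code_challenge_method=S256), which Cognito supports for such clients; the domain, client id and redirect URI are constructed placeholders.

```python
"""Contrast Cognito's implicit and authorization-code grants (added example)."""
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; not real Cognito identifiers.
DOMAIN = "https://test-cognito.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://example.com"


def pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) for a public client."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorize_url(response_type: str, code_challenge: Optional[str] = None) -> str:
    """Build the hosted-UI /login URL: response_type=token (implicit) or code."""
    params = {"response_type": response_type, "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid"}
    if response_type == "code" and code_challenge:
        params.update(code_challenge_method="S256", code_challenge=code_challenge)
    return f"{DOMAIN}/login?{urlencode(params)}"


def parse_redirect(url: str) -> Dict[str, str]:
    """Implicit grant returns tokens in the URL fragment; code grant uses the query."""
    parsed = urlparse(url)
    raw = parsed.fragment or parsed.query
    return {k: v[0] for k, v in parse_qs(raw).items()}


def token_request(code: str, verifier: str) -> Dict[str, str]:
    """Form body for POST {DOMAIN}/oauth2/token; the response carries refresh_token."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "code": code, "redirect_uri": REDIRECT_URI, "code_verifier": verifier}


if __name__ == "__main__":
    # Redirect shape from the question (constructed token values): no refresh_token.
    implicit = parse_redirect("https://example.com#id_token=a.b.c&access_token=d.e.f"
                              "&expires_in=3600&token_type=Bearer")
    print("refresh_token" in implicit)  # False
    verifier, challenge = pkce_pair()
    print(authorize_url("code", challenge))
    print(token_request(parse_redirect("https://example.com?code=abc123")["code"], verifier))
```

Keep the verifier only on the client that started the flow; the token endpoint rejects the exchange if it does not match the challenge sent in the authorize request.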