Cognito Hosted UI Not Always Returning "event_id" with ID + Access Token

I'm using the Cognito Hosted UI, and I want to associate the session for a user based on when they logged in with username/password. Cognito passes the "event_id" in the token for this. My initial login via /login looks like this:

{
  "at_hash": "74Q6DhYCQucWC88nUFDpkQ",
  "sub": "xxx-0ddc-4891-8a5b-xxx",
  "email_verified": true,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx",
  "cognito:username": "xxx-0ddc-4891-8a5b-xxx",
  "aud": "xxx",
  "event_id": "5a7530d2-7468-4a37-8c41-01b76ff84189",
  "token_use": "id",
  "auth_time": 1645027556,
  "exp": 1645031156,
  "iat": 1645027556,
  "email": "xxx@xxx.xxx"
}

Great, I have the "event_id", I can save that and associate subsequent refreshes with the initial login.

I then refresh the token using the Cognito API at https://cognito-idp.us-east-1.amazonaws.com with "AWSCognitoIdentityProviderService.InitiateAuth" and "AuthFlow":"REFRESH_TOKEN_AUTH". I then get this:

{
  "at_hash": "-f9VejQpIylT9HckhBiwUw",
  "sub": "xxx-0ddc-4891-8a5b-xxx",
  "email_verified": true,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx",
  "cognito:username": "xxx-0ddc-4891-8a5b-xxx",
  "aud": "xxx",
  "event_id": "5a7530d2-7468-4a37-8c41-01b76ff84189",
  "token_use": "id",
  "auth_time": 1645027556,
  "exp": 1645031218,
  "iat": 1645027618,
  "email": "xxx@xxx.xxx"
}

Looks great, still have the original "event_id" with a new refresh. I want to simplify my application and just route the user to the /oauth2/authorize page on the Hosted UI to handle refreshes for me. This way, I just have one place in my app to manage all authentication (either initial or refreshes). However, when I redirect the user to the Hosted UI authorize endpoint, I get a new token but lose the "event_id":

{
  "at_hash": "FvGQF9t6TfPkJ1unSWdRWg",
  "sub": "xxx-0ddc-4891-8a5b-xxx",
  "aud": "xxx",
  "email_verified": true,
  "token_use": "id",
  "auth_time": 1645027749,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx",
  "cognito:username": "xxx-0ddc-4891-8a5b-xxx",
  "exp": 1645031349,
  "iat": 1645027749,
  "email": "xxx@xxx.xxx"
}

I assume something is wrong here. I can do a refresh through the API and get the original authentication "event_id" again, but it will never come back from the Hosted UI again, unless I log in again (and thus get a new "event_id").

This situation is true for both IdTokens and AccessTokens.

Thanks!

asked 2 years ago, 92 views
No answers
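A way to tie ID tokens from all three flows in the question back to the originating login, as an added example (not code from the question or from AWS): it prefers the event_id claim and, when that claim is absent as in the /oauth2/authorize token, falls back to sub plus auth_time. The issuer, audience, sample payload values and helper names are constructed placeholders, and the payload decoder assumes the token signature has already been verified against the user pool's JWKS.

```python
import base64
import json
import time

# Constructed placeholders modelled on the tokens in the question.
EXPECTED_ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx"
EXPECTED_AUD = "xxx"


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(payload):
    """Build a JWT-shaped string (header.payload.signature) for local testing only."""
    header = {"alg": "RS256", "kid": "constructed-kid"}
    return f"{_b64url(header)}.{_b64url(payload)}.constructed-signature"


def decode_payload(jwt):
    """Decode the payload segment of a JWT.

    Assumes the signature was already verified against the user pool JWKS;
    this function performs no verification of its own.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))


def login_session_key(claims, now=None, iss=EXPECTED_ISS, aud=EXPECTED_AUD):
    """Return a stable key for the login that produced this ID token.

    Prefers event_id (present on the /login and REFRESH_TOKEN_AUTH tokens);
    when the claim is absent, keys on sub plus auth_time instead, so a token
    whose auth_time changed is treated as a new login session.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != iss or claims.get("aud") != aud:
        raise ValueError("issuer/audience mismatch")
    if claims.get("token_use") != "id":
        raise ValueError("expected an ID token")
    if int(claims["exp"]) <= now:
        raise ValueError("token expired")
    event_id = claims.get("event_id")
    if event_id:
        return ("event_id", event_id)
    return ("auth_time", claims["sub"], int(claims["auth_time"]))
```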