I'm using the Cognito Hosted UI, and I want to associate the session for a user based on when they logged in with username/password. Cognito passes the "event_id" in the token for this. My initial login via /login looks like this:
{
"at_hash": "74Q6DhYCQucWC88nUFDpkQ",
"sub": "xxx-0ddc-4891-8a5b-xxx",
"email_verified": true,
"iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx",
"cognito:username": "xxx-0ddc-4891-8a5b-xxx",
"aud": "xxx",
"event_id": "5a7530d2-7468-4a37-8c41-01b76ff84189",
"token_use": "id",
"auth_time": 1645027556,
"exp": 1645031156,
"iat": 1645027556,
"email": "xxx@xxx.xxx"
}
Great, I have the "event_id", I can save that and associate subsequent refreshes with the initial login.
I then refresh the token using the Cognito API at https://cognito-idp.us-east-1.amazonaws.com with "AWSCognitoIdentityProviderService.InitiateAuth" and "AuthFlow":"REFRESH_TOKEN_AUTH". I then get this:
{
"at_hash": "-f9VejQpIylT9HckhBiwUw",
"sub": "xxx-0ddc-4891-8a5b-xxx",
"email_verified": true,
"iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx",
"cognito:username": "xxx-0ddc-4891-8a5b-xxx",
"aud": "xxx",
"event_id": "5a7530d2-7468-4a37-8c41-01b76ff84189",
"token_use": "id",
"auth_time": 1645027556,
"exp": 1645031218,
"iat": 1645027618,
"email": "xxx@xxx.xxx"
}
Looks great, I still have the original "event_id" after a refresh. I want to simplify my application and just route the user to the /oauth2/authorize page on the Hosted UI to handle refreshes for me. This way, I have just one place in my app to manage all authentication (either initial or refreshes). However, when I redirect the user to the Hosted UI authorize endpoint, I get a new token but lose the "event_id":
{
"at_hash": "FvGQF9t6TfPkJ1unSWdRWg",
"sub": "xxx-0ddc-4891-8a5b-xxx",
"aud": "xxx",
"email_verified": true,
"token_use": "id",
"auth_time": 1645027749,
"iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx",
"cognito:username": "xxx-0ddc-4891-8a5b-xxx",
"exp": 1645031349,
"iat": 1645027749,
"email": "xxx@xxx.xxx"
}
I assume something is wrong here. I can do a refresh through the API and get the original authentication "event_id" again, but it will never come back from the Hosted UI again, unless I login again (and thus get a new "event_id").
This situation is true for both IdTokens and AccessTokens.
Thanks!
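The following is an added example, not code from the original post or from AWS. It takes the three claim sets shown in the post as constructed inputs, verifies each token before reading any claim, and then tries to tie each token back to the stored username/password login. The HS256 key, the token-building helper and the session store are assumptions for an offline demonstration; a real Cognito ID token is RS256-signed and must be verified against the user pool's JWKS (and its "iss", "aud", "token_use" and "exp" checked) before "event_id", "sub" or "auth_time" are trusted. The example also shows the fallback a practitioner reaches for when "event_id" is absent: matching on ("sub", "auth_time"). For the Hosted UI token in the post that fallback still fails, because the Hosted UI issued a token with a new "auth_time", i.e. a new authentication rather than a refresh of the old one.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for the example. DEMO_KEY stands in for Cognito's RS256
# signing key / JWKS lookup so the block runs offline; it is not a Cognito secret.
DEMO_KEY = b"example-signing-key-not-a-cognito-secret"
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx"
CLIENT_ID = "xxx"
SUB = "xxx-0ddc-4891-8a5b-xxx"
NOW = 1645027800  # a clock value inside the lifetime of all three tokens

# The three ID-token claim sets from the post (at_hash omitted; it is not used here).
LOGIN_CLAIMS = {"sub": SUB, "email_verified": True, "iss": ISSUER, "cognito:username": SUB,
                "aud": CLIENT_ID, "event_id": "5a7530d2-7468-4a37-8c41-01b76ff84189",
                "token_use": "id", "auth_time": 1645027556, "exp": 1645031156,
                "iat": 1645027556, "email": "xxx@xxx.xxx"}
REFRESH_CLAIMS = dict(LOGIN_CLAIMS, exp=1645031218, iat=1645027618)
HOSTED_UI_CLAIMS = {k: v for k, v in LOGIN_CLAIMS.items() if k != "event_id"}
HOSTED_UI_CLAIMS.update(auth_time=1645027749, exp=1645031349, iat=1645027749)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWT from a claim set (constructed test data only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token: str, key: bytes, now: int,
                      issuer: str = ISSUER, client_id: str = CLIENT_ID) -> dict:
    """Verify signature, iss, aud, token_use and exp; only then return the claims.

    Mirrors the checks a Cognito verifier performs, with HS256 in place of RS256.
    Access tokens carry client_id instead of aud and token_use "access"; this
    function deliberately accepts ID tokens only.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def link_to_login(claims: dict, sessions: dict) -> Optional[str]:
    """Map a verified token to a stored login session, or None if it fits none.

    sessions: {name: {"sub": ..., "event_id": ..., "auth_time": ...}} (assumed shape).
    Prefer the event_id claim; fall back to (sub, auth_time), which also
    identifies the original username/password authentication.
    """
    for name, s in sessions.items():
        if s["sub"] != claims.get("sub"):
            continue
        if claims.get("event_id") is not None and claims["event_id"] == s["event_id"]:
            return name
        if claims.get("auth_time") == s["auth_time"]:
            return name
    return None


def rejects_tampered_sub(token: str, new_sub: str) -> bool:
    """Swap the sub in the payload without re-signing; verification must fail."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["sub"] = new_sub
    forged_payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    forged = f"{header_b64}.{forged_payload}.{sig_b64}"
    try:
        verify_and_decode(forged, DEMO_KEY, NOW)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Store the /login session, then try to link the refreshed and Hosted UI tokens."""
    sessions = {}
    login = verify_and_decode(make_token(LOGIN_CLAIMS), DEMO_KEY, NOW)
    sessions["login-1"] = {"sub": login["sub"], "event_id": login["event_id"],
                           "auth_time": login["auth_time"]}
    refreshed = verify_and_decode(make_token(REFRESH_CLAIMS), DEMO_KEY, NOW)
    hosted = verify_and_decode(make_token(HOSTED_UI_CLAIMS), DEMO_KEY, NOW)
    return {"refresh_linked_to": link_to_login(refreshed, sessions),
            "hosted_ui_linked_to": link_to_login(hosted, sessions)}


if __name__ == "__main__":
    print(demo())
```

Running demo() links the REFRESH_TOKEN_AUTH token to "login-1" via the shared "event_id" and returns None for the Hosted UI token: it has no "event_id" and its "auth_time" differs, so by the claims alone it is a new login, not a continuation of the first one.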