Hi guys, hope you are doing well,
I have a doubt. I've been working on an API with Node (using SDK v3 and Cognito). Here's my code:
// Imports and client setup needed for the route to run (SDK v3).
const { CognitoIdentityProviderClient, InitiateAuthCommand } = require('@aws-sdk/client-cognito-identity-provider');
const client = new CognitoIdentityProviderClient({ region: process.env.AWS_REGION });

app.get('/api/refresh-token', async (req, res) => {
  // Refresh token is read from the cookie set by the earlier login route.
  const { refreshToken } = req.cookies;
  if (!refreshToken) {
    return res
      .status(401)
      .json({ message: 'Unauthorized' });
  }
  console.log("This is the refreshToken in the cookie: ", refreshToken);
  const userPoolId = process.env.USER_POOL_ID;
  const clientId = process.env.CLIENT_ID;
  const initiateAuthParams = {
    AuthFlow: 'REFRESH_TOKEN_AUTH',
    ClientId: clientId,
    AuthParameters: {
      REFRESH_TOKEN: refreshToken,
    },
  };
  try {
    const response = await client.send(new InitiateAuthCommand(initiateAuthParams));
    console.log("This is the access token:", response.AuthenticationResult.AccessToken);
    return res.status(200).json({ message: 'Refresh token successfully' });
  } catch (err) {
    // Any Cognito error (e.g. NotAuthorizedException) ends up here as a 400.
    return res
      .status(400)
      .json({ message: err.message });
  }
});
And here is the problem: I want to renew the tokens from the refresh token saved in the cookie (the cookie contains a refresh token obtained from a previous method that uses the InitiateAuthCommand, and it's valid). But when I'm using the method above, an error occurs (status code = 400, just like the catch). It seems as if the refresh token is a string obtained correctly but not valid. I say that because if we check this refresh token with Postman and send it to "cognito_domain/oauth2/token" with the correct params (grant_type=refresh_token, client_id=client_id_user_pool, refresh_token=our_refresh_token, all of these in the Body as "x-www-form-urlencoded"), then Postman returns status_code=400 and the message "invalid_grant". The POST request in Postman works well, because if I launch the hosted UI from my Cognito User Pool using the Authorization Code Grant Flow configured, then I obtain the code, and again sending the code with the appropriate configuration in Postman returns the tokens and also the refresh token. At this point, if I use this refresh token with the previous configuration in Postman (with grant_type=refresh_token, etc.), then Postman returns the valid id and access tokens.
Well, that's it. Now I'm wondering whether the refresh token is only valid when we use the hosted UI and the Authorization Code Grant Flow? Thanks in advance!
Have an awesome day ahead.