
Questions tagged with Amazon Cognito User Pools


Elasticsearch + Kibana + Cognito session error 403

Hi folks, we have created an Elasticsearch (version 7.10) cluster with Cognito-enabled fine-grained authentication for Kibana. We have replicated (via Terraform IaC) a configuration already present on another AWS account that is working fine. In this new cluster we have Kibana session issues; for example, when we click "Log out" in Kibana we get a 403 error (I'll post it at the end of my message as LOGOUT_ERROR). Another error happens when the Cognito session token expires and we get another 403 error (another small snippet at the end of my message as LOGIN_ERROR). We cannot see the Cognito login page unless we remove the cookie in the browser (we tested different browsers). Everything else is working fine: we are able to use Elasticsearch and Kibana with no other issues. Since the error originates from "AWSSecurityTokenService" (an interface in the AWS Java SDK), we suspect this is a possible bug that we're not able to address on our side. Could the fact that the Elasticsearch cluster is in the eu-south-1 region and Cognito is in eu-west-1 be an issue? Can you please help us by pointing us to any resource that may help resolve this issue?

Regards,
Marco

LOGOUT_ERROR

```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="403 Forbidden">
<title>Kibana Authentication Error</title>
<link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css">
<link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css">
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<script src="//maxcdn.bootstrapcdn.com/bootstrap/3.3.4/js/bootstrap.min.js"></script>
<style>
body { padding-top: 20px; }
.jumbotron { font-size: 21px; font-weight: 200; line-height: 2.1428571435; color: inherit; padding: 10px 0px; }
.body-content { padding-left: 15px; padding-right: 15px; }
.jumbotron { text-align: center; background-color: transparent; }
.jumbotron .btn { font-size: 21px; padding: 14px 24px; }
.blue {color:#00bfff;}
.red {color:#d9534f;}
</style>
</head>
<div class="container">
<div class="jumbotron">
<h1><i class="fa fa-frown-o red"></i> Sorry!</h1>
<p class="lead">Something went wrong during authentication between Kibana and Amazon Cognito.</p>
<p><a href="https://kibana.linkemswarm.com/_plugin/kibana" class="btn btn-default btn-lg"><span class="blue">Log in to Kibana</span></a> </p>
</div>
</div>
<div class="container">
<div class="body-content">
<div class="row">
<h2>What happened?</h2>
<p>cognito:revoke_tokens:ErrorUser: x:x:x::xx:x is not authorized to perform: sts:AssumeRole on resource: x:x:x::xx:x (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 432dbf6a-126f-43f4-be02-69c3657b3016; Proxy: null)</p>
</div>
<div class="row">
<h2>What should I do?</h2>
<p>Try logging in again. If the problem persists, please review the <a href="https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/es-cognito-auth.html#es-cognito-auth-troubleshooting">troubleshooting guide</a> for information on resolving common issues.</p>
</div>
</div>
</div>
</body>
</html>
```

END LOGOUT_ERROR

LOGIN_ERROR

```html
...
<h2>What happened?</h2>
<p>com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: x:x:x::xx:x is not authorized to perform: sts:AssumeRole on resource: x:x:x::xx:x (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: d3bbebd3-a5ba-4406-9d75-5b78cd1c92bc; Proxy: null)</p>
...
```

END LOGIN_ERROR
1 answer, 0 votes, 21 views, asked 2 months ago

Cognito Hosted UI Not Always Returning "event_id" with ID + Access Token

I'm using the Cognito Hosted UI, and I want to associate the session for a user based on when they logged in with username/password. Cognito passes the "event_id" in the token for this. My initial login via `/login` looks like this:

```json
{
  "at_hash": "74Q6DhYCQucWC88nUFDpkQ",
  "sub": "xxx-0ddc-4891-8a5b-xxx",
  "email_verified": true,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx",
  "cognito:username": "xxx-0ddc-4891-8a5b-xxx",
  "aud": "xxx",
  "event_id": "5a7530d2-7468-4a37-8c41-01b76ff84189",
  "token_use": "id",
  "auth_time": 1645027556,
  "exp": 1645031156,
  "iat": 1645027556,
  "email": "xxx@xxx.xxx"
}
```

Great, I have the "event_id"; I can save that and associate subsequent refreshes with the initial login. I then refresh the token using the Cognito API at `https://cognito-idp.us-east-1.amazonaws.com` with "AWSCognitoIdentityProviderService.InitiateAuth" and "AuthFlow":"REFRESH_TOKEN_AUTH". I then get this:

```json
{
  "at_hash": "-f9VejQpIylT9HckhBiwUw",
  "sub": "xxx-0ddc-4891-8a5b-xxx",
  "email_verified": true,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx",
  "cognito:username": "xxx-0ddc-4891-8a5b-xxx",
  "aud": "xxx",
  "event_id": "5a7530d2-7468-4a37-8c41-01b76ff84189",
  "token_use": "id",
  "auth_time": 1645027556,
  "exp": 1645031218,
  "iat": 1645027618,
  "email": "xxx@xxx.xxx"
}
```

Looks great, I still have the original "event_id" with a new refresh. I want to simplify my application and just route the user to the `/oauth2/authorize` page on the Hosted UI to handle refreshes for me. This way, I just have one place in my app to manage all authentication (either initial or refreshes).

However, when I redirect the user to the Hosted UI authorize endpoint, I get a new token but lose the "event_id":

```json
{
  "at_hash": "FvGQF9t6TfPkJ1unSWdRWg",
  "sub": "xxx-0ddc-4891-8a5b-xxx",
  "aud": "xxx",
  "email_verified": true,
  "token_use": "id",
  "auth_time": 1645027749,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxx",
  "cognito:username": "xxx-0ddc-4891-8a5b-xxx",
  "exp": 1645031349,
  "iat": 1645027749,
  "email": "xxx@xxx.xxx"
}
```

I assume something is wrong here. I can do a refresh through the API and get the original authentication "event_id" again, but it will never come back from the Hosted UI again, unless I log in again (and thus get a new "event_id"). This situation is true for both IdTokens and AccessTokens. Thanks!
0 answers, 0 votes, 2 views, asked 3 months ago