aws-sdk-net-extensions-cognito
Not able to get any OAuth or custom Scopes in Access Token
Hello:
I am writing an application using Vue as the frontend, and asp.net core web api as the backend.
I am using "Authorization code grant" only for now, will add PKCE later.
Yet the only scope I am able get from the returned access token is "aws.cognito.signin.user.admin"
Below is the Access Token Payload, with some info replaced by ****
{
    "sub": "*************************",
    "device_key": "*************************",
    "cognito:groups": [
        "AIS_Test_Group"
    ],
    "iss": "https://cognito-idp.ap-southeast-1.amazonaws.com/*****************",
    "client_id": "*************************",
    "event_id": "bcc3b362-ed43-4551-a562-6671f2ec3f2f",
    "token_use": "access",
    "scope": "aws.cognito.signin.user.admin",
    "auth_time": 1564057907,
    "exp": 1564061507,
    "iat": 1564057907,
    "jti": "e68c081c-533e-4f57-88cd-263b06d752f7",
    "username": "hans"
}
Allowed OAuth Scopes is checked for "phone", "email", "openid", "aws.cognito.signin.user.admin" and "profile" in the App client settings for the user pool.
For the backend Web API we are authenticating with Secure Remote Protocol (SRP):
[HttpPost]
[Route("SignInSPR")]
public async Task<ActionResult<string>> SignInSPR(User user)
{
    // Anonymous credentials: the SRP exchange authenticates the end user, not this server
    var provider = new AmazonCognitoIdentityProviderClient(new AnonymousAWSCredentials(), _region);
    var userPool = new CognitoUserPool(_AWS_UserPoolId, _appClientId, provider);
    var cognitoUser = new CognitoUser(user.Username, _appClientId, userPool, provider);

    // Native USER_SRP_AUTH flow; the tokens come back in authResponse.AuthenticationResult
    AuthFlowResponse authResponse = await cognitoUser.StartWithSrpAuthAsync(new InitiateSrpAuthRequest
    {
        Password = user.Password
    }).ConfigureAwait(false);

    return Ok(authResponse);
}
Yet we are not able to get any OAuth scopes such as "openid" and "profile", or any "custom scopes".
Please advise on how we can get "OAuth scope" and "custom scopes" with the Amazon Cognito Authentication Extension Library, or do I need to use ASP.NET Core Identity Provider?
Thanks,
Hans
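Editor's added example, not code from the issue or from aws-sdk-net-extensions-cognito. The SignInSPR handler above calls the user pool's native InitiateAuth (SRP) API, and tokens issued by that API carry only aws.cognito.signin.user.admin; the "Allowed OAuth Scopes" and resource-server custom scopes are attached only by the user pool's OAuth 2.0 endpoints on the app's Cognito domain, which is the path the authorization code grant actually uses. The snippet below redeems an authorization code at /oauth2/token (with PKCE) and then inspects the scope claim of the returned access token so the backend can reject a login that lacks the scopes the API needs instead of finding out on the first protected call. The domain, client id, redirect URI, code, verifier and the api.example.com/read scope name are placeholders, and ScopesOf only decodes the payload; signature, issuer and expiry validation stay with the JWT bearer middleware that protects the API.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Added example (not from the issue or the library). Placeholders: cognitoDomain,
// clientId, redirectUri, the authorization code and the PKCE verifier produced by
// the front-end, and the hypothetical resource-server scope "api.example.com/read".
public static class CognitoOAuthTokens
{
    // Scopes this backend requires on every access token it accepts.
    private static readonly string[] RequiredScopes =
        { "openid", "profile", "api.example.com/read" };

    // Exchange the authorization code at the user pool's OAuth 2.0 token endpoint.
    // This is the flow that attaches "Allowed OAuth Scopes"; InitiateAuth/SRP never does.
    public static async Task<JsonDocument> ExchangeCodeAsync(
        HttpClient http, string cognitoDomain, string clientId,
        string redirectUri, string code, string codeVerifier,
        string? clientSecret = null)
    {
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["client_id"] = clientId,
            ["redirect_uri"] = redirectUri,   // must equal the one sent to /oauth2/authorize
            ["code"] = code,
            ["code_verifier"] = codeVerifier, // PKCE: ties the code to the party that started the login
        };
        using var req = new HttpRequestMessage(HttpMethod.Post, $"https://{cognitoDomain}/oauth2/token")
        {
            Content = new FormUrlEncodedContent(form)
        };
        if (clientSecret is not null)
        {
            // Confidential clients authenticate with HTTP Basic "client_id:client_secret".
            var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{clientId}:{clientSecret}"));
            req.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        }
        using var resp = await http.SendAsync(req).ConfigureAwait(false);
        resp.EnsureSuccessStatusCode();
        var body = await resp.Content.ReadAsStreamAsync().ConfigureAwait(false);
        return await JsonDocument.ParseAsync(body).ConfigureAwait(false);
    }

    // Read the space-separated "scope" claim from a compact JWT's payload segment.
    // Decoding only: the JWT bearer middleware is what verifies the signature.
    public static IReadOnlySet<string> ScopesOf(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWS");
        var payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        var scope = doc.RootElement.TryGetProperty("scope", out var s) ? s.GetString() : null;
        return (scope ?? string.Empty).Split(' ', StringSplitOptions.RemoveEmptyEntries).ToHashSet();
    }

    // Required scopes the token does not carry; an empty list means the login may proceed.
    public static IReadOnlyList<string> MissingScopes(string accessToken) =>
        RequiredScopes.Except(ScopesOf(accessToken)).ToList();
}
```

Applied to the payload from the original post, MissingScopes would report all three required scopes absent, because "scope" holds only aws.cognito.signin.user.admin; applied to the token from the Google IdP example later in the thread it would report none, since that token was issued through the OAuth endpoints.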
@klaytaybai, since this issue has been marked as "feature-request", does it mean I cannot use aws-sdk-net-extensions-cognito to get OAuth or custom scopes right now?
I have the same issue and have opened a case # 6756083471
when using third party idp like google or facebook, it returns all scopes but for cognito idp it does not:
GOOGLE IDP access token= { "sub": "383dds42-ccd7-4ad1-86d3-fdb83bsee4e9", "cognito:groups": [ "us-east-2_peGdsfhTXuI_Google" ], "token_use": "access", "scope": "aws.cognito.signin.user.admin phone openid profile api.kabuter.io/write api.kabuter.io/read email", "auth_time": 1579371616, "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_pdGsdfTXuI", "exp": 1579375217, "iat": 1579371617, "version": 2, "jti": "2f83dsd2-0914-df62-8938-f8e0f3bcd142", "client_id": "1ld8tdsddqlkttlaqqo6", "username": "Google_100162641872007655599" }
COGNITO IDP access token= { "sub": "e2sd2cc3a-57e8-405c-9400-2dsd6dc6d774a", "event_id": "9a9930d1-be36-45a2-bacf-134aa3a28185", "token_use": "access", "scope": "aws.cognito.signin.user.admin", "auth_time": 1579364417, "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_peqweTXsdfI", "exp": 1579368018, "iat": 1579364418, "jti": "b4b7ab15-edd5-45e8-add2-c83sdfsdf7d679e12", "client_id": "1ld8td49v1sdfs9gloqqlkdfdsttlaqqdo6", "username": "e222cdc3a-57e8-405c-9400-2ddsd6dc6d774a" }
Other values are obfuscated intentionally
There must be a workaround to this??? Does someone know???
Will be much appreciated.
Hi. Is there any update on this issue? Would be great to access the custom scopes.
Hi,
Any update on the above issue? We are trying to add custom scopes in AWS Cognito through resource servers but after logging in, the access token doesn't have any custom scopes.
Thanks.
Hi
Having the same issue of not being able to retrieve the custom scopes using auth code grant.
Configured in the app client settings
But the access token does not have them:
If this is not how it should work, then what is a good way of using custom scopes with auth code grant?
To whoever runs into this issue: if the following descriptions match your situation,
- You do not want to use the hosted UI
- You or your colleagues choose to use the client/server pattern, i.e., call the AWS Cognito SDK on your server side to generate the token, then pass it to your web or native app.
Then the answer is simply NO, YOU CAN'T.
Actually, many similar issues have existed for about three years. Of course, this is one of them.
- https://github.com/aws-amplify/aws-sdk-android/issues/684
- https://github.com/aws-amplify/amplify-js/issues/3732
- https://github.com/aws-amplify/amplify-js/issues/1906
- https://github.com/aws-amplify/amplify-js/issues/1884
- https://github.com/aws-amplify/aws-sdk-ios/issues/958
- https://github.com/aws-amplify/aws-sdk-android/issues/477
Most of them are simply closed and locked because there is no recent activity.
This is still an issue. Any update?
Needs review with the team. There were a lot of open issues in the past which were closed due to inactivity.
Thanks, this is definitely still a problem that I am encountering.
Same issue, it's a huge flaw of Cognito.
I'm not dismissing the issue with custom scopes, but this library has no control over what is returned in the access token. This is a service issue that has to be addressed at the service, not the client library. The AWS .NET SDK team which owns this library can't make that service level change.
⚠️COMMENT VISIBILITY WARNING⚠️
Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.
Seems to have been fixed on Cognito User Pools: https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/
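Editor's added example of the feature linked above, not code from the issue or the library. The "customize access tokens" launch is the pre token generation Lambda trigger with its event version set to V2_0, which lets the pool add scopes to the access token regardless of which flow issued it, so it also covers the native SRP flow from the original post. The handler below works on the event as untyped JSON so no event-model package is assumed; the field names (request.groupConfiguration.groupsToOverride, response.claimsAndScopeOverrideDetails.accessTokenGeneration.scopesToAdd) are taken from the AWS documentation for the V2_0 event and should be checked against the current docs, the group-to-scope table is hypothetical (AIS_Test_Group is the group from the original post), and the Lambda must be registered as the pool's pre token generation trigger with version V2_0, which requires a pool tier that supports it.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Text.Json.Nodes;
using Amazon.Lambda.Core;

[assembly: LambdaSerializer(typeof(Amazon.Lambda.Serialization.SystemTextJson.DefaultLambdaJsonSerializer))]

// Added example (not from the issue). Pre token generation trigger, event version V2_0,
// handled as untyped JSON. Field names follow the AWS docs for the V2_0 event (assumption
// to verify); the group -> scope table below is hypothetical.
public class PreTokenGenerationV2
{
    // Allow-list: a token can only gain scopes this server explicitly maps, never
    // anything the caller asked for. Scope names are hypothetical resource-server scopes.
    private static readonly Dictionary<string, string[]> GroupScopes = new()
    {
        ["AIS_Test_Group"] = new[] { "api.example.com/read" },
        ["Admins"]         = new[] { "api.example.com/read", "api.example.com/write" },
    };

    public JsonNode FunctionHandler(JsonNode evt, ILambdaContext context)
    {
        AddGroupScopes(evt);
        return evt; // Cognito reads the mutated "response" object back from the return value
    }

    // Computes scopesToAdd from the user's groups and writes it into the response.
    // Kept as a static function so it can be unit-tested without a Lambda runtime.
    public static IReadOnlyList<string> AddGroupScopes(JsonNode evt)
    {
        IEnumerable<string> groups =
            evt["request"]?["groupConfiguration"]?["groupsToOverride"]?.AsArray()
                .Select(g => g!.GetValue<string>())
            ?? Enumerable.Empty<string>();

        var scopes = groups
            .Where(GroupScopes.ContainsKey)      // unknown groups contribute nothing
            .SelectMany(g => GroupScopes[g])
            .Distinct()
            .ToList();

        var response = evt["response"] ??= new JsonObject();
        var details = response["claimsAndScopeOverrideDetails"] ??= new JsonObject();
        details["accessTokenGeneration"] = new JsonObject
        {
            ["scopesToAdd"] = new JsonArray(scopes.Select(s => (JsonNode)s).ToArray()),
        };
        return scopes;
    }
}
```

A user in AIS_Test_Group authenticated through the SignInSPR handler from the original post would then receive an access token whose scope claim reads "aws.cognito.signin.user.admin api.example.com/read"; a user in no mapped group gets an empty scopesToAdd and an unchanged token. Keep the mapping server-side as here: deriving scopes from anything the client controls would let a caller mint its own authorization.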