I am not understanding something about Amazon Cognito. If JWT tokens are only good for an hour, then they need to refresh, but how should my app do this? How does this happen? Do you just request new tokens and it remembers the session you are in? Also, do you store the JWT tokens in the state? I'm not understanding this, if anyone can help out I would appreciate it. Thanks!
When asking for a token, if the grant_type is authorization_code, the token endpoint returns a refresh_token.
Sample:
HTTP/1.1 200 OK
Content-Type: application/json
{
"access_token":"eyJz9sdfsdfsdfsd",
"refresh_token":"dn43ud8uj32nk2je",
"id_token":"dmcxd329ujdmkemkd349r",
"token_type":"Bearer",
"expires_in":3600
}
Then you can exchange the refresh token at the token endpoint to get another token
POST https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token
Content-Type='application/x-www-form-urlencoded'
Authorization=Basic aSdxd892iujendek328uedj
grant_type=refresh_token&
client_id=djc98u3jiedmi283eu928&
refresh_token=REFRESH_TOKEN
Additional documentation can be found here
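As an added example (not part of the original answer or AWS's own code), here is a small Node client helper for the refresh flow above: it reads the exp claim to decide when to refresh, builds the POST to /oauth2/token with the Basic header only when the app client has a secret, and merges the response into the stored token set. The domain, client id, secret and tokens are constructed placeholders.

```javascript
// Added example, not from the original answer. All values are constructed.
const b64url = (s) => Buffer.from(s).toString("base64url");

// Read the "exp" claim of a JWT. This is NOT verification: the client only uses
// the claim to schedule a refresh; the API still validates signature and expiry
// on every request it receives.
function secondsUntilExpiry(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (typeof payload.exp !== "number") throw new Error("missing exp claim");
  return payload.exp - nowSeconds;
}

// Refresh a little early so no request goes out with a just-expired token.
function shouldRefresh(jwt, nowSeconds, skewSeconds = 60) {
  return secondsUntilExpiry(jwt, nowSeconds) <= skewSeconds;
}

// Build the POST to /oauth2/token. The Basic Authorization header is sent only
// when the app client was issued a secret; a public client (no secret) omits it
// and identifies itself with client_id in the body alone.
function buildRefreshRequest({ domain, clientId, clientSecret, refreshToken }) {
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (clientSecret) {
    const basic = Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
    headers.Authorization = `Basic ${basic}`;
  }
  const body = new URLSearchParams({
    grant_type: "refresh_token",
    client_id: clientId,
    refresh_token: refreshToken,
  }).toString();
  return { method: "POST", url: `https://${domain}/oauth2/token`, headers, body };
}

// Merge a token response into the stored set. The refresh grant returns new
// access and id tokens; if no refresh_token comes back, keep the existing one.
function mergeTokens(stored, response) {
  return { ...stored, ...response,
           refresh_token: response.refresh_token || stored.refresh_token };
}

// Constructed sample id_token (placeholder signature, demo only), exp = 1700003600.
const SAMPLE_ID_TOKEN =
  `${b64url('{"alg":"RS256"}')}.${b64url('{"sub":"demo","exp":1700003600}')}.sig`;
```

Keep the refresh token out of anything a script on the page can read wholesale where you can (httpOnly cookie via a backend, or the SDK's storage), and hold only the short-lived access and id tokens in app state.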
I need Cognito refresh token to exchange a refresh token for tokens from /oauth2/token endpoint: https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
But I spent a lot of time and couldn't find how to get this refresh token...
Also I can't understand how to get "Authorization" header to make post request if in my app I have only Client_id, but not client_secret.
How can I get a Refresh Token from GCP?
I already got the Client ID and Client Secret from OAuth Client ID, but I can't find any Refresh Token from the credentials?
Google provides a lot of docs around different methods of authentication including refresh tokens but this document is probably most helpful.
Basically, once the user authorises you, in the response you get an authorization code which can be exchanged for an access token and refresh token by making a call to https://oauth2.googleapis.com/token like:
POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-Type: application/x-www-form-urlencoded
code=4/P7q7W91a-oMsCeLvIaQm6bTrgtp7&
client_id=your_client_id&
client_secret=your_client_secret&
redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob%3Aauto&
grant_type=authorization_code
Response:
{
"access_token": "1/fFAGRNJru1FTz70BzhT3Zg",
"expires_in": 3920,
"token_type": "Bearer",
"scope": "https://www.googleapis.com/auth/drive.metadata.readonly",
"refresh_token": "1//xEoDL4iW3cxlI7yDbSRFYNG01kVKM2C-259HOF2aQbI"
}
Oauth on GCP is covered in depth here.
I'm using Amazon Cognito for authorization of my app.
I'm using the authorization code flow. I can successfully get my token on /oauth2/authorize?...
But I can't seem to successfully get access_token, id_token and refresh_token using the POST to /oauth2/token with the Content type header: application/x-www-form-urlencoded
and body:
{"key":"grant_type","value":"authorization_code"},
{"key":"client_id","value":"xyz"},
{"key":"redirect_uri","value":"redirect-url.com"},
{"key":"code","value":"code_from_previous_request"}
When I make this call I get the following error json:
{"error":"invalid_request"}
Client id is correct and client app has no secret.
Anyone has any idea what I'm doing wrong?
By taking a closer look at #MikePatrick's request I figured it out. I was sending a wrong parameter
redirect_url
instead of
redirect_uri
...
Note to self: Half of software bugs are caused by typos
I'm using the php-jwt package for my Restful API to authenticate users.
I am successfully authenticating Users and returning a token. However it seems that there is not a standard method to issue a refresh token. Although I understand the principle and the flow I'm not sure if there is a standard for the issuing of the refresh token?
If I understand correctly the flow is as follows:
App requests access
API checks for a valid User and issues a token which is to include a refresh token
The refresh token is sent along with a request to renew; it is verified, and if valid, another token is issued?
But my question is how to issue the initial refresh token. Is this simply encoded in the token itself along with other data that I return such as username and email for example?
Thanks in advance. A.
I'm currently doing a bit of research of my own on JWTs. I believe you can give the client 2 tokens after auth: an access token and a refresh token. The refresh token can also be a JWT itself. What goes in it is up to you but I think what's important is that it is a valid/not expired token when used. If you can successfully validate it, then you can issue a new access token.
I am attempting to refresh a LinkedIn user's access token given their current access token. This is the documentation that I am following: http://developer.linkedin.com/blog/tips-and-tricks-refreshing-access-token
The steps I follow:
Make a POST request to the requestToken endpoint (https://api.linkedin.com/uas/oauth/requestToken)
Make a POST request to the authenticate endpoint passing the request token as a parameter.
After this the response should be a newly refresh access token but I am receiving a 302 response instead.