I am applying cognito into django and try to write a registered user api I used warrant library and are faulty.
boto3.setup_default_session(region_name='ap-southeast-2')
user_cognito = Cognito('your-user-pool-id','your-client-id')
user_cognito.register(user['username'], user['password'])
print(user_cognito)
my error is:
NotAuthorizedException at /api/register_user
An error occurred (NotAuthorizedException) when calling the SignUp operation: Unable to verify secret hash for client 'your-client-id'
please help me
You need to create an app without client secret.
It seems that currently, AWS Cognito doesn't handle client secret as it should. In your user pool try to create a new app without generating a client secret. Then use that app to signup a new user or to confirm registration. It worked for me.
Related
I am using AWS SDK (Java) for user creation in Cognito via Admin create/signup API documented here
The docs say that the method throws AliasExistException if a user creation is attempted using an email that already exists with another user.
To my surprise, the exception is thrown but at the same time, the user is created in Cognito as well and the new user overrides the email-verified flag for the existing user.
This cannot be the intended behavior. What is the purpose of an exception if the user is anyways created? How can we stop the creation of such users? Am I missing anything?
P.S: I am sending ForceAliasCreation as False
I am creating a flutter android app which uses google sign in. Once logged in, I recieve accesstoken and idtoken. I want to use this token to authenticate my backend which uses django social auth and
Login and return the authoken, if the user has already signed up, or
Register the user , login and return the user id and authtoken.
Is this possible ? If so please suggest any documents online or please explain how should I approach this.
Over the years of doing this again and again, I found the solution below works well for me. It creates clear understanding of who is doing what.
Basically, you need:
Django Rest framework-backed token authentication for normal API requests. Mostly your app works on this. Link: https://www.django-rest-framework.org/api-guide/authentication/#tokenauthentication
Google or Facebook or any other login to issue an auth token in 1. Thus effectively FB/ Google shortcuts the process of typing in username and password.
This is achieved via the flow below:
New user comes in and signs in via FB/ Google
You get Fb/Google token and send it to your backend
You verify the validity of the token. Re-obtain user name and email from G/FB from the backend. Use these details to create a user account in your backend. DO NOT USE email provided from front-end for account creation (assuming email is your primary unique user identifier)
NOTE: Don't forget to check if account already exists. If it does, this is a returning user/ login and not a new user. In this case, validate and return valid Django Rest Token
Once 3 is complete, issue a Django REST framework Token in response to the request made in 3.
After 4, you have a token in your app. Use this token for normal requests.
Happy coding! Happy to answer follow-up questions.
it is possible,first you have to create your api using django Rest Framework,the link below can help you to create your backend and set a token for every user:
https://dev.to/amartyadev/flutter-app-authentication-with-django-backend-1-21cp
then you have to add social authentication to your backend,you can write it yourself or using link below to use library :
https://github.com/RealmTeam/django-rest-framework-social-oauth2
after this approach you have to create your flutter app,the below link is a useful resource to connect your backend and your flutter app :
https://www.asapdevelopers.com/flutter-login-app-with-python-backend/
I'm looking at AWS Cognito documentaion here
Authentication with a User Pool
Actually I looked at many links in the documentation without finding clear information about this.
In AWS Cognito, I successfully created user pool, app client and integrated signup and login in Android and iOS using the platform provided SDK (amplify). But I want to do that directly from REST client, for testing purposes to generate user tokens. I want to submit the required credentials, username and password and get the user token as I do from the SDK.
I also tried the answer here but it gives an error
{
"__type": "NotAuthorizedException",
"message": "Unable to verify secret hash for client 1034me0p4rkfm17oidu7mkunu5"
}
Is this is something possible and how?
I just managed to get it done. There is a setting while you create an application client in Cognito console Enable Client Secret
To get that functionality to work, You need to create another App client with Enable Client Secret disabled. Then use the example mentioned in this answer
There is a setting I want to change via Python SDK reguarding AWS Cognito. I can change the setting in the AWS Web Console via "Cognito -> User Pools -> App Client Settings -> Cognito User Pool" (See image)
Here is my code
client = boto3.client('cognito-idp')
client.update_user_pool_client(
UserPoolId=USER_POOL_ID,
ClientId=user_pool_client_id,
SupportedIdentityProviders=[
'CognitoUserPool'
]
)
The error I am receiving is
An error occurred (InvalidParameterException) when calling the
UpdateUserPoolClient operation: The provider CognitoUserPool
does not exist for User Pool xxxxxx
It is unclear what string values I should pass for SupportedIdentityProviders. The only hint I have seen is from https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
--supported-identity-providers '["MySAMLIdP", "LoginWithAmazon"]'
I am not even 100% sure if the SupportedIdentityProviders relates to the setting I am trying to change, but can't find any clarification in the docs.
The correct value to pass is COGNITO
client.update_user_pool_client(
UserPoolId=USER_POOL_ID,
ClientId=user_pool_client_id,
SupportedIdentityProviders=[
'COGNITO'
]
)
I only discovered this by reviewing source code of someone else CloudFormation Custom resource https://github.com/rosberglinhares/CloudFormationCognitoCustomResources/blob/master/SampleInfrastructure.template.yaml#L105
I can not find the correct soluion to this from offical AWS Docs/Boto3 docs. If anyone knows where the possible values for SupportedIdentityProviders are documented please comment.
For SAML/ OIDC, the array of provider names can be passed as SupportedIdentityProviders when update user pool client.
In order to update the existing SupportedIdentityProviders in user pool client, first fetch the existing SupportedIdentityProviders using describeUserPoolClient function.
Then you can push your provider name to exisiting SupportedIdentityProviders and update the user pool client with this value.
I am using Identity server 5.2.0 and api manager 2.0.0. I have implemented a method to use refresh token to get the new access token for a user if the token has expired. But after implementing this some of the users will be unauthorized. When the user tries to login, token and scopes will be returned correctly but when calling the an api with the token, the user is unauthorized. Deleting and adding the user with same username also does not solve the issue. Is there any setting that blocks a user that may cause this issue?
Are you sure, the application in APIM is subscribed to the API you're trying to invoke? If not, you need to do that.