Issues renewing auth_token #18

Open
gavihs opened this issue Sep 4, 2020 · 3 comments

gavihs commented Sep 4, 2020

I am trying to renew the auth token using renew_access_token

Traceback (most recent call last):
  File "testpycognito.py", line 80, in <module>
    u.renew_access_token( )
  File "/home/ubuntu/.local/lib/python3.8/site-packages/pycognito/__init__.py", line 617, in renew_access_token
    refresh_response = self.client.initiate_auth(
  File "/home/ubuntu/.local/lib/python3.8/site-packages/botocore/client.py", line 337, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/home/ubuntu/.local/lib/python3.8/site-packages/botocore/client.py", line 656, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.NotAuthorizedException: An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Unable to verify secret hash for client 3ol********************bd3

This is not an access problem.
I manually performed the operation outside of the package and it works:

    import jwt  # PyJWT

    # Decode the ID token without signature verification, only to read its claims
    username = jwt.decode(id_token, verify=False)
    response = cidpClient.initiate_auth(
        ClientId=clientId,
        AuthFlow='REFRESH_TOKEN_AUTH',
        AuthParameters={
            'REFRESH_TOKEN': refresh_token,
            'SECRET_HASH': get_secret_hash(clientId, clientSecret, username["cognito:username"]),
        })

Also the SECURE_HASH from both operations are the same

Any help will be appreciated

@ofekfeller-glossai

@gavihs
I'm having the same problem when trying to authenticate tokens of Google identities.
Were you able to solve this?


gavihs commented Nov 8, 2022

> @gavihs I'm having the same problem when trying to authenticate tokens of google identities. Were you able to solve this?

I used the code given above and did an authorization every time - it is not the most efficient way, but it works.


r-puri commented Apr 4, 2023

I had the same problem. I am not sure if your scenario is the same or if you are still having the issue.
For the initial login experience, USER_PASSWORD_AUTH, the "username" passed to the get_secret_hash function was the login username (which in my case was the email of the user logging in). This worked fine. I get the tokens. Now when my access token expires and I use REFRESH_TOKEN_AUTH with the same get_secret_hash function (i.e. passing the login username aka email address), I would get the "unable to verify hash". I realized when doing the REFRESH token flow, I need to pass the actual cognito user id to the generate hash function and not the email address that I was using for the USER_PASSWORD_AUTH.
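
The behaviour described in the comments above, as an added example that is not part of the thread or of pycognito: Cognito's SECRET_HASH is Base64(HMAC-SHA256(client secret, username + client id)), so hashing the login alias and hashing the `cognito:username` claim give different values. The function names and all sample values are hypothetical and constructed, and the example assumes the `cognito:username` claim carries the user id the refresh flow expects, as the comments report.

```python
import base64
import hashlib
import hmac
import json


def cognito_secret_hash(username, client_id, client_secret):
    """Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def unverified_claims(token):
    """Decode a JWT payload without checking its signature.
    Used only to pick the username for SECRET_HASH (Cognito rejects a
    mismatch); never base an authorization decision on unverified claims.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def refresh_auth_parameters(id_token, refresh_token, client_id, client_secret):
    """AuthParameters for REFRESH_TOKEN_AUTH, hashed over the Cognito user id."""
    user_id = unverified_claims(id_token)["cognito:username"]
    return {
        "REFRESH_TOKEN": refresh_token,
        "SECRET_HASH": cognito_secret_hash(user_id, client_id, client_secret),
    }


def b64url(obj):
    """Helper for building the constructed sample token below."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample values: not real credentials, ids or tokens.
CLIENT_ID = "exampleclientid123"
CLIENT_SECRET = "example-client-secret"
LOGIN_ALIAS = "user@example.com"
USER_ID = "00000000-aaaa-bbbb-cccc-000000000000"
ID_TOKEN = ".".join([b64url({"alg": "RS256"}),
                     b64url({"cognito:username": USER_ID, "email": LOGIN_ALIAS}),
                     "signature-not-checked"])

if __name__ == "__main__":
    params = refresh_auth_parameters(ID_TOKEN, "constructed-refresh-token", CLIENT_ID, CLIENT_SECRET)
    print("hash over cognito:username:", params["SECRET_HASH"])
    print("hash over login alias:     ", cognito_secret_hash(LOGIN_ALIAS, CLIENT_ID, CLIENT_SECRET))
```

The returned dictionary has the shape passed as `AuthParameters` to `initiate_auth` in the snippet earlier in the thread.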
