无法在REFRESH_TOKEN_AUTH上验证客户端的秘密哈希 [英] Unable to verify secret hash for client at REFRESH_TOKEN_AUTH
问题描述
在REFRESH_TOKEN_AUTH身份验证流程中,无法验证客户端的秘密哈希...".
"Unable to verify secret hash for client ..." at REFRESH_TOKEN_AUTH auth flow.
{
"Error": {
"Code": "NotAuthorizedException",
"Message": "Unable to verify secret hash for client 3tjdt39cq4lodrn60kjmsb****"
},
"ResponseMetadata": {
"HTTPHeaders": {
"connection": "keep-alive",
"content-length": "114",
"content-type": "application/x-amz-json-1.1",
"date": "Tue, 29 Jan 2019 22:22:35 GMT",
"x-amzn-errormessage": "Unable to verify secret hash for client 3tjdt39cq4lodrn60kjmsbv3jq",
"x-amzn-errortype": "NotAuthorizedException:",
"x-amzn-requestid": "610368ec-2414-11e9-9671-f11a8cac1e43"
},
"HTTPStatusCode": 400,
"RequestId": "610368ec-2414-11e9-9671-f11a8cac1e43",
"RetryAttempts": 0
}
}
REFRESH_TOKEN_AUTH的Boto3代码
遵循AWS文档(如以下参考资料中所述).
Boto3 code for REFRESH_TOKEN_AUTH
Followed the AWS documentation (as in the references below).
对于REFRESH_TOKEN_AUTH/REFRESH_TOKEN:REFRESH_TOKEN(必需),SECRET_HASH(如果应用客户端配置了客户端密码,则需要),DEVICE_KEY
For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: REFRESH_TOKEN (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY
response = get_client().admin_initiate_auth(
UserPoolId=USER_POOL_ID,
ClientId=CLIENT_ID,
AuthFlow='REFRESH_TOKEN_AUTH',
AuthParameters={
'REFRESH_TOKEN': refresh_token,
'SECRET_HASH': get_secret_hash(username)
}
)
在具有相同秘密哈希值的ADMIN_NO_SRP_AUTH身份验证流中不会发生这种情况.
It does not happen at ADMIN_NO_SRP_AUTH auth flow with the same secret hash value.
response = get_client().admin_initiate_auth(
UserPoolId=USER_POOL_ID,
ClientId=CLIENT_ID,
AuthFlow='ADMIN_NO_SRP_AUTH',
AuthParameters={
'USERNAME': username,
'SECRET_HASH': get_secret_hash(username),
'PASSWORD': password
},
ClientMetadata={
'username': username,
'password': password
}
)
同一个秘密哈希适用于200.
The same secret hash works with 200.
{
"AuthenticationResult": {
"AccessToken": ...,
"TokenType": "Bearer"
},
"ChallengeParameters": {},
"ResponseMetadata": {
"HTTPHeaders": {
"connection": "keep-alive",
"content-length": "3865",
"content-type": "application/x-amz-json-1.1",
"date": "Tue, 29 Jan 2019 22:25:33 GMT",
"x-amzn-requestid": "cadf53cf-2414-11e9-bba9-4b60b3285418"
},
"HTTPStatusCode": 200,
"RequestId": "cadf53cf-2414-11e9-bba9-4b60b3285418",
"RetryAttempts": 0
}
}
两者都使用相同的逻辑来生成秘密哈希.
Both uses the same logic to generate the secret hash.
def get_secret_hash(username):
msg = username + CLIENT_ID
digest = hmac.new(
str(CLIENT_SECRET).encode('utf-8'),
msg = str(msg).encode('utf-8'),
digestmod=hashlib.sha256
).digest()
hash = base64.b64encode(digest).decode()
log_debug("secret hash for cognito UP is [{0}]".format(hash))
return hash
值是相同的:
secret hash for cognito UP is [6kvmKb8almXpYKvfEbE9q4r1Iq/SuQvP8H**********].
环境
-
启用了客户端密钥的Cognito用户池.
Environment
Cognito User Pool with client secret enabled.
打印boto.Version2.49.0
print boto.Version 2.49.0
AWS Amplify Javascript JDK不支持 Github ,但到目前为止在Boto3上未找到任何报告.
AWS Amplify Javascript JDK does not support client secret as stated in Github but no report found so far on Boto3.
在创建应用程序时,必须取消选中生成客户端密码"框,因为JavaScript SDK不支持具有客户端密码的应用程序.
When creating the App, the generate client secret box must be unchecked because the JavaScript SDK doesn't support apps that have a client secret.
相关问题
- AWS Cognito原子令牌在秘密中失败哈希
- 无法验证客户端的秘密哈希在Amazon Cognito用户池中
- Cognito管理员发起身份验证
- Boto3admin_initiate_auth
- 推荐答案
该行为是否符合预期尚待确认.目前,要解决该问题.
Whether the behaviour is as expected or not is to be confirmed. For the moment, to work-around the problem.
AWS人员确定的原因和解决方法.
The cause and work-around identified by an AWS guy.
当用户名中有一个"@"时,您将在REFRESH_TOKEN_AUTH调用中收到该错误.Cognito会为其生成UUID样式的用户名.而且您必须在刷新调用中使用它.
when you have an "@" in the username you get that error on the REFRESH_TOKEN_AUTH call. Cognito generates a UUID-style username for them. And you have to use that during the refresh call.
提供了用于刷新令牌的示例代码.
Sample code provided to refresh the tokens.
import boto3 import hmac import hashlib import base64 import time import jwt Region = "us-east-1" UserPoolId = "Your userpool ID" AppClientId = "yyyy" AppClientSecret = "zzzz" Username = "james@bond.com" Password = "shakennotstirred" Signature = hmac.new(AppClientSecret, Username+AppClientId,digestmod=hashlib.sha256) Hash = base64.b64encode(Signature.digest()) Cognito = boto3.client("cognito-idp", region_name=Region) AuthResponse = Cognito.admin_initiate_auth( AuthFlow="ADMIN_NO_SRP_AUTH", ClientId=AppClientId, UserPoolId=UserPoolId, AuthParameters={"USERNAME":Username, "PASSWORD":Password, "SECRET_HASH":Hash}) IdToken = AuthResponse["AuthenticationResult"]["IdToken"] RefreshToken = AuthResponse["AuthenticationResult"]["RefreshToken"] Decoded = jwt.decode(IdToken, verify=False) DecodedUsername = Decoded["cognito:username"] NewSignature = hmac.new(AppClientSecret, DecodedUsername+AppClientId, digestmod=hashlib.sha256) #!! Generate new signature and hash NewHash = base64.b64encode(NewSignature.digest()) RefreshResponse = Cognito.admin_initiate_auth( AuthFlow="REFRESH_TOKEN_AUTH", ClientId=AppClientId, UserPoolId=UserPoolId, AuthParameters={"REFRESH_TOKEN":RefreshToken, "SECRET_HASH":NewHash}) #!! Use the new hash NewIdToken = RefreshResponse["AuthenticationResult"]["IdToken"] print("NewIdToken: "+NewIdToken)该示例使用Python2.要安装所需的软件包.
The example uses Python2. To install the packages required.
pip2 install cryptography -t . pip2 install PyJWT -t .这篇关于无法在REFRESH_TOKEN_AUTH上验证客户端的秘密哈希的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
