Token is not from a supported provider of this identity pool Amazon Mobile Hub Android

Question

When I click Google Login I'm getting Token in onActivityResult method using the below code:

 GoogleSignInAccount account = result.getSignInAccount();
 String token = account.getIdToken();

 credentialsProvider  = new CognitoCachingCredentialsProvider(
            Login.this, // Context
            "My Pool ID", // Identity Pool ID
            Regions.US_EAST_1 // Region
    );

I have added the Google client ID in Cognito using manage Federated Identities. I have cross checked all the keys in IAM accounts.google.com, everything seems to be perfect.

 final Map<String, String> logins = new HashMap<String, String>();
 logins.put("accounts.google.com", account.getIdToken());

 credentialsProvider.setLogins(logins);
 credentialsProvider.refresh();

When I try to get the identity ID using the below code I'm getting error - Token is not from a supported provider of this identity pool. What could be the mistake?

 credentialsProvider.getIdentityId();

These questions seem related: https://forums.aws.amazon.com/thread.jspa?threadID=250632 and https://forums.aws.amazon.com/thread.jspa?threadID=170238 — Lisa M Shon, Jun 09 '17 at 17:17
@LisaMShon unfortunately both of those threads talk about older ways of getting the right credentials, and it's not clear how they translate to the newer system. — James Moore, Jul 14 '17 at 04:55
@UttamPanchasara It's a google id, so there aren't regions involved. — James Moore, Jul 15 '17 at 15:20

James Moore · Answer 1 · 2017-07-16T16:50:02.147

In my case, I had a trailing slash in my IAM identity provider for accounts.google.com, like this:

The one with the trailing slash is wrong; the one without the trailing slash works correctly. It's interesting that AWS will fetch the same thumbprint for both of those.

In the AWS IAM console under Accounts > Providers > accounts.google.com, add the key for "Android client for com.example.yourstuff (auto created by Google Service)" as an audience. It looks something like "222222222222-x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8.apps.googleusercontent.com" (Then, when you're debugging, go ahead and all the rest of the keys as audience entries; you can go back later and figure out which ones you can remove.)

In the call to GoogleSignInOptions.Builder, you need a call to #requestIdToken using your web application key under OAuath 2.0 client IDs on the Goole APIs > API Manager > Credentials page:

GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
  .requestIdToken("999999whateverxxxx.apps.googleusercontent.com")
  .build()

(The token can get cached; if you run your app with the requestIdToken call, then remove the requestIdToken call, and run again, you can still get a result from a call to getIdToken() on the GoogleSignInAccount object.)

The google login code will eventually give you a GoogleSignInAccount object. Call #getIdToken on that object to get a string (in my case, it's 83 chars) that you're going to put in the login hash:

  // pseudocode...
  private fun fn(x: GoogleSignInAccount) {
    val token = x.idToken // getIdToken if you're still using Java
    val logins = HashMap<String, String>()      
    logins.put("accounts.google.com", token);
    credentialsProvider.logins = logins
  ...

If you don't have the right key listed in IAM > Providers > accounts.google.com, you'll get a NotAuthorizedException(Invalid login token. Incorrect token audience.) exception.

If you added that extra slash to accounts.google.com/, you'll get a NotAuthorizedException(Token is not from a supported provider of this identity pool.)

If you try to add accounts.google.com/ to the login hash like this (don't do this, fix the IAM identity provider name instead):

logins.put("accounts.google.com/", token);

You'll get a NotAuthorizedException(Invalid login token. Issuer doesn't match providerName) exception.

If you use the wrong token you'll get a NotAuthorizedException (Invalid login token. Token signature invalid.) exception.

(I suspect there are many other ways to fail; these are just the one's I've found.)

TL;DR: Based on your answer I was able to solve this problem. I created a new identity provider in IAM, identical to the one I had, removing the trailing slash. — Gnafu, Jun 27 '18 at 10:58

score 5 · Answer 2 · answered Jan 17 '19 at 15:16

5

First check if you are using correct user pool id. If yes then open aws cognito console , select Federated Identities then select identity pool you are passing in "Auth.configure". Then click "Edit identity pool" then goto tab "Authentication providers". Under it, first tab is of "Cognito", press unlock of User Pool ID and App client id and pass correct value there. Then you will able to login successfully.

answered Jan 17 '19 at 15:16

Ashish Sharma

574
7
18

I really hope clicking the unlock button is not mandatory. I had the same error but my problem was an incorrect clientId – Thom Mar 27 '20 at 20:52
Unlocking and setting an app ID is definitely required. This step is missing in the documentation, and it should really be handled by the CLI. – pnewhook Jan 13 '21 at 15:34

score -1 · Answer 3 · answered Jun 09 '17 at 21:22

-1

You need to add the Google Provider App ID in your backend configuration with Cognito to make it work correctly. You can do that from Cognito Console or Mobile Hub Console having your pool id.

Thanks, Rohan

answered Jun 09 '17 at 21:22

Rohan Dubal

847
5
10

Token is not from a supported provider of this identity pool Amazon Mobile Hub Android

3 Answers3

Linked