
I believe I am missing something with the implicit grant process and access tokens in aws cognito.

To this point:

  1. Have a user pool, with a client app configured for implicit flow and scopes openid, profile, aws.cognito.signin.user.admin

  2. Used a stack overview and the official documentation and older white papers to achieve:

  3. Login process that redirects to aws cognito UI, and back to my app, with tokens and other information in the fragment portion of the URL.

  4. The access_token value parses at jwt.io and signature checks out using the aws jwt tool

Problem:

The recommended step is to "verify that the access token belongs to us" through the tokeninfo api call. When I attempt to call tokeninfo via javascript code and testing via postman (using: https://api.amazon.com/auth/o2/tokeninfo?access_token=eyJraWQiOiJoVFBa... )

I get the result:

{
  "error_description": "The request has an invalid parameter : access_token",
  "error": "invalid_token"
}

and an http header:

x-amzn-errortype: InvalidTokenException:http://internal.amazon.com/coral/com.amazon.panda/

Variants I have tried:

  • I have tried calls directly to the user profile (using Authorization header, and query string and x-amz-access-token header).

  • I have tried adjusting parameter names (the error becomes "access_token required" or something like that)

  • I have tried adjusting scopes in the user pool

  • I have tried adding resource servers (though I am not there yet...)

The redirect after login looks like this:

  https://staging.example.com/loginresult.html#id_token=eyJraWQiO<tokenremoved>&access_token=eyJraWQiOiJoVFBa<tokenremoved>&expires_in=3600&token_type=Bearer&state=whateverdevwants

The parsed values of the token (through jwt.io) are:

{
  "sub": "5510a27d-ebcb-4883-8680-a66fd0462279",
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin openid profile",
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_OF5OOfdx0",
  "exp": 1519352461,
  "iat": 1519348861,
  "version": 2,
  "jti": "31950a91-e2a5-4060-8c31-977f49802d35",
  "client_id": "3iuhnprmod0josge24ogarecfp",
  "username": "5510a27d-ebcb-4883-8680-a66fd0462279"
}

Update: As answered below: just don't do this, it is conflating jwt tokens from cognito with whatever "Login With Amazon" was using.

Cadmium

1 Answer


In the example you refer to from Amazon they encode the access token using urllib.quote_plus for example in their PHP example.

Make sure you are URL encoding the access token too in your javascript code with encodeURI.

Also an error may be returned if the token has expired so make sure you verify a newly-minted token. Expiry is 3600 seconds - so make sure the token is less than an hour old.

EDIT

Looks like the documentation for Cognito is very different from the LWA (login with amazon) auth flow. The tokens in the examples you linked to aren't even JWT tokens!

The Cognito documentation here explains how to verify the JWT token. Check out the "Using ID Tokens and Access Tokens in your Web APIs" paragraph.

iandayman
  • Thanks, yes, was keeping track of the time to use in the first hour. And was encoding with encodeURIComponent (though the access_token didn't have encodable characters as far as I could tell...) – Cadmium Feb 23 '18 at 16:36
  • updated my answer - it looks like the official documentation you linked to is for LWA and very different from AWS Cognito. Good luck! – iandayman Feb 23 '18 at 17:29
  • Thanks. I found when I just used them against AWS API with cognito authorizers it just worked; not sure if/how to validate jwt tokens for cognito (may just signature checks), but this is not the way to do it. Thanks! – Cadmium Feb 23 '18 at 20:27