
Not able to get any OAuth or custom Scopes in Access Token #42

Closed
hanslai opened this issue Jul 25, 2019 · 15 comments
Labels
feature-request A feature should be added or improved. module/cognito-ext needs-review p2 This is a standard priority issue

Comments

@hanslai

hanslai commented Jul 25, 2019

Hello:

I am writing an application using Vue as the frontend, and asp.net core web api as the backend.
I am using "Authorization code grant" only for now, will add PKCE later.

Yet the only scope I am able to get from the returned access token is "aws.cognito.signin.user.admin".

Below is the access token payload content; some info has been replaced with ****.

{
  "sub": "*************************",
  "device_key": "*************************",
  "cognito:groups": [
    "AIS_Test_Group"
  ],
  "iss": "https://cognito-idp.ap-southeast-1.amazonaws.com/*****************",
  "client_id": "*************************",
  "event_id": "bcc3b362-ed43-4551-a562-6671f2ec3f2f",
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin",
  "auth_time": 1564057907,
  "exp": 1564061507,
  "iat": 1564057907,
  "jti": "e68c081c-533e-4f57-88cd-263b06d752f7",
  "username": "hans"
}

Allowed OAuth Scopes is checked for "phone", "email", "openid", "aws.cognito.signin.user.admin" and "profile" in the App client settings for the user pool.

For the backend Web API we are using "Authenticating with Secure Remote Protocol (SRP)":

[HttpPost]
[Route("SignInSPR")]
public async Task<ActionResult<string>> SignInSPR(User user)
{
    // Unauthenticated client; InitiateAuth with SRP needs no AWS credentials
    var provider = new AmazonCognitoIdentityProviderClient(new AnonymousAWSCredentials(), _region);
    var userPool = new CognitoUserPool(_AWS_UserPoolId, _appClientId, provider);
    var cognitoUser = new CognitoUser(user.Username, _appClientId, userPool, provider);

    // SRP flow: the password never leaves the server in clear text
    AuthFlowResponse authResponse = await cognitoUser.StartWithSrpAuthAsync(new InitiateSrpAuthRequest()
    {
        Password = user.Password
    }).ConfigureAwait(false);

    // Contains the id, access and refresh tokens returned by Cognito
    return Ok(authResponse);
}

Yet we are not able to get any OAuth scopes such as "openid" and "profile", or any "custom scopes".

Please advise on how we can get "OAuth scopes" and "custom scopes" with the Amazon Cognito Authentication Extension Library, or do I need to use the ASP.NET Core Identity Provider?

Thanks

Hans
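The SRP/InitiateAuth call in the SignInSPR action above has no parameter for requesting scopes, which is why its access token only ever carries "aws.cognito.signin.user.admin" (the scope that authorizes calls to Cognito's own user APIs). OAuth and resource-server custom scopes are requested through the user pool domain's OAuth 2.0 endpoints, i.e. the authorization code grant the reporter mentions, ideally with the PKCE they plan to add. The following is an added example, not code from the issue or from the aws-sdk-net-extensions-cognito library; it builds the two requests of that flow offline. The pool domain, client id, redirect URI and scope names are placeholders.

```python
"""Authorization code + PKCE request builder for a Cognito user pool domain.

Added example; not from the issue or the library.  Nothing here touches the
network: it produces the authorize URL and the /oauth2/token form body so the
pieces that carry the scope request can be inspected.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values (assumptions, not taken from the issue).
USER_POOL_DOMAIN = "https://example-auth.auth.ap-southeast-1.amazoncognito.com"
CLIENT_ID = "REPLACE_WITH_APP_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"


def challenge_for(code_verifier):
    """S256 code challenge per RFC 7636: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge); the verifier stays on the server."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, challenge_for(verifier)


def build_authorize_url(scopes, state, code_challenge):
    """Step 1: URL the browser is sent to.  The 'scope' parameter is where
    OAuth scopes (openid, profile, ...) and resource-server custom scopes are
    requested; Cognito only issues the ones enabled on the app client."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{USER_POOL_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def verify_callback(callback_url, expected_state):
    """Step 2: accept the redirect only if 'state' matches what we issued (CSRF
    protection) and a code is present.  Returns the code or None."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state") != [expected_state]:
        return None
    code = qs.get("code")
    return code[0] if code else None


def build_token_request(code, code_verifier, client_secret=None):
    """Step 3: (url, form, headers) for the backend's POST to /oauth2/token.
    A confidential client sends its secret as HTTP Basic auth, never in the
    browser.  The access token in the response carries the granted scopes."""
    form = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "code_verifier": code_verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        basic = base64.b64encode(f"{CLIENT_ID}:{client_secret}".encode()).decode("ascii")
        headers["Authorization"] = f"Basic {basic}"
    return f"{USER_POOL_DOMAIN}/oauth2/token", form, headers


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(["openid", "profile", "api.example.com/read"], state, challenge))
    code = verify_callback(f"{REDIRECT_URI}?code=CODE123&state={state}", state)
    print(build_token_request(code, verifier))
```

The state and code_verifier must be stored server-side between steps 1 and 3 (session keyed by the browser); the PKCE challenge alone gives the authorization server nothing to bind the code to without them.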

@klaytaybai klaytaybai added the feature-request A feature should be added or improved. label Jul 26, 2019
@hanslai
Author

hanslai commented Jul 27, 2019

@klaytaybai since this issue has been marked as "feature-request", does it mean I cannot use aws-sdk-net-extensions-cognito to get OAuth or custom scopes right now?

@sandeepsdixit

I have the same issue and have opened a case # 6756083471

When using a third-party IdP like Google or Facebook it returns all scopes, but for the Cognito IdP it does not:

GOOGLE IDP
access token=
{
"sub": "383dds42-ccd7-4ad1-86d3-fdb83bsee4e9",
"cognito:groups": [
"us-east-2_peGdsfhTXuI_Google"
],
"token_use": "access",
"scope": "aws.cognito.signin.user.admin phone openid profile api.kabuter.io/write api.kabuter.io/read email",
"auth_time": 1579371616,
"iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_pdGsdfTXuI",
"exp": 1579375217,
"iat": 1579371617,
"version": 2,
"jti": "2f83dsd2-0914-df62-8938-f8e0f3bcd142",
"client_id": "1ld8tdsddqlkttlaqqo6",
"username": "Google_100162641872007655599"
}

COGNITO IDP
access token=
{
"sub": "e2sd2cc3a-57e8-405c-9400-2dsd6dc6d774a",
"event_id": "9a9930d1-be36-45a2-bacf-134aa3a28185",
"token_use": "access",
"scope": "aws.cognito.signin.user.admin",
"auth_time": 1579364417,
"iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_peqweTXsdfI",
"exp": 1579368018,
"iat": 1579364418,
"jti": "b4b7ab15-edd5-45e8-add2-c83sdfsdf7d679e12",
"client_id": "1ld8td49v1sdfs9gloqqlkdfdsttlaqqdo6",
"username": "e222cdc3a-57e8-405c-9400-2ddsd6dc6d774a"
}
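The two payloads above show the failure mode a resource server has to handle: a token whose only scope is "aws.cognito.signin.user.admin" authorizes Cognito's own user APIs, not the custom API scopes, so an API that keys authorization off the "scope" claim must refuse it rather than fall through. The following is an added example, not code from the issue or the library, of that check. The payloads are constructed from the claims shown in the thread with shortened, non-real identifiers; the JWT header and signature are placeholders, and signature verification against the pool's JWKS is assumed to have been done before this code runs.

```python
"""Scope enforcement for a Cognito access token at the resource server.

Added example; not from the issue or the library.  The sample tokens are
constructed (identifiers are not real) and carry a placeholder signature.
"""
import base64
import json

# Constructed payloads mirroring the two tokens shown in the thread.
SRP_FLOW_TOKEN = {  # what InitiateAuth/SRP returned for the native Cognito user
    "token_use": "access",
    "scope": "aws.cognito.signin.user.admin",
    "client_id": "EXAMPLE_CLIENT",
    "username": "example-native-user",
}
OAUTH_FLOW_TOKEN = {  # what /oauth2/token returned for the Google-federated user
    "token_use": "access",
    "scope": "aws.cognito.signin.user.admin phone openid profile "
             "api.kabuter.io/write api.kabuter.io/read email",
    "client_id": "EXAMPLE_CLIENT",
    "username": "Google_example",
}


def _b64url_json(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def fake_jwt(payload):
    """Compact JWS with a placeholder signature, for exercising the parser only."""
    return ".".join([_b64url_json({"alg": "RS256", "kid": "placeholder"}),
                     _b64url_json(payload), "placeholder-signature"])


def decode_payload(token):
    """Decode the claims segment.  Only meaningful after signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(seg))


def granted_scopes(payload):
    """Scopes as a set; an id token (token_use != access) grants none."""
    if payload.get("token_use") != "access":
        return set()
    return set(payload.get("scope", "").split())


def authorize(token, required_scope, expected_client_id):
    """Return (allowed, reason) for one API operation."""
    payload = decode_payload(token)
    if payload.get("client_id") != expected_client_id:
        return False, "token was issued to a different app client"
    scopes = granted_scopes(payload)
    if not scopes:
        return False, "not an access token"
    if required_scope not in scopes:
        return False, f"missing scope {required_scope}; token has {sorted(scopes)}"
    return True, "ok"


if __name__ == "__main__":
    for name, payload in (("SRP", SRP_FLOW_TOKEN), ("OAuth", OAUTH_FLOW_TOKEN)):
        print(name, authorize(fake_jwt(payload), "api.kabuter.io/read", "EXAMPLE_CLIENT"))
```

Checking client_id alongside the scope matters because custom scopes are enabled per app client: a token minted for another client of the same pool can legitimately carry a scope name your API recognizes.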

@sandeepsdixit

Other values are obfuscated intentionally

@dienomb

dienomb commented Apr 11, 2020

There must be a workaround for this??? Does someone know???

Will be much appreciated.

@vmary2014

Hi. Is there any update on this issue? Would be great to access the custom scopes.

@shubhrit-D

Hi,

Any update on the above issue? We are trying to add custom scopes in AWS Cognito through resource servers but after logging in, the access token doesn't have any custom scopes.

Thanks.

@sonicsandy

Hi

Having the same issue of not being able to retrieve the custom scopes using auth code grant.

Configured in the app client settings:
[image: screenshot of the app client settings]

But the access token does not have them:
[image: screenshot of the decoded access token]

If this is not how it should work, then what is a good way of using custom scopes with auth code grant?

@equt

equt commented Apr 4, 2022

To whoever gets into this issue, if the following descriptions match your situation,

  1. You do not want to use the hosted UI
  2. You or your colleagues chose to use the client/server pattern, i.e., call the AWS Cognito SDK on your server side to generate a token, then pass it to your web or native app.

Then the answer is simply NO, YOU CAN'T.

Actually, many similar issues have been there for about three years. Of course, this is one of them.

Most of them are simply closed and locked because there is no recent activity.

@michaelakin

This is still an issue. Any update?

@ashishdhingra
Contributor

Needs review with the team. There were a lot of open issues in the past which were closed due to inactivity.

@ashishdhingra ashishdhingra added needs-review p2 This is a standard priority issue labels Dec 27, 2022
@michaelakin

> Needs review with the team. There were a lot of open issues in the past which were closed due to inactivity.

Thanks, this is definitely still a problem that I am encountering.

@glomtadzeWarrCloud

Same issue, it's a huge flaw of Cognito.

@normj
Member

normj commented Feb 8, 2023

I'm not dismissing the issue with custom scopes, but this library has no control over what is returned in the access token. This is a service issue that has to be addressed at the service, not the client library. The AWS .NET SDK team, which owns this library, can't make that service-level change.

@normj normj closed this as completed Feb 8, 2023
@github-actions

github-actions bot commented Feb 8, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
