Cognito '/oauth2/token' end point not returning 'id_token' for Authorization Code Grant with PKCE

Cognito '/oauth2/token' end point is not returning 'id_token' for Authorization Code Grant with PKCE, even though the documentation says it will be returned (Link). It should return the id_token as well. Is this normal, or do I need to configure more? I have added the content of the git issue I opened below, in case it is helpful (Issue 7393).

To Reproduce: Steps to reproduce the behavior:

  1. Configure a user pool with hosted UI support
  2. Go to the hosted UI and complete the login
  3. The user is redirected to the "redirectSignIn" URL
  4. The Hub.listen('auth') event fires and shows the error message "Sign in failure Error: Username and Pool information are required."
  5. Check the session for the ID token
  6. Check the code challenge request for the tokens (the /oauth2/token request)
  7. Neither has an ID token. /oauth2/token only returns access_token, expires_in, refresh_token and token_type

Expected behavior: It should return id_token as well.

Code Snippet

    import React, { useEffect, useState } from 'react';
    import { Amplify, Auth, Hub } from 'aws-amplify';
    import { AmplifyConfig } from '../../config/amplifyConfig';

    Amplify.configure({
        Auth: AmplifyConfig.auth
    });

    const AuthorizePage = (props: any) => {
        const [user, setUser] = useState(null);

        useEffect(() => {
            // The hosted UI redirects back to this page; Amplify reports the
            // outcome of the code exchange as events on the 'auth' Hub channel
            Hub.listen('auth', ({ payload: { event, data } }) => {
                switch (event) {
                    case 'signIn':
                    case 'cognitoHostedUI':
                        getUser().then(userData => setUser(userData));
                        break;
                    case 'signOut':
                        setUser(null);
                        break;
                    case 'signIn_failure':
                    case 'cognitoHostedUI_failure':
                        console.log('Sign in failure', data);
                        break;
                }
            });

            getUser().then(userData => setUser(userData));
        }, []);

        function getUser() {
            return Auth.currentAuthenticatedUser()
                .then(userData => userData)
                .catch(() => console.log('Not signed in'));
        }

        return (
            <div className="menu-card-filter--items" data-id="aperitif">
                <span>
                    Authorizing
                </span>
            </div>
        );
    };

    export default AuthorizePage;

Screenshots

Request https://user-images.githubusercontent.com/12485276/101932415-bccab580-3c00-11eb-8cde-222d72f0d956.png

Response https://user-images.githubusercontent.com/12485276/101932467-d3710c80-3c00-11eb-9d3b-778faee43fa4.png

What is configured?

  Auth: {
    mandatorySignIn: true,
    region: "******-*",
    userPoolId: "**-******-*_*******",
    userPoolWebClientId: "**********************",
    oauth: {
      domain: "**********************.amazoncognito.com",
      scope: [
        "phone",
        "email",
        "profile",
      ],
      redirectSignIn: "http://localhost:3000/authorize",
      redirectSignOut: "http://localhost:3000/logout",
      responseType: "code"
    }
  }

Add the 'openid' scope to the scope list in your auth configuration.

The openid scope returns all user attributes in the ID token that are readable by the client. The ID token is not returned if the openid scope is not requested by the client.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html