
I have a userpool in cognito which uses Google as the identity provider. Now, using Amplify, we do a FederatedSign with provider as 'Google' as shown below.

```javascript
import { Auth } from 'aws-amplify';

Auth.federatedSignIn({ provider: "Google" });
```

This gives me back the access token, id token. But the refresh token is empty. This is for the oauth responseType:'token' configuration.

I have seen elsewhere that we need to change the grant type to 'code' i.e responseType: 'code' in order to get the refresh token.

But in this scenario, I am getting 'code = some-value' in the callback url and not the access token and refresh token.

What am I missing here?

My aim is to be able to get the refresh token - and using this Amplify would refresh the session once the access token is invalid.

user13628417
  • Bumping this, as it's still a problem, I believe it has something to do with "authenticationFlowType" or some other config. I am still looking for a solution... – Kevin Danikowski Sep 20 '20 at 20:34

2 Answers


You need to change oauth.responseType in your config to 'code' instead of 'token'. I'm getting an error when I do that and I'm not sure why, but this is what I found you need to do.

Kevin Danikowski
  • I solved this problem. Turns out the redirect URL for sign in and sign out must be the same domain you place the request from, i.e., place the request from localhost:3000, and the redirect must also come back to localhost:3000. For testing I was using localhost:5500 and it was therefore giving an empty token. (My oauth response type is code) (Check it once in cognito settings.) When the redirect comes with the "code" in the URL, Amplify picks this up and places one more request to get the refresh token and other credentials (to the cognito TOKEN endpoint.) – user13628417 Sep 22 '20 at 04:03
  • I started looking at the docs [here](https://auth0.com/docs/protocols/protocol-oauth2), and it looks like `code` is shorthand for the [Authorization Code Flow](https://auth0.com/docs/protocols/protocol-oauth2). `token` seems to be just for short term access. – Michael Keane Galloway Apr 29 '21 at 17:36

I am using parseCognitoWebResponse and had the same problem.

  1. Within your User Pool go to App Clients. Check your Cognito App Client and make sure no client secret is generated. If it is filled in, recreate an App Client without generating a Client Secret.

  [Screenshot: No Client Secret]

  2. Change the response_type to code

```javascript
// yourCognitoDomain is expected to already carry the hosted-UI authorize path
// (Cognito serves it at /oauth2/authorize on the user pool domain);
// the redirect URI is URL-encoded so its ':' and '/' survive as a query value.
window.location.href = `https://${yourCognitoDomain}?response_type=code&client_id=${yourClientId}&redirect_uri=${encodeURIComponent(cognitoRedirectUrl)}`;
```

WiredIn