I already read some topics here
AWS cognito - Is it possible to get google access token and refresh using aws access token when sign in using google in from aws cognito
https://github.com/aws-amplify/amplify-js/issues/3619.
The first one said I can't get Google Refresh Token from AWS Cognito.
The second one said AWS Cognito auto refresh Google Access Token and return to me when I call refresh AWS Cognito token.
So what is true?
I try to mapping Google Access Token and Refresh Token by using this
https://medium.com/graymatrix/using-custom-attributes-in-amazon-cognito-user-pool-288cd3128bae
After that i only get Google Access Token without Google Refresh Token.
Can someone tell me how to get Google Refresh Token from AWS Cognito? Or the official AWS document on this issue.
I was facing the same problem: I use Google as federated ID provider and I only got an access token back. Tried different auth flows, read pages over pages of documentation. I finally found (by trial and error): Disable the implicit grant in the user pool. Then Cognito starts sending the refresh token. You then have to use the authorization code grant flow, of course. But that's rather simple using a library such as oauth2-pkce.
Related
I am trying to build an ETL integration with google sheets. On the front end i was able to promt user to grant access to their drive and sheets but what i would like to do is to somehow be able to then later run a scheduled sync from cloud funtions in Firebase to access their sheets and sync the data to another endpoint. How can i use use the permissions grant to do this on the backend without having to authenticate again? I cannot find any articles about this on the web or in the gapi documentation.
If you specify the offline_access scope in the authorization request, you should receive a refresh token from the authorization server, if the user grants you that permission.
With that refresh token, you can get a new access token from the authorization server, without the involvement of the user.
Note that the refresh token typically has an expiration date too.
How to sign up a user to AWSCognitoIdentityUserPool and get the JWT tokens back?
I got Facebook token from facebook registration. Then how can I register user in the User pool with based on that token?
I need to get JWT tokens in responce after that to use them in my own backend.
Struggling with it a week already..
Recognize authentication is a two step process. First, your app must authenticate with Facebook to receive a JWT, it seems that you have done this successfully. Second, this JWT is exchanged for IAM credentials that will be used for API calls.
Authentication Flow:
App authenticates with Identity provider using the SDK for that identity provider. In response, the Identity provider sends a JWT that will be cached by the app.
App uses cached JWT to authenticate with AWS. If the Identity provider is configured in AWS, in response, AWS sends IAM credentials with the permissions granted to that identity provider.
IAM credentials are used to make calls to other AWS resources specified in the Policy
This documentation goes into more detail for these steps in regarding Facebook.
The AWS Amplify Library has support for iOS. I would recommend using this library to handle Authentication against Facebook Federated Identities.
You do not necessarily need a user pool managed in Cognito, as the user pool function is managed by Facebook.
Code snippets for Building OAuth 2.0 credentials :
Credential credential = new GoogleCredential.Builder().setTransport(httpTransport)
.setJsonFactory(jsonFactory)
.setClientSecrets(myAppClientID, myAppSecret)
.build();
credential.setRefreshToken(userRefreshToken);
I am using Java Library in order to get the Google Analytics Data.
I do have Client ID, Secret and Refresh Token. I am accessing Google Analytics API though this credentials information,
My question is, Will Google OAuth 2.0 take care of Access Token Automatically? Or Do i need to handle it manually with some mechanism? If i am not passing access token to this code.
From the Credential API doc:
Thread-safe OAuth 2.0 helper for accessing protected resources using
an access token, as well as optionally refreshing the access token
when it expires using a refresh token.
So if you don't specify an access token, it will be automatically fetched using the refresh token. But since you already have an access token, I would say it's good to set it - it will save the first network call to the /token endpoint.
So I read the following on the Authorizing Requests to the Google Calendar API page written by Google folks.
Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google Sign-In, some aspects of authorization are handled for you.
My knowledge of OAuth 2.0 is limited so I'm not sure if that means that I cannot get a one-time auth token for a user?
I'm building an app that will need to CRUD events for a user in the background based on other stuff. So I can't have the user authenticate over and over again. Is there a way around here?
If not, is there an Google Calendar alternative that has a dependable API that I could use?
When the user authenticates your application you are given an Access token (good for one hour) and a refresh token. You should save the refresh token, when ever you need to access the users data you can take the refresh token and ask Google to give you a new access token. It is the access token which gives you access to there account.
I wrote a tutorial that tries to explain Oauth2 how to set it up and how it works. Google Developer console Oauth2
I am using Oauth to access Google Cloud Storage via their JSON API.
All is fine, I authenticate and get an access token which has an expiration of 3600.
What is the correct way to refresh this?
It is my understanding that in other types of oAuth flows (i.e. Web Server), the initial authorization request returns a refresh token as well as an access token, and that the refresh token is used to ask for another access token when the current access token has expired.
But is appears that there is no refresh token when doing server-to-server oAuth with a Google "Service Account"?
Found the answer.
https://developers.google.com/accounts/docs/OAuth2ServiceAccount#expiration
Access tokens issued by the Google OAuth 2.0 Authorization Server
expire one hour after they are issued. When an access token expires,
then the application should generate another JWT, sign it, and request
another access token.