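I want to create/calculate a SECRET_HASH for AWS Cognito using boto3 and Python. This will be incorporated into my fork of warrant. How do I create a SECRET_HASH for AWS Cognito using boto3?
I configured my Cognito app client to use an app client secret. However, this broke the following code.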
    def renew_access_token(self):
        """
        Sets a new access token on the User using the refresh token.
        NOTE:
        Does not work if "App client secret" is enabled. 'SECRET_HASH' is needed in AuthParameters.
        'SECRET_HASH' requires HMAC calculations.
        Does not work if "Device Tracking" is turned on.
        https://stackoverflow.com/a/40875783/1783439
        'DEVICE_KEY' is needed in AuthParameters. See AuthParameters section.
        https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
        """
        refresh_response = self.client.initiate_auth(
            ClientId=self.client_id,
            AuthFlow='REFRESH_TOKEN',
            AuthParameters={
                'REFRESH_TOKEN': self.refresh_token
                # 'SECRET_HASH': How to generate this?
            },
        )
        self._set_attributes(
            refresh_response,
            {
                'access_token': refresh_response['AuthenticationResult']['AccessToken'],
                'id_token': refresh_response['AuthenticationResult']['IdToken'],
                'token_type': refresh_response['AuthenticationResult']['TokenType']
            }
        )
When I run this, I get the following exception:
    botocore.errorfactory.NotAuthorizedException:
    An error occurred (NotAuthorizedException) when calling the InitiateAuth operation:
    Unable to verify secret hash for client <client id echoed here>.
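This answer tells me that a SECRET_HASH is required to use a Cognito client secret.
For REFRESH_TOKEN_AUTH/REFRESH_TOKEN:
The AuthParameters section of the AWS API reference docs states the following: USERNAME (required), SECRET_HASH (required if the app client is configured with a client secret), REFRESH_TOKEN (required), DEVICE_KEY
The boto3 docs state that a SECRET_HASH is
"A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message."
The docs explain what is needed, but not how to achieve this.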
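
The calculation the quoted documentation describes, as an added example that is not part of the original post or of warrant: Cognito expects the Base64 encoding of an HMAC-SHA256 keyed with the app client secret over the username concatenated with the client ID. The function names, the `refresh_auth_parameters` helper and all sample values are hypothetical.

```python
import base64
import hashlib
import hmac


def compute_secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """Return Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    # Order matters: the message is the username followed by the client ID.
    message = (username + client_id).encode("utf-8")
    key = client_secret.encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def refresh_auth_parameters(refresh_token, username, client_id,
                            client_secret=None, device_key=None):
    """Build the AuthParameters dict for the refresh flow (hypothetical helper)."""
    params = {"REFRESH_TOKEN": refresh_token}
    if client_secret:
        # Needed only when the app client has "App client secret" enabled.
        params["SECRET_HASH"] = compute_secret_hash(
            username, client_id, client_secret)
    if device_key:
        # Needed only when device tracking is turned on.
        params["DEVICE_KEY"] = device_key
    return params


if __name__ == "__main__":
    # Constructed sample values; in real use, load the client secret from a
    # secret store or the environment, never from source code.
    params = refresh_auth_parameters(
        refresh_token="example-refresh-token",
        username="example-user",
        client_id="example-client-id",
        client_secret="example-client-secret",
    )
    # Print only the parameter names: the hash is derived from a secret
    # and should stay out of logs.
    print(sorted(params))
```

The returned dict is what would be passed as `AuthParameters` to `initiate_auth`. Keep the client secret server-side: anyone who holds it can compute a valid SECRET_HASH for any username.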