I have set up an Android app to use Amplify Auth.
I have allowed it to accept unauthorized (guest) users and Google federated sign-in.
It all seems to work as expected. I can log in using Google sign-in and Cognito.
I am experiencing a problem with using the temporary credentials generated for the Google sign-in and the guest user.
I have set up an API in API Gateway (the pet example imported into my API Gateway). I can access the endpoint using a user with a policy allowing invoke API. I test in Postman using the user's accessKey and secretKey and it works.
It also works when I use the Cognito logged-in user's idToken.
(I have added allow invoke API to the auth and unauth roles' policies for the identity pool used.)
If I use the accessKey and secretKey generated for the guest using this code:
// Imports this method relies on (not shown in the original post):
// import android.util.Log;
// import android.view.View;
// import com.amplifyframework.auth.cognito.AWSCognitoAuthSession;
// import com.amplifyframework.core.Amplify;
public void getGuestCredentials(View view) {
    Log.i(TAG, "inside getGuestCredentials()...");
    Amplify.Auth.fetchAuthSession(
        result -> {
            AWSCognitoAuthSession cognitoAuthSession = (AWSCognitoAuthSession) result;
            Log.i(TAG, "Is user signed in: " + cognitoAuthSession.isSignedIn());
            switch (cognitoAuthSession.getIdentityId().getType()) {
                case SUCCESS:
                    // Identity pool resolved an identity; the credentials below are
                    // temporary (they also carry a session token, not logged here).
                    Log.i(TAG, "success IdentityId: " + cognitoAuthSession.getIdentityId().getValue());
                    Log.i(TAG, "success access key: " + cognitoAuthSession.getAWSCredentials().getValue().getAWSAccessKeyId());
                    Log.i(TAG, "success secret key: " + cognitoAuthSession.getAWSCredentials().getValue().getAWSSecretKey());
                    break;
                case FAILURE:
                    Log.i(TAG, "failure IdentityId not present because: " + cognitoAuthSession.getIdentityId().getError().toString());
                    break;
                default:
                    Log.i(TAG, "default IdentityId: " + cognitoAuthSession.getIdentityId().getValue());
                    Log.i(TAG, "default access key: " + cognitoAuthSession.getAWSCredentials().getValue().getAWSAccessKeyId());
                    Log.i(TAG, "default secret key: " + cognitoAuthSession.getAWSCredentials().getValue().getAWSSecretKey());
                    break;
            }
        },
        error -> Log.i("AuthQuickStart", error.toString())
    );
}
I get:
"message": "The security token included in the request is invalid."
in Postman.
The same happens with the keys generated for the Google sign-in using this code:
// sign in as federated user using google token (using escape hatch)
AWSMobileClient mobileClient = (AWSMobileClient) Amplify.Auth.getPlugin("awsCognitoAuthPlugin").getEscapeHatch();
// mobileClient.federatedSignIn(IdentityProvider.GOOGLE.toString(), account.getIdToken(), new Callback() {
mobileClient.federatedSignIn("accounts.google.com", account.getIdToken(), new Callback<UserStateDetails>() {
    @Override
    public void onResult(final UserStateDetails userStateDetails) {
        // Handle the result
        Log.i(TAG, "mobileClient login result: " + userStateDetails.getUserState().toString());
        Log.i(TAG, "success google federation, going to authenticated user page.... ");
        // ************************************************
        // Temporary credentials for the federated identity (blocking call)
        AWSCredentials credentials = mobileClient.getCredentials();
        Log.i(TAG, "***** secret key: " + credentials.getAWSSecretKey());
        Log.i(TAG, "***** access key: " + credentials.getAWSAccessKeyId());
        // ....
    }

    @Override
    public void onError(final Exception e) {
        // Error branch was not shown in the original post
        Log.e(TAG, "google federation failed", e);
    }
});
Appreciate any help to solve this. Thanks.
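To make the failure mode concrete, here is an added from-scratch SigV4 signer in Python (not code from the question and not the Amplify or AWS SDK). It signs the same GET /pets request once with and once without the session token, so the difference in the SignedHeaders list and the signature is visible; the host, keys, token and timestamp are constructed placeholders.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder values: not real credentials and not a real endpoint.
EXAMPLE_TIME = datetime.datetime(2021, 1, 1, 12, 0, 0, tzinfo=datetime.timezone.utc)
FAKE_ACCESS_KEY = "ASIAEXAMPLEKEY"
FAKE_SECRET_KEY = "exampleSecretKey"
FAKE_SESSION_TOKEN = "exampleSessionToken"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(method, host, path, region, service, access_key, secret_key,
                  session_token=None, body=b"", now=None):
    """Build SigV4 headers for an API Gateway (execute-api) request.
    Temporary Cognito credentials are a triple: access key, secret key and
    session token. The token travels in X-Amz-Security-Token and is covered by
    the signature; sending only the key pair is what API Gateway rejects with
    'The security token included in the request is invalid.'
    """
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([method, quote(path), "", canonical_headers,
                                   signed_headers, hashlib.sha256(body).hexdigest()])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key derivation: secret -> date -> region -> service -> "aws4_request".
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date_stamp),
                                  region), service), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def demo():
    """Sign the same GET /pets request with and without the session token."""
    common = dict(method="GET", host="abc123.execute-api.us-east-1.amazonaws.com",
                  path="/pets", region="us-east-1", service="execute-api",
                  access_key=FAKE_ACCESS_KEY, secret_key=FAKE_SECRET_KEY, now=EXAMPLE_TIME)
    return sigv4_headers(session_token=FAKE_SESSION_TOKEN, **common), sigv4_headers(**common)
```

In Postman this corresponds to filling the "Session Token" field of the AWS Signature auth type; with only the access key and secret key, the request is signed as if the keys were long-lived IAM keys and the service cannot validate them.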
Managed to get it sorted.
"When you make a call using temporary security credentials, the call must include a session token, which is returned along with those temporary credentials. AWS uses the session token to validate the temporary security credentials. The temporary credentials expire after a specified interval."
I got the sessionToken using this code: