Cognito User Pools: how to use the refresh token to refresh the access token

Question

I am using Cognito user pool to authenticate users in my system. A successful authentication gives an ID Token (JWT), Access Token (JWT) and a Refresh Token. The documentation here clearly mentions that the refresh token can be used to refresh the access token, but does not mention how.

My question is: once my Access Token expires, how do I use the stored refresh token to refresh my access token again?

I searched through the JavaScript SDK and could not find any method to do the same. I definitely missed something.

Also I was thinking to do this via a Lambda function which takes in the access token and refresh token and responds with a refreshed access token. Would be great if anyone can throw some light on this.

Recommended answer

If you're in a situation where the Cognito Javascript SDK isn't going to work for your purposes, you can still see how it handles the refresh process in the SDK source:

You can see in refreshSession that the Cognito InitiateAuth endpoint is called with REFRESH_TOKEN_AUTH set for the AuthFlow value, and an object passed in as the AuthParameters value.

That object will need to be configured to suit the needs of your User Pool. Specifically, you may have to pass in your SECRET_HASH if your targeted App client id has an associated App client secret. User Pool Client Apps created for use with the Javascript SDK currently can't contain a client secret, and thus a SECRET_HASH isn't required to connect with them.

Another caveat that might throw you for a loop is if your User Pool is set to remember devices, and you don't pass in the DEVICE_KEY along with your REFRESH_TOKEN. The Cognito API currently returns an "Invalid Refresh Token" error if you are passing in the RefreshToken without also passing in your DeviceKey. This error is returned even if you are passing in a valid RefreshToken. The thread linked above illuminates that, though I do hope AWS updates their error handling to be less cryptic in the future.

As discussed in that thread, if you are using AdminInitiateAuth along with ADMIN_NO_SRP_AUTH, your successful authentication response payload does not currently contain NewDeviceMetadata; which means you won't have any DeviceKey to pass in as you attempt to refresh your tokens.

My app calls for implementation in Python, so here's an example that worked for me:

    import boto3
    import botocore.exceptions

    # boto3 Cognito Identity Provider client; region and credentials come from the environment
    client = boto3.client('cognito-idp')

    def refresh_token(self, username, refresh_token):
        try:
            return client.initiate_auth(
                ClientId=self.client_id,
                AuthFlow='REFRESH_TOKEN_AUTH',
                AuthParameters={
                    'REFRESH_TOKEN': refresh_token,
                    'SECRET_HASH': self.get_secret_hash(username)
                    # Note that SECRET_HASH is missing from JSDK
                    # Note also that DEVICE_KEY is missing from my example
                }
            )
        except botocore.exceptions.ClientError as e:
            return e.response
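The answer leaves two pieces implicit: how the SECRET_HASH that get_secret_hash returns is computed, and how the AuthParameters object changes when the pool has a client secret or remembers devices. The following is an added example written for this page, not code from the answer above or from the Cognito SDK. The function names (compute_secret_hash, build_refresh_auth_parameters, refresh_access_token) are hypothetical, and FakeCognitoClient is a constructed stand-in for the boto3 cognito-idp client that reproduces the "Invalid Refresh Token" behaviour the answer describes, so the flow can be exercised offline. The SECRET_HASH formula (Base64 of HMAC-SHA256 keyed with the client secret over username + client id) is the one Cognito documents; the token and key values are constructed sample data.

```python
import base64
import hashlib
import hmac

try:
    from botocore.exceptions import ClientError
except ImportError:  # fallback so the offline demo runs without boto3 installed
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            super().__init__(error_response["Error"]["Message"])
            self.response = error_response
            self.operation_name = operation_name


def compute_secret_hash(username, client_id, client_secret):
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    digest = hmac.new(
        client_secret.encode("utf-8"),
        (username + client_id).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(digest).decode("utf-8")


def build_refresh_auth_parameters(refresh_token, client_id, username=None,
                                  client_secret=None, device_key=None):
    """Assemble AuthParameters for REFRESH_TOKEN_AUTH.

    SECRET_HASH is only needed when the app client has a secret; DEVICE_KEY is
    only needed when the pool remembers devices (the caveat in the answer).
    """
    params = {"REFRESH_TOKEN": refresh_token}
    if client_secret is not None:
        if username is None:
            raise ValueError("username is required to compute SECRET_HASH")
        params["SECRET_HASH"] = compute_secret_hash(username, client_id, client_secret)
    if device_key is not None:
        params["DEVICE_KEY"] = device_key
    return params


def refresh_access_token(client, client_id, refresh_token, **kwargs):
    """Call InitiateAuth with REFRESH_TOKEN_AUTH.

    Returns (tokens, None) on success or (None, error_dict) on a ClientError,
    so callers can log the Cognito error code instead of swallowing it.
    """
    try:
        response = client.initiate_auth(
            ClientId=client_id,
            AuthFlow="REFRESH_TOKEN_AUTH",
            AuthParameters=build_refresh_auth_parameters(refresh_token, client_id, **kwargs),
        )
    except ClientError as exc:
        return None, exc.response["Error"]
    result = response["AuthenticationResult"]
    return {
        "access_token": result["AccessToken"],
        "id_token": result.get("IdToken"),
        "expires_in": result.get("ExpiresIn"),
    }, None


class FakeCognitoClient:
    """Constructed stand-in for boto3's cognito-idp client (offline demo only).

    Mirrors the behaviour described in the answer: a pool that remembers devices
    rejects a valid refresh token with "Invalid Refresh Token" when no DEVICE_KEY
    is supplied.
    """

    def __init__(self, remember_devices, valid_refresh_token):
        self.remember_devices = remember_devices
        self.valid_refresh_token = valid_refresh_token

    def initiate_auth(self, ClientId, AuthFlow, AuthParameters):
        if AuthFlow != "REFRESH_TOKEN_AUTH":
            raise ValueError("this fake only models REFRESH_TOKEN_AUTH")
        ok = AuthParameters.get("REFRESH_TOKEN") == self.valid_refresh_token
        if self.remember_devices and "DEVICE_KEY" not in AuthParameters:
            ok = False
        if not ok:
            raise ClientError(
                {"Error": {"Code": "NotAuthorizedException", "Message": "Invalid Refresh Token"}},
                "InitiateAuth",
            )
        return {"AuthenticationResult": {
            "AccessToken": "constructed-access-token",
            "IdToken": "constructed-id-token",
            "ExpiresIn": 3600,
            "TokenType": "Bearer",
        }}


if __name__ == "__main__":
    fake = FakeCognitoClient(remember_devices=True, valid_refresh_token="rt-sample")
    # Valid token, no DEVICE_KEY on a remember-devices pool: rejected, as the answer warns.
    print(refresh_access_token(fake, "app-client-id", "rt-sample",
                               username="alice", client_secret="sample-secret"))
    # Same token with DEVICE_KEY: accepted.
    print(refresh_access_token(fake, "app-client-id", "rt-sample",
                               username="alice", client_secret="sample-secret",
                               device_key="dk-sample"))
```

To use this against a real pool, pass `boto3.client("cognito-idp")` as `client` and persist the DeviceKey from the original authentication's NewDeviceMetadata so it is available at refresh time; the returned error dict carries Cognito's Code and Message, which is what you want in your logs when a refresh is rejected.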
09-05 23:55