The token is not from a supported provider of this Amazon Mobile Hub Android authentication pool

When I click on Google Login, I get a token in the onActivityResult method using the following code:

  GoogleSignInAccount account = result.getSignInAccount();
  String token = account.getIdToken();
  credentialsProvider = new CognitoCachingCredentialsProvider(
          Login.this,        // Context
          "My Pool ID",      // Identity Pool ID
          Regions.US_EAST_1  // Region
  );

I added the Google Client ID to Cognito using Federated Identities Management. I checked all the keys on the IAM accounts.google.com page, everything seems perfect.

  final Map<String, String> logins = new HashMap<String, String>();
  logins.put("accounts.google.com", account.getIdToken());
  credentialsProvider.setLogins(logins);
  credentialsProvider.refresh();

When I try to get the identity ID using the code below, I get an error: "The token is not from a supported provider of this identity pool." What could be the mistake?

  credentialsProvider.getIdentityId(); 
+5
source share
3 answers

In my case, I had a trailing slash in my IAM identity provider for accounts.google.com, for example:

IAM Provider List

The one that ends with a slash is wrong; the one without a slash works correctly. Interestingly, AWS shows the exact same thumbprint for both of them.

In the AWS IAM console, under Identity Providers > accounts.google.com, add the key for "Android client for com.example.yourstuff (automatically created by Google)" as an audience. It looks something like this: "222222222222-x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8 ..."

When building GoogleSignInOptions.Builder you need to call #requestIdToken with the web application key listed under OAuth 2.0 client IDs on the Google API > API Manager > Credentials page:

  new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
          .requestIdToken("999999whateverxxxx.apps.googleusercontent.com")
          .build()

(The token can be cached: if you run the application with the requestIdToken call, then delete the requestIdToken call and run it again, you can still get a result from the getIdToken() call on the GoogleSignInAccount object.)

The Google login code will eventually give you a GoogleSignInAccount object. Call #getIdToken on this object to get a string (in my case, it's 83 characters) that you are going to put in the logins hash:

  // Kotlin; use getIdToken() if you're still using Java
  private fun configureLogins(account: GoogleSignInAccount) {
      val token = account.idToken ?: return   // null when requestIdToken was not called
      val logins = HashMap<String, String>()
      logins["accounts.google.com"] = token
      credentialsProvider.logins = logins
      // ...
  }

If you do not have the correct key specified in IAM > Identity Providers > accounts.google.com, you will get a NotAuthorizedException (Invalid login token. Incorrect token audience.).

If you added an additional slash to accounts.google.com/, you will receive a NotAuthorizedException(Token is not from a supported provider of this identity pool.)

If you try to add accounts.google.com/ to the logins hash like this (do not do this; correct the IAM identity provider name instead):

 logins.put("accounts.google.com/", token); 

you will get a NotAuthorizedException (Invalid login token. Issuer doesn't match providerName).

If you use the wrong token, you will get a NotAuthorizedException (Invalid login token. Token signature invalid.).

(I suspect there are many other ways to fail; these are just the ones I found.)

+3
source
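The complete flow the answer above describes, as an added Java example (not code from the question or any of the answers): Google Sign-In configured with requestIdToken, the logins map keyed with the exact IAM provider name (no trailing slash), the Cognito exchange run off the main thread, and the NotAuthorizedException messages quoted above mapped to the configuration mistake each one indicates. It also reads the ID token's aud claim locally so a mismatch can be spotted before Cognito rejects it; that decode is for diagnostics only and does no signature verification. IDENTITY_POOL_ID and WEB_CLIENT_ID are placeholders, and the button wiring that calls startSignIn() is assumed to exist in the layout.

```java
import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;
import android.util.Base64;
import android.util.Log;
import com.amazonaws.auth.CognitoCachingCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.cognitoidentity.model.NotAuthorizedException;
import com.google.android.gms.auth.api.signin.*;
import com.google.android.gms.common.api.ApiException;
import org.json.JSONException;
import org.json.JSONObject;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;

public class LoginActivity extends Activity {
    private static final String TAG = "LoginActivity";
    private static final int RC_SIGN_IN = 9001;
    // Must match the IAM identity provider name exactly: no scheme, no trailing slash.
    private static final String GOOGLE_PROVIDER = "accounts.google.com";
    // Placeholders (assumed values): replace with your own pool ID and *web* OAuth client ID.
    private static final String IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000";
    private static final String WEB_CLIENT_ID = "000000000000-placeholder.apps.googleusercontent.com";

    private GoogleSignInClient signInClient;
    private CognitoCachingCredentialsProvider credentialsProvider;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Without requestIdToken(webClientId) getIdToken() returns null and the exchange cannot work.
        GoogleSignInOptions gso = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
                .requestIdToken(WEB_CLIENT_ID)
                .build();
        signInClient = GoogleSignIn.getClient(this, gso);
        credentialsProvider = new CognitoCachingCredentialsProvider(
                getApplicationContext(), IDENTITY_POOL_ID, Regions.US_EAST_1);
    }

    void startSignIn() {
        startActivityForResult(signInClient.getSignInIntent(), RC_SIGN_IN);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (requestCode != RC_SIGN_IN) return;
        try {
            GoogleSignInAccount account =
                    GoogleSignIn.getSignedInAccountFromIntent(data).getResult(ApiException.class);
            String idToken = account.getIdToken();
            if (idToken == null) {
                Log.e(TAG, "No ID token: requestIdToken() was not called with the web client ID");
                return;
            }
            // The aud claim must be one of the audiences registered on the IAM provider;
            // if it is not, Cognito will answer "Incorrect token audience".
            Log.d(TAG, "ID token aud=" + audienceOf(idToken));
            exchangeForCognitoIdentity(idToken);
        } catch (ApiException e) {
            Log.e(TAG, "Google sign-in failed, status " + e.getStatusCode());
        }
    }

    private void exchangeForCognitoIdentity(final String idToken) {
        final Map<String, String> logins = new HashMap<>();
        logins.put(GOOGLE_PROVIDER, idToken);
        credentialsProvider.setLogins(logins);
        // refresh() and getIdentityId() do network I/O: keep them off the main thread.
        new Thread(new Runnable() {
            @Override public void run() {
                try {
                    credentialsProvider.refresh();
                    Log.i(TAG, "Cognito identity: " + credentialsProvider.getIdentityId());
                } catch (NotAuthorizedException e) {
                    Log.e(TAG, explain(e.getErrorMessage()));
                }
            }
        }).start();
    }

    /** Maps the Cognito error strings quoted in the answer to the fix each one needs. */
    static String explain(String message) {
        if (message == null) return "NotAuthorizedException with no message";
        if (message.contains("not from a supported provider"))
            return "IAM provider name mismatch (e.g. trailing slash on accounts.google.com)";
        if (message.contains("Incorrect token audience"))
            return "token aud is not an audience on the IAM accounts.google.com provider";
        if (message.contains("Issuer doesn't match providerName"))
            return "logins map key must be exactly '" + GOOGLE_PROVIDER + "'";
        if (message.contains("Token signature invalid"))
            return "not a valid Google ID token (wrong token type or altered)";
        return "unhandled NotAuthorizedException: " + message;
    }

    /** Reads aud from the unverified JWT payload, for diagnostics only; Cognito verifies the signature. */
    static String audienceOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return null;
        byte[] json = Base64.decode(parts[1], Base64.URL_SAFE | Base64.NO_WRAP);
        try {
            return new JSONObject(new String(json, StandardCharsets.UTF_8)).optString("aud", null);
        } catch (JSONException e) {
            return null;
        }
    }
}
```

The explain() mapping is the useful part when debugging: the four messages are distinct, and each one points at a different place (the IAM provider name, its audience list, the logins map key, or the token itself), so logging the mapped reason saves guessing which of the three consoles to open.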

First check that you are using the correct user pool ID. If so, open the AWS Cognito console, select Federated Identities, then select the identity pool that you pass to Auth.configure. Click "Edit identity pool", then go to the "Authentication providers" tab. The first tab under it is "Cognito"; click Unlock next to the user pool ID and app client ID and enter the correct values there. Then you can log in successfully.

0
source

You need to add the Google provider app ID to your Cognito configuration for it to work correctly. You can do this from the Cognito console or from the Mobile Hub console for the identity pool.

Thanks Rohan

-1
source

Source: https://habr.com/ru/post/1268693/
