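def exchange_code_for_token(self, code: str, requests_client=None) -> str:
    """Redeem an authorization ``code`` at the Cognito token endpoint.

    Posts an ``authorization_code`` grant to ``{self.domain}/oauth2/token``.
    When the app client has a secret, the client credentials are sent as an
    HTTP Basic ``Authorization`` header (``client_id:client_secret``,
    base64-encoded), which is how the token endpoint authenticates
    confidential clients.

    Args:
        code: One-time authorization code taken from the redirect back to
            ``self.redirect_url``. Must be non-empty.
        requests_client: Optional callable ``fn(url, data=..., headers=...)``
            returning a response object with ``.json()``. Defaults to
            ``requests.post`` with a bounded timeout, so a stalled token
            endpoint cannot hang the request handler indefinitely.

    Returns:
        The ``access_token`` string from the token response.

    Raises:
        FlaskAWSCognitoError: if ``code`` is missing, the HTTP call fails,
            the body is not JSON, or the body carries no ``access_token``
            (the endpoint's error replies are JSON objects without one).
    """
    if not code:
        # An empty/missing code would otherwise be sent to Cognito and come
        # back as an opaque endpoint error; fail early with a clear message.
        raise FlaskAWSCognitoError("no authorization code provided")

    token_url = f"{self.domain}/oauth2/token"
    data = {
        "code": code,
        "redirect_uri": self.redirect_url,
        "client_id": self.user_pool_client_id,
        "grant_type": "authorization_code",
    }

    headers = {}
    if self.user_pool_client_secret:
        credentials = f"{self.user_pool_client_id}:{self.user_pool_client_secret}"
        secret = b64encode(credentials.encode("utf-8")).decode("utf-8")
        headers = {"Authorization": f"Basic {secret}"}

    if not requests_client:
        http_timeout_seconds = 10

        def _post_with_timeout(url, **kwargs):
            # ``requests`` has no default timeout; always bound outbound calls.
            return requests.post(url, timeout=http_timeout_seconds, **kwargs)

        requests_client = _post_with_timeout

    try:
        response = requests_client(token_url, data=data, headers=headers)
        response_json = response.json()
    except requests.exceptions.RequestException as e:
        raise FlaskAWSCognitoError(str(e)) from e
    except ValueError as e:
        # Non-JSON body (e.g. an HTML error page from a proxy). Older
        # ``requests`` raises a plain ValueError here, not a RequestException.
        raise FlaskAWSCognitoError(
            f"token endpoint returned a non-JSON response: {e}"
        ) from e

    if not isinstance(response_json, dict) or "access_token" not in response_json:
        raise FlaskAWSCognitoError(
            f"no access token returned for code {response_json}"
        )
    return response_json["access_token"]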
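def _load_jwk_keys(self) -> None:
    """Fetch the user pool's JSON Web Key Set and cache it on ``self.jwk_keys``.

    The JWKS is read over HTTPS from the well-known Cognito endpoint for
    ``self.region`` / ``self.user_pool_id`` using ``self.request_client``.
    These keys are what token signatures are later checked against, so a
    malformed document is rejected instead of being cached silently.

    Raises:
        FlaskAWSCognitoError: if the HTTP request fails, the body is not
            JSON, or the document has no ``keys`` list.
    """
    keys_url = (
        f"https://cognito-idp.{self.region}.amazonaws.com/"
        f"{self.user_pool_id}/.well-known/jwks.json"
    )
    try:
        response = self.request_client(keys_url)
        document = response.json()
    except requests.exceptions.RequestException as e:
        raise FlaskAWSCognitoError(str(e)) from e
    except ValueError as e:
        # Non-JSON body; older ``requests`` raises plain ValueError here.
        raise FlaskAWSCognitoError(
            f"JWKS endpoint returned a non-JSON response: {e}"
        ) from e

    # A JWKS is {"keys": [...]}; anything else would make every later
    # signature check fail in a confusing way (or, worse, pass a bad key on).
    keys = document.get("keys") if isinstance(document, dict) else None
    if not isinstance(keys, list):
        raise FlaskAWSCognitoError(f"invalid JWKS document from {keys_url}")
    self.jwk_keys = keys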
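def get_access_token(self, request_args) -> str:
    """Complete the authorization-code flow for the current callback request.

    Reads ``code`` and ``state`` from ``request_args`` (the callback's query
    parameters), checks ``state`` against the value this app issued, and
    redeems ``code`` for an access token via ``self.cognito_service``.

    Args:
        request_args: Mapping with ``.get`` (e.g. ``flask.request.args``)
            holding the ``code`` and ``state`` query parameters.

    Returns:
        The access token returned by
        ``self.cognito_service.exchange_code_for_token``.

    Raises:
        FlaskAWSCognitoError: if ``state`` is absent or does not match, or
            if ``code`` is absent.
    """
    import hmac

    code = request_args.get("code")
    state = request_args.get("state")
    expected_state = get_state(self.user_pool_id, self.user_pool_client_id)
    # Constant-time comparison so the check does not leak the expected value
    # through timing. A missing or non-string state is rejected up front
    # rather than handed to compare_digest (which would raise TypeError).
    # NOTE(review): get_state() is fed only the pool and client ids here, so
    # unless it also mixes in per-session entropy the expected value is
    # predictable and this is a weak login-CSRF defence — confirm get_state().
    if not isinstance(state, str) or not hmac.compare_digest(
        state.encode("utf-8"), str(expected_state).encode("utf-8")
    ):
        raise FlaskAWSCognitoError("State for CSRF is not correct ")
    if not code:
        # Without a code there is nothing to exchange; fail here with a clear
        # message instead of sending ``None`` to the token endpoint.
        raise FlaskAWSCognitoError("no authorization code in callback request")
    return self.cognito_service.exchange_code_for_token(code)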
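def get_user_info(self, access_token: str, requests_client=None) -> dict:
    """Fetch the user's profile from the Cognito ``/oauth2/userInfo`` endpoint.

    Args:
        access_token: Bearer access token obtained from the token endpoint.
            Must be non-empty.
        requests_client: Optional callable ``fn(url, headers=...)`` returning
            a response object with ``.json()``. Defaults to ``requests.post``
            with a bounded timeout, so a stalled endpoint cannot hang the
            request handler indefinitely.

    Returns:
        The decoded JSON body, exactly as the endpoint returned it. The HTTP
        status is not checked here, so an error body from the endpoint (for
        example on a rejected token) is passed through unchanged; callers
        should not treat a non-empty dict as proof that the token was valid.

    Raises:
        FlaskAWSCognitoError: if ``access_token`` is empty, the HTTP call
            fails, or the body is not JSON.
    """
    if not access_token:
        # An empty token would be sent as "Bearer " and only fail remotely.
        raise FlaskAWSCognitoError("no access token provided")

    user_url = f"{self.domain}/oauth2/userInfo"
    header = {"Authorization": f"Bearer {access_token}"}

    if not requests_client:
        http_timeout_seconds = 10

        def _post_with_timeout(url, **kwargs):
            # ``requests`` has no default timeout; always bound outbound calls.
            return requests.post(url, timeout=http_timeout_seconds, **kwargs)

        requests_client = _post_with_timeout

    try:
        response = requests_client(user_url, headers=header)
        response_json = response.json()
    except requests.exceptions.RequestException as e:
        raise FlaskAWSCognitoError(str(e)) from e
    except ValueError as e:
        # Non-JSON body; older ``requests`` raises plain ValueError here.
        raise FlaskAWSCognitoError(
            f"userInfo endpoint returned a non-JSON response: {e}"
        ) from e
    return response_json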
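def get_refreshed_access_token(self, request_args, refresh_token):
    """Return the cached access token, or refresh one for the current request.

    If ``self._access_token`` is already set it is returned as-is (no state
    check happens on that path). Otherwise the callback's ``state`` is
    checked against the value this app issued, and
    ``self.cognito_service.refresh_token`` is called with the callback's
    ``code`` (which may be ``None``; this method does not require it) and
    ``refresh_token``.

    Args:
        request_args: Mapping with ``.get`` (e.g. ``flask.request.args``).
        refresh_token: Refresh token previously issued to this user.

    Returns:
        ``self._access_token`` when cached, otherwise whatever
        ``self.cognito_service.refresh_token`` returns.

    Raises:
        FlaskAWSCognitoError: if ``state`` is absent or does not match.
    """
    import hmac

    if self._access_token:
        return self._access_token

    code = request_args.get("code")
    state = request_args.get("state")
    expected_state = get_state(self.user_pool_id, self.user_pool_client_id)
    # Constant-time comparison; a missing or non-string state is rejected up
    # front rather than letting compare_digest raise TypeError.
    # NOTE(review): get_state() is fed only the pool and client ids here, so
    # unless it also mixes in per-session entropy the expected value is
    # predictable and this is a weak login-CSRF defence — confirm get_state().
    if not isinstance(state, str) or not hmac.compare_digest(
        state.encode("utf-8"), str(expected_state).encode("utf-8")
    ):
        raise FlaskAWSCognitoError("State for CSRF is not correct ")
    return self.cognito_service.refresh_token(code, refresh_token)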
def __init__(self, user_pool_id, user_pool_client_id, region, request_client=None): self.region = region if not self.region: raise FlaskAWSCognitoError("No AWS region provided") self.user_pool_id = user_pool_id self.user_pool_client_id = user_pool_client_id self.claims = None if not request_client: self.request_client = requests.get else: self.request_client = request_client self._load_jwk_keys()
def __init__(self, user_pool_id, user_pool_client_id, region, request_client=None): # Remove any unexpected leading/trailing whitespace using .strip() self.region = region.strip() if not self.region: raise FlaskAWSCognitoError("No AWS region provided") self.user_pool_id = user_pool_id.strip() self.user_pool_client_id = user_pool_client_id.strip() self.claims = None if not request_client: self.request_client = requests.get else: self.request_client = request_client self._load_jwk_keys()