GetTokensFromRefreshToken Requires AWS Credentials in Browser Environment #7030

Open
@xspirus

Description

Describe the bug

When using the GetTokensFromRefreshToken operation from the @aws-sdk/client-cognito-identity-provider package in a browser environment, the SDK requires AWS credentials to be set. This is unexpected, as the operation is intended to be used with a refresh token and client ID, without necessitating AWS credentials.

Regression Issue

  • Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/client-cognito-identity-provider@3.794.0

Which JavaScript Runtime is this issue in?

Browser

Details of the browser/Node.js/ReactNative version

Firefox@137.0

Reproduction Steps

This is the code that I am using

import {
  CognitoIdentityProviderClient,
  GetTokensFromRefreshTokenCommand,
} from "@aws-sdk/client-cognito-identity-provider";

const client = new CognitoIdentityProviderClient({
  region: "eu-north-1",
});

export const refreshTokens = async (refreshToken) => {
  const command = new GetTokensFromRefreshTokenCommand({
    ClientId: "your-client-id",
    RefreshToken: refreshToken,
  });

  try {
    const response = await client.send(command);
    return response.AuthenticationResult;
  } catch (error) {
    console.error("Error refreshing tokens:", error);
    throw error;
  }
};

Observed Behavior

Error: Credential is missing
credentialDefaultProvider runtimeConfig.browser.js:22
fn resolveAwsSdkSigV4Config.js:127
httpAuthSchemeMiddleware httpAuthSchemeMiddleware.js:31
loggerMiddleware loggerMiddleware.js:3
send client.js:35
refreshTokens chisels.ts:146
initializeAuth slice.ts:86
Redux 3
createImmutableStateInvariantMiddleware Immutable
createActionCreatorInvariantMiddleware Redux
dispatch :6
App app.tsx:36
React 7
workLoop scheduler.development.js:266
flushWork scheduler.development.js:239
performWorkUntilDeadline scheduler.development.js:533
js scheduler.development.js:571
js scheduler.development.js:633
__require chunk-DC5AMYBS.js:9
js index.js:6
__require chunk-DC5AMYBS.js:9
React 2
__require chunk-DC5AMYBS.js:9
js React
__require chunk-DC5AMYBS.js:9
js React
__require chunk-DC5AMYBS.js:9
react-dom_client.js:38
:1:145535

Expected Behavior

The GetTokensFromRefreshToken operation should not require AWS credentials when used in the browser, as it operates with a refresh token and client ID. Requiring AWS credentials in this context is inconsistent with the intended use of the operation.

The AWS documentation for GetTokensFromRefreshToken does not specify the need for AWS credentials:

This behavior differs from other operations like InitiateAuth, which do not require AWS credentials in similar contexts.

Possible Solution

Specify optionalAuth in cognito smithy configuration file for this operation.

Additional Information/Context

If the client is initialized as follows:

const client = new CognitoIdentityProviderClient({
  credentials: {
    accessKeyId: "123",
    secretAccessKey: "123",
  },
  region: "eu-north-1",
});

, then the operation succeeds.

Activity

Labels added: bug, needs-triage (on Apr 24, 2025)
Self-assigned this on Apr 28, 2025

aBurmeseDev commented on Apr 30, 2025

@aBurmeseDev
Contributor

Hi @xspirus - appreciate you reaching out.

This error occurs because your AWS credentials aren't properly set up. The SDK automatically checks several locations for valid credentials, but can't find any, which is why you're seeing this error.

To fix this, you'll need to provide valid credentials before calling GetTokensFromRefreshTokenCommand. It seems your client isn't being initialized with the proper credentials.

For browser environments, you'll want to use fromCognitoIdentityPool from @aws-sdk/credential-providers to get credentials from your identity pool. Check out these docs: https://docs.aws.amazon.com/sdk-for-javascript/v3/developer-guide/loading-browser-credentials-cognito.html

import { S3Client } from "@aws-sdk/client-s3";
import { fromCognitoIdentityPool } from "@aws-sdk/credential-providers";

const REGION = "AWS_REGION"; // placeholder: replace with your region

const s3Client = new S3Client({
  region: REGION,
  credentials: fromCognitoIdentityPool({
    clientConfig: { region: REGION }, // Configure the underlying CognitoIdentityClient.
    identityPoolId: "IDENTITY_POOL_ID",
    logins: {
      // Optional tokens, used for authenticated login.
    },
  }),
});

Hope that helps!

Labels added: response-requested, p3; label removed: needs-triage (on Apr 30, 2025)

xspirus commented on May 2, 2025

@xspirus
Author

Hi @aBurmeseDev - thanks for the response.

I understand why the error occurs. The issue is that the documentation does not state that credentials are required. What's more interesting is that whatever credentials are provided (even dummy ones), the operation succeeds. This leads me to the conclusion that AWS credentials are not actually needed for this operation. This is the reason I opened this issue.

Label removed: response-requested (on May 3, 2025)

aBurmeseDev commented on May 3, 2025

@aBurmeseDev
Contributor

> The issue is that the documentation does not state that credentials are required

Correct, it's because the user needs to provide AWS credentials for every client command as an initial step of using the AWS SDK, as mentioned in the docs I shared above. If AWS credentials aren't set up properly, you won't be able to make any API call, and will see the "Credential is missing" error. It's not specific to this command.

> What's more interesting, is that whatever credentials are provided (even dummy ones), the operation succeeds.

This is strange; that shouldn't be the case. Are you saying you are able to successfully call this client command with made-up AWS credentials? What's the response? Can you share the output?

Label added: response-requested (on May 3, 2025)

xspirus commented on May 5, 2025

@xspirus
Author

> Correct, it's because user needs to provide AWS credentials for every client command as an initial step of using AWS SDK as mentioned in the docs I shared above. If AWS credentials aren't set up properly, you won't be able to make any API call, and will see "Credential is missing" error, It's not specific to this command.

This is not entirely true. There are several operations in AWS Cognito that do not require credentials at all. For example, GetUser does not require AWS Credentials, but only a valid AccessToken provided by the user of a User Pool. In this documentation the following is also present:

Image

Investigating the code and specifically the following

https://github.com/aws/aws-sdk-js-v3/blob/1870921a58349548efa1b0858cd481e22b2a7e4d/codegen/sdk-codegen/aws-models/cognito-identity-provider.json#L10390-L10432

we can see that smithy.api#optionalAuth: {} is defined, meaning that this operation does not require AWS credentials to succeed.

> This's strange, that shouldn't be the case. Are you saying you are able to successfully call this client command with made-up AWS Credentials? What's the response? Can you share the output?

The output is a normal GetTokensFromRefreshTokensResponse.

Taking all of the above into consideration, I think that this API is meant to be similar to GetUser, i.e. it does not need to use credentials but only a token provided by a Cognito authenticated user, and the solution is probably to just specify smithy.api#optionalAuth: {} in this command as well.
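
The manual model check described in the comment above can be automated. This is an added example, not part of the thread and not the SDK's own code: it scans a Smithy JSON AST model for operations that lack `smithy.api#optionalAuth` (or an empty `smithy.api#auth` list) and will therefore make a generated client demand credentials. The `sampleModel` excerpt is constructed to mirror what the thread reports, and `ExampleNoAuthOp` is a hypothetical operation.

```javascript
// Constructed excerpt in Smithy JSON AST form. It mirrors the thread's
// description; it is not copied from cognito-identity-provider.json.
const sampleModel = {
  smithy: "2.0",
  shapes: {
    "com.amazonaws.cognitoidentityprovider#GetUser": {
      type: "operation",
      traits: { "smithy.api#optionalAuth": {} },
    },
    "com.amazonaws.cognitoidentityprovider#GetTokensFromRefreshToken": {
      type: "operation",
      traits: {}, // no optionalAuth, as reported in the issue
    },
    // Hypothetical operation: an empty auth list also disables signing.
    "com.amazonaws.cognitoidentityprovider#ExampleNoAuthOp": {
      type: "operation",
      traits: { "smithy.api#auth": [] },
    },
    "com.amazonaws.cognitoidentityprovider#GetUserRequest": {
      type: "structure",
      members: {},
    },
  },
};

// Split operations by whether a generated client must sign them.
function classifyAuth(model) {
  const result = { signed: [], unsignedAllowed: [] };
  for (const [shapeId, shape] of Object.entries(model.shapes ?? {})) {
    if (shape.type !== "operation") continue; // skip structures etc.
    const traits = shape.traits ?? {};
    const optional = Object.hasOwn(traits, "smithy.api#optionalAuth");
    const authList = traits["smithy.api#auth"];
    const noAuth = Array.isArray(authList) && authList.length === 0;
    const name = shapeId.split("#")[1];
    (optional || noAuth ? result.unsignedAllowed : result.signed).push(name);
  }
  return result;
}

// Of the operations expected to work with only a user-pool token,
// return those the model still marks as requiring a signature.
function missingOptionalAuth(model, tokenOnlyOps) {
  const { signed } = classifyAuth(model);
  return tokenOnlyOps.filter((op) => signed.includes(op));
}

console.log(missingOptionalAuth(sampleModel, ["GetUser", "GetTokensFromRefreshToken"]));
```
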

Label removed: response-requested (on May 6, 2025)