I am working on an AWS Cognito Authentication solution for my website. I have had the initial code working for some time and now I want to add the ability for a user to see their email and other user properties on my site and be able to update them.
First step is just to retrieve the user email, etc.
I have done this previously with the AWS SDK v3 for javascript from the client side, but this requires that I have my access_token on the client side. So, I investigated retrieving the userInfo from the userInfo endpoint with curl. That works, but doesn't send back given_name (I got given_name when calling from javascript, no I am not missing openid scope).
Now I am trying to use the AWS SDK for PHP v3. I have the following code:
require 'aws.phar';
use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
$userId = filter_input(INPUT_POST, "userId", FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$uuid = filter_input(INPUT_POST, "uuid", FILTER_SANITIZE_FULL_SPECIAL_CHARS);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
try {
// get the access token for the user and uuid
$conn = new mysqli($servername, $username, $password, $dbname);
$stmt = $conn->prepare("SELECT accessToken FROM userconnect WHERE userId = ? AND UUID = ?");
$stmt->bind_param("ss", $userId, $uuid);
$stmt->execute();
$output = $stmt->get_result();
if ($output->num_rows > 0){
$row = $output->fetch_assoc();
$accessToken = $row['accessToken'];
error_log($accessToken);
$client = new CognitoIdentityProviderClient([
'region' => 'us-east-1'
]);
$result = $client->getUser([
'AccessToken' => $accessToken
]);
echo json_encode($result);
$conn->close();
}
else {
$conn->close();
die ("loggedOut"); // user is not logged in anymore
}
}
catch (Exception $e){
$conn->close();
$error = "Error: Exception during retrieval of accessToken: ".$e->getMessage()." Line:".$e->getLine()."'".$e->getCode();
error_log($error);
die($error);
}
I first get the accessToken from the database, then send it into getUser. From the getUser call I am getting an exception: Error retrieving credentials from the instance profile metadata service. (cURL error 28: Connection timed out after 1000 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://.../latest/meta-data/iam/security-credentials/) Line:299'0".
I experimented earlier with DynamoDB and had that working through javascript, and I had to retrieve credentials to access dynamoDB. But, from what I have done on the javascript side, I did not need to retrieve credentials for a call to getUser. That works just with the access token.
It appears that just sending the access token to getUser in PHP does not work, though. So I am confused. Do I need to do something more before I call getUser when using PHP?
Any guidance would be helpful. This is the first call I have tried to make from php sdk to AWS. Authentication and tokens were retrieved just by using curl from php to invoke the token endpoint.
I have googled the error message I am getting along with the use of getUser, PHP, SDK, AWS, etc. I do not find a similar problem. In most cases people seem to have the problem when using dynamoDB or other services, where I understand credentials are required.
Is there anyone out there familiar with calling just the getUser method and what is required before invoking it from my php?