
I am working on an AWS Cognito Authentication solution for my website. I have had the initial code working for some time and now I want to add the ability for a user to see their email and other user properties on my site and be able to update them.

First step is just to retrieve the user email, etc.

I have done this previously with the AWS SDK v3 for javascript from the client side, but this requires that I have my access_token on the client side. So, I investigated retrieving the userInfo from the userInfo endpoint with curl. That works, but doesn't send back given_name (I got given_name when calling from javascript, no I am not missing openid scope).

Now I am trying to use the AWS SDK for PHP v3. I have the following code:


    require 'aws.phar';
    use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;

    // $servername, $username, $password and $dbname are defined elsewhere (e.g. an included config file)
    $userId = filter_input(INPUT_POST, "userId", FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    $uuid = filter_input(INPUT_POST, "uuid", FILTER_SANITIZE_FULL_SPECIAL_CHARS);

    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $conn = null; // initialised so the catch block can close it safely even when the connection itself fails
    try {
        // get the access token for the user and uuid
        $conn = new mysqli($servername, $username, $password, $dbname);

        $stmt = $conn->prepare("SELECT accessToken FROM userconnect WHERE userId = ? AND UUID = ?");
        $stmt->bind_param("ss", $userId, $uuid);
        $stmt->execute();
        $output = $stmt->get_result();
        if ($output->num_rows > 0) {
            $row = $output->fetch_assoc();
            $accessToken = $row['accessToken'];
            error_log($accessToken); // debug only: this writes a bearer token into the server log

            // no 'credentials' option here, so the SDK falls back to its default credential provider chain
            $client = new CognitoIdentityProviderClient([
                'region' => 'us-east-1',
                'version' => 'latest'
            ]);
            $result = $client->getUser([
                'AccessToken' => $accessToken
            ]);
            echo json_encode($result);
            $conn->close();
        }
        else {
            $conn->close();
            die("loggedOut"); // user is not logged in anymore
        }
    }
    catch (Exception $e) {
        if ($conn !== null) {
            $conn->close();
        }
        $error = "Error: Exception during retrieval of accessToken: " . $e->getMessage() . " Line:" . $e->getLine() . "'" . $e->getCode();
        error_log($error);
        die($error);
    }

I first get the accessToken from the database, then send it into getUser. From the getUser call I am getting an exception: Error retrieving credentials from the instance profile metadata service. (cURL error 28: Connection timed out after 1000 milliseconds (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for http://.../latest/meta-data/iam/security-credentials/) Line:299'0".

I experimented earlier with DynamoDB and had that working through javascript, and I had to retrieve credentials to access dynamoDB. But, from what I have done on the javascript side, I did not need to retrieve credentials for a call to getUser. That works just with the access token.

It appears that just sending the access token to getUser in PHP does not work, though. So I am confused. Do I need to do something more before I call getUser when using PHP?

Any guidance would be helpful. This is the first call I have tried to make from php sdk to AWS. Authentication and tokens were retrieved just by using curl from php to invoke the token endpoint.

I have googled the error message I am getting along with the use of getUser, PHP, SDK, AWS, etc. I do not find a similar problem. In most cases people seem to have the problem when using dynamoDB or other services, where I understand credentials are required.

Is there anyone out there familiar with calling just the getUser method and what is required before invoking it from my php?

  • I found here: stackoverflow.com/questions/27400563/…, the suggestion to add credentials to the object passed to the client constructor. This contains key and secret. With those in place, I now get an error "Error executing "GetUser" on "cognito-idp.us-east-1.amazonaws.com"; AWS HTTP error: cURL error 60: SSL certificate problem: unable to get local issuer certificate" which I assume is because I am coming from a http:// localhost environment.
    – aff
    Commented Jul 10 at 19:06

1 Answer


So far I have modified the client constructor to be:

    $client = new CognitoIdentityProviderClient([
        'region' => 'us-east-1',
        'version' => 'latest',
        'credentials' => array(
            'key' => $clientId,
            'secret' => $client_secret
        )
    ]);

That gets past the first error, then error "Error executing "GetUser" on "https://cognito-idp.us-east-1.amazonaws.com"; AWS HTTP error: cURL error 60: SSL certificate problem: unable to get local issuer certificate " is occurring.

Apparently, "credentials" in this case means client id and client secret, rather than the "credentials" needed for something like dynamodb.

To get around the localhost problem I looked for something similar to:

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // remove when running from real website

that I used to get around the problem for my curl calls.

Here: SSL verify setting, I found I could add a bit to the client input again:

    $client = new CognitoIdentityProviderClient([
        'region' => 'us-east-1',
        'version' => 'latest',
        'http' => array(
            'verify' => false
        ),
        'credentials' => array(
            'key' => $clientId,
            'secret' => $client_secret
        )
    ]);

Now, when I run, I get no error messages. It looks like it is working. I am seeing data on the php side, just need to get it out of the structure correctly. And, it returned "given_name" where the curl call to the userInfo endpoint did not.

Changed the end of the php to:

         $attributes =  $result->get("UserAttributes");
         echo json_encode($attributes);
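The following is an added example, not code from the asker or from the AWS SDK, that puts the two pieces discussed on this page together (looking up the access token and calling `getUser`, then reading `UserAttributes`) with a client configuration that does not disable TLS verification. It relies on two documented SDK options: `'credentials' => false` makes the SDK send unsigned requests, which is all `GetUser` needs because that operation is authorized by the access token rather than by IAM, so neither an IAM key/secret nor the app client id/secret belongs in the `credentials` slot; and `'verify'` can take the path to a CA bundle instead of `false`. The function names, the `$caBundle` path and the `$accessToken` variable are assumptions for this illustration.

```php
<?php
// Added example (not the asker's or the SDK's code). Assumes aws.phar sits next
// to this file and that $accessToken was loaded from the userconnect table the
// way the question shows. The CA bundle path is a placeholder for your system.
require 'aws.phar';

use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
use Aws\CognitoIdentityProvider\Exception\CognitoIdentityProviderException;

/**
 * Build a Cognito client for the token-authorized GetUser call.
 *
 * 'credentials' => false: send unsigned requests. GetUser is authorized by the
 *   access token alone, so no signing key is needed.
 * 'verify' => path: keep certificate verification on, using an explicit CA
 *   bundle. With 'verify' => false anyone on the network path could present a
 *   fake cognito-idp endpoint and read the access token.
 */
function buildCognitoClient(string $region, string $caBundle): CognitoIdentityProviderClient
{
    return new CognitoIdentityProviderClient([
        'region'      => $region,
        'version'     => 'latest',
        'credentials' => false,
        'http'        => [
            'verify'          => $caBundle, // e.g. '/etc/ssl/certs/ca-certificates.crt' (placeholder)
            'connect_timeout' => 5,
            'timeout'         => 10,
        ],
    ]);
}

/**
 * Call GetUser and flatten UserAttributes ([{Name, Value}, ...]) into a map
 * keyed by attribute name ('email', 'given_name', ...).
 * Returns null when Cognito rejects the token (expired, revoked, wrong pool),
 * which callers should treat like the "loggedOut" branch in the question.
 */
function fetchUserProfile(CognitoIdentityProviderClient $client, string $accessToken): ?array
{
    try {
        $result = $client->getUser(['AccessToken' => $accessToken]);
    } catch (CognitoIdentityProviderException $e) {
        // NotAuthorizedException is the "token no longer valid" case; anything else is a real fault.
        if ($e->getAwsErrorCode() === 'NotAuthorizedException') {
            return null;
        }
        // Log the error code, never the token itself.
        error_log('GetUser failed: ' . $e->getAwsErrorCode() . ' ' . $e->getAwsErrorMessage());
        throw $e;
    }

    $profile = ['username' => $result['Username']];
    foreach ($result->get('UserAttributes') as $attr) {
        $profile[$attr['Name']] = $attr['Value'];
    }
    return $profile;
}

// Usage (assumes $accessToken came from the database lookup shown in the question):
// $client  = buildCognitoClient('us-east-1', '/etc/ssl/certs/ca-certificates.crt');
// $profile = fetchUserProfile($client, $accessToken);
// header('Content-Type: application/json');
// echo $profile === null ? 'loggedOut' : json_encode($profile);
```

On a local Windows PHP install, cURL error 60 normally means PHP has no CA bundle configured at all; pointing `curl.cainfo` in php.ini (or the `'verify'` option above) at a bundle file resolves it without turning verification off, so the same configuration can be used in development and in production.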
