aws-amplify/aws-sdk-ios

AWSCognito and AWSS3 "Invalid login token."

Closed this issue · 5 comments

State your question

I'm trying to get AWS Cognito up and running here. We have been using Cognito for many years and used a very old Objective-C library, which no longer works. Maybe I'm just doing something wrong, or I don't understand something correctly.

Perhaps anyone can point me in the right direction.

In general, I would like to create temporary access credentials for the users in the app. The users are assigned a special authorisation which gives them access to certain functions in the S3.

We have implemented the ‘GetOpenIdTokenForDeveloperIdentity’ on our server. This works without any problems, we receive a correct response from Cognito with IdentityId and token.

{
   "IdentityId": "string",
   "Token": "string"
}

https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdTokenForDeveloperIdentity.html

The ‘documentation’ now states that we have to implement our own IdentityProvider.

https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html

I have done this and return, from `- (AWSTask <NSString*> *) token`, the token which I receive from our backend.

- (AWSTask <NSString*> *) token {

    // My Backend implementation to get the token. 

    // Set the identity id and return the token
    self.identityId = response.identityId;
    return [AWSTask taskWithResult:response.token];
}

The rest is implemented like this:

    // this is an AWSCognitoCredentialsProviderHelper with the `token` method implementation
    ILPS3IdentityProvider *ilpIdentityProvider = [[ILPS3IdentityProvider alloc]
                                                  initWithRegionType: self.cognitoRegion
                                                  identityPoolId: self.apiKey // apiKey bad naming of var. it is: *-*-1:*-ddf0-*-9f8c-*
                                                  useEnhancedFlow:NO
                                                  identityProviderManager: nil ];
   
    
    self.ilpCredentialsProvider = [[AWSCognitoCredentialsProvider alloc]
                                                          initWithRegionType: self.cognitoRegion
                                                          identityPoolId: self.apiKey
                                                          unauthRoleArn: nil
                                                          authRoleArn: self.awsRole
                                                          identityProviderManager: ilpIdentityProvider];

I then instantiated an AWSS3TransferUtility:

    // use the provider stored in self.ilpCredentialsProvider above
    AWSServiceConfiguration *configuration = [[[AWSServiceConfiguration alloc] initWithRegion:self.s3Region credentialsProvider:self.ilpCredentialsProvider] autorelease];
    
    AWSServiceManager.defaultServiceManager.defaultServiceConfiguration = configuration;
    
    [AWSS3 registerS3WithConfiguration: configuration forKey: S3_SERVICE_KEY];
    [AWSS3TransferUtility registerS3TransferUtilityWithConfiguration: configuration forKey: S3_SERVICE_KEY];
    
    self.transferManager = [AWSS3TransferUtility S3TransferUtilityForKey: S3_SERVICE_KEY];

And if we now try to upload something to the cloud with the AWSS3TransferUtility, the following error messages appear:

[AWSConnector] Could not retrieve CognitoIdentity: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Invalid login token. Can't pass in a Cognito token.}

Error fetching credentials: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Invalid login token. Can't pass in a Cognito token.}

Somehow I have the feeling that I have to log in again to ‘cognito-identity.amazonaws.com’ with the token? Could that be? If so, can someone show me an example or a part of the documentation?

Which AWS Services are you utilizing?

AWSCognito
AWSS3

Environment(please complete the following information):

  • SDK Version: 2.37.2
  • Dependency Manager: None, XCFramework setup
  • Swift Version : Objective-C

Device Information (please complete the following information):

  • Device: Simulator
  • iOS Version: iOS 17.5 and 18.0
  • Specific to simulators: iPad Pro 13" M4

I have done my best to find my way around the documentation but unfortunately it still doesn't work.

Thank you very much
Marcel

@MarcelHaldimann Would you be able to share verbose logs of the issue.

Verbose logging can be enabled using the following code. This would help us determine where the problem possibly could be.

    AWSDDLog.sharedInstance.add(AWSDDTTYLogger())
    AWSDDLog.sharedInstance.logLevel = .verbose

Hey @MarcelHaldimann, it seems you're using the wrong initializer for AWSCognitoCredentialsProvider, which results in your custom identity provider being wrapped inside another AWSCognitoCredentialsProviderHelper instance and leading to unexpected behaviour.

Instead, you should just use AWSCognitoCredentialsProvider initWithRegionType:identityProvider:.

self.ilpCredentialsProvider = [[AWSCognitoCredentialsProvider alloc] initWithRegionType: self.cognitoRegion
                                                                       identityProvider: ilpIdentityProvider];

Give it a try and if it still doesn't work, please provide the verbose logs as requested above.

Thanks!
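The complete developer-authenticated wiring that the answer above describes, as an added example that is not part of the original issue and not the SDK's own code. It assumes a backend endpoint (`https://backend.example.invalid/cognito/developer-token`, authenticated with the app's own bearer session token) that calls GetOpenIdTokenForDeveloperIdentity and returns the `{"IdentityId", "Token"}` JSON shown in the question; the region, identity pool id and registration key are placeholders, and the helper class name `ILPS3IdentityProvider` is borrowed from the question. It uses the enhanced flow, so the authenticated role is the one configured on the identity pool rather than a client-supplied `authRoleArn`.

```objective-c
// Added example, not the issue author's code nor aws-sdk-ios's own.
// Assumed/placeholder: backend URL, bearer session token, region, identity pool id, service key.
#import <AWSCore/AWSCore.h>
#import <AWSCognitoIdentity/AWSCognitoIdentity.h>
#import <AWSS3/AWSS3.h>

static NSString *const ILPS3ServiceKey = @"ilp-s3";                                               // placeholder
static NSString *const ILPTokenEndpoint = @"https://backend.example.invalid/cognito/developer-token"; // assumed

@interface ILPS3IdentityProvider : AWSCognitoCredentialsProviderHelper
// Assumed: the app's own session credential, used to authenticate to the backend
// before the backend is willing to call GetOpenIdTokenForDeveloperIdentity for this user.
@property (nonatomic, copy) NSString *appSessionToken;
@end

@implementation ILPS3IdentityProvider

// Called by the SDK whenever it needs a Cognito OpenID token. The backend replies
// {"IdentityId": "...", "Token": "..."}; identityId has to be stored on self before
// the token is returned, otherwise the SDK has no identity to request credentials for.
- (AWSTask<NSString *> *)token {
    AWSTaskCompletionSource<NSString *> *tcs = [AWSTaskCompletionSource taskCompletionSource];

    NSMutableURLRequest *request = [NSMutableURLRequest requestWithURL:[NSURL URLWithString:ILPTokenEndpoint]];
    request.HTTPMethod = @"POST";
    [request setValue:[@"Bearer " stringByAppendingString:self.appSessionToken ?: @""]
   forHTTPHeaderField:@"Authorization"];

    NSURLSessionDataTask *dataTask = [[NSURLSession sharedSession] dataTaskWithRequest:request
        completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
        if (error != nil) {
            [tcs setError:error];
            return;
        }
        NSInteger status = [(NSHTTPURLResponse *)response statusCode];
        id json = (data != nil) ? [NSJSONSerialization JSONObjectWithData:data options:0 error:NULL] : nil;
        NSString *identityId = [json isKindOfClass:[NSDictionary class]] ? json[@"IdentityId"] : nil;
        NSString *openIdToken = [json isKindOfClass:[NSDictionary class]] ? json[@"Token"] : nil;
        if (status != 200 ||
            ![identityId isKindOfClass:[NSString class]] ||
            ![openIdToken isKindOfClass:[NSString class]]) {
            // The response body is deliberately not copied into the error: it may carry the token.
            [tcs setError:[NSError errorWithDomain:@"ILPS3IdentityProvider"
                                              code:status
                                          userInfo:@{NSLocalizedDescriptionKey: @"backend did not return IdentityId and Token"}]];
            return;
        }
        self.identityId = identityId;
        [tcs setResult:openIdToken];
    }];
    [dataTask resume];
    return tcs.task;
}

@end

// Build the credentials provider with initWithRegionType:identityProvider:, which takes the
// custom helper directly. The identityPoolId:unauthRoleArn:authRoleArn:identityProviderManager:
// initializer used in the question wraps it in a second helper instead.
static AWSCognitoCredentialsProvider *ILPMakeCredentialsProvider(NSString *appSessionToken) {
    AWSRegionType region = AWSRegionEUCentral1;                                       // assumed
    NSString *identityPoolId = @"eu-central-1:00000000-0000-0000-0000-000000000000"; // placeholder

    ILPS3IdentityProvider *identityProvider =
        [[ILPS3IdentityProvider alloc] initWithRegionType:region
                                           identityPoolId:identityPoolId
                                          useEnhancedFlow:YES   // role comes from the identity pool
                                  identityProviderManager:nil];
    identityProvider.appSessionToken = appSessionToken;

    return [[AWSCognitoCredentialsProvider alloc] initWithRegionType:region
                                                    identityProvider:identityProvider];
}

// Register S3 and the TransferUtility against that provider and return the utility.
static AWSS3TransferUtility *ILPMakeTransferUtility(AWSCognitoCredentialsProvider *credentialsProvider) {
    AWSServiceConfiguration *configuration =
        [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionEUCentral1   // assumed S3 region
                                    credentialsProvider:credentialsProvider];
    [AWSS3 registerS3WithConfiguration:configuration forKey:ILPS3ServiceKey];
    [AWSS3TransferUtility registerS3TransferUtilityWithConfiguration:configuration forKey:ILPS3ServiceKey];
    return [AWSS3TransferUtility S3TransferUtilityForKey:ILPS3ServiceKey];
}

// Exercise the whole chain once, before the first upload. Logs the identity id and the
// credential expiry only; never the access key, secret key or session token.
static void ILPCheckCredentials(AWSCognitoCredentialsProvider *credentialsProvider) {
    [[credentialsProvider credentials] continueWithBlock:^id(AWSTask<AWSCredentials *> *task) {
        if (task.error != nil) {
            NSLog(@"Cognito credential fetch failed: %@", task.error);   // NotAuthorizedException surfaces here
        } else {
            NSLog(@"Cognito identity %@ has credentials valid until %@",
                  credentialsProvider.identityId, task.result.expiration);
        }
        return nil;
    }];
}
```

Calling `ILPCheckCredentials` once at startup exercises the whole chain (token from the backend, identity id, temporary credentials) before any S3 call, so a `NotAuthorizedException` like the one in the question surfaces there rather than inside a transfer. The check logs only the identity id and the expiry, not the access key, secret key or session token, and the provider's error path omits the backend response body for the same reason.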

@ruisebas @harsh62

Thank you for your feedback. As soon as I have time I will test it and provide the logs!

@ruisebas @harsh62

I tested it this week. At first glance, it now seems to work. I will close the issue. If I run into problems I will open it again or create a new one.

Many thanks!

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.