globalSignOut (with accessToken) in CognitoIdentityProviderClient is looking for IAM auth data #4074
Description
Describe the bug
Hi, I am trying to make graceful logout for Cognito userPool user with existing auth session using the code below:
CognitoIdentityProviderClient cognitoClient = CognitoIdentityProviderClient.builder()
.region(Region.of( "eu-central-1"))
.credentialsProvider(DefaultCredentialsProvider.create())
.build();
try {
GlobalSignOutRequest logoutRequest = GlobalSignOutRequest.builder()
.accessToken(sessionManager.getProperty("accessToken")) // set existing auth token
.build();
// calling the globalSignOut method on the client to log out the user
GlobalSignOutResponse logoutResponse = cognitoClient.globalSignOut(logoutRequest);
return 0;
} catch (NotAuthorizedException e) {
return output.handleCommandException(e, "Unable to logout because your session is not valid: " + e.getMessage());
} catch (Exception e) {
return output.handleCommandException(e, "Unable to logout gracefully due to some error: " + e.getMessage());
}Expected Behavior
I am expecting to catch the case when an accessToken has already expired to notify a user
I expect that the provided accessToken is used and only that, without trying to find other credentials in the system
Current Behavior
I currently receive multiple error messages:
2023-06-07 23:07:53,310 DEBUG [sof.ama.aws.cor.int.ExecutionInterceptorChain] (Quarkus Main Thread) Interceptor 'software.amazon.awssdk.services.cognitoidentityprovider.endpoints.internal.CognitoIdentityProviderEndpointAuthSchemeInterceptor@7721a9ae' modified the message with its modifyRequest method.
2023-06-07 23:07:53,319 DEBUG [sof.ama.aws.aut.cre.AwsCredentialsProviderChain] (Quarkus Main Thread) Unable to load credentials from SystemPropertyCredentialsProvider(): Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).: software.amazon.awssdk.core.exception.SdkClientException: Unable to load credentials from system settings. Access key must be specified either via environment variable (AWS_ACCESS_KEY_ID) or system property (aws.accessKeyId).
at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:111)
at software.amazon.awssdk.auth.credentials.internal.SystemSettingsCredentialsProvider.resolveCredentials(SystemSettingsCredentialsProvider.java:58)
at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:96)
at software.amazon.awssdk.auth.credentials.internal.LazyAwsCredentialsProvider.resolveCredentials(LazyAwsCredentialsProvider.java:45)
at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:128)
at software.amazon.awssdk.core.internal.util.MetricUtils.measureDuration(MetricUtils.java:50)
at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.resolveCredentials(AwsCredentialsAuthorizationStrategy.java:100)
at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.addCredentialsToExecutionAttributes(AwsCredentialsAuthorizationStrategy.java:77)
at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:123)
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:69)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:78)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:179)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:76)
at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:56)
at software.amazon.awssdk.services.cognitoidentityprovider.DefaultCognitoIdentityProviderClient.globalSignOut(DefaultCognitoIdentityProviderClient.java:5399)
at me.peerf.LogoutCommand.call(LogoutCommand.java:106)
which is followed by:
2023-06-07 23:07:53,347 DEBUG [sof.ama.aws.aut.cre.AwsCredentialsProviderChain] (Quarkus Main Thread) Unable to load credentials from ProfileCredentialsProvider(profileName=default, profileFile=ProfileFile(profilesAndSectionsMap=[])): Profile file contained no credentials for profile 'default': ProfileFile(profilesAndSectionsMap=[]): software.amazon.awssdk.core.exception.SdkClientException: Profile file contained no credentials for profile 'default': ProfileFile(profilesAndSectionsMap=[])
at software.amazon.awssdk.core.exception.SdkClientException$BuilderImpl.build(SdkClientException.java:111)
at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.lambda$createCredentialsProvider$2(ProfileCredentialsProvider.java:173)
at java.base/java.util.Optional.orElseThrow(Optional.java:408)
at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.createCredentialsProvider(ProfileCredentialsProvider.java:170)
at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.handleProfileFileReload(ProfileCredentialsProvider.java:135)
at software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider.resolveCredentials(ProfileCredentialsProvider.java:126)
at software.amazon.awssdk.auth.credentials.AwsCredentialsProviderChain.resolveCredentials(AwsCredentialsProviderChain.java:96)
at software.amazon.awssdk.auth.credentials.internal.LazyAwsCredentialsProvider.resolveCredentials(LazyAwsCredentialsProvider.java:45)
at software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider.resolveCredentials(DefaultCredentialsProvider.java:128)
at software.amazon.awssdk.core.internal.util.MetricUtils.measureDuration(MetricUtils.java:50)
at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.resolveCredentials(AwsCredentialsAuthorizationStrategy.java:100)
at software.amazon.awssdk.awscore.internal.authcontext.AwsCredentialsAuthorizationStrategy.addCredentialsToExecutionAttributes(AwsCredentialsAuthorizationStrategy.java:77)
at software.amazon.awssdk.awscore.internal.AwsExecutionContextBuilder.invokeInterceptorsAndCreateExecutionContext(AwsExecutionContextBuilder.java:123)
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.invokeInterceptorsAndCreateExecutionContext(AwsSyncClientHandler.java:69)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:78)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:179)
at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:76)
at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:56)
at software.amazon.awssdk.services.cognitoidentityprovider.DefaultCognitoIdentityProviderClient.globalSignOut(DefaultCognitoIdentityProviderClient.java:5399)
at me.peerf.LogoutCommand.call(LogoutCommand.java:106)
it looks like the SDK client is trying to load IAM credentials instead of userPool' ones..
Reproduction Steps
just repeat the given piece of code
Possible Solution
not found
Additional Information/Context
I am using quarkus 2.16.6.Final
AWS Java SDK version used
2.20.74
JDK version used
11.0.2 2019-01-15 LTS
Operating System and version
MACOS 13.4 (22F66)