
"Access token does not contain openid scope" in AWS Cognito

I am running a working AWS Cognito service on a frontend application which can successfully do the basic stuff - login, logout, signup, etc.

Right now I am trying to get user attributes through the backend API, such that:

1) The user logs in to the application and gets a JWT.

2) The JWT is being sent to the backend server.

3) The server has to extract the email of the user by using the access token.

The closest thing that I found to what I need is this Cognito service.

So I am making a GET request to "https://mydomain.auth.eu-central-1.amazoncognito.com/oauth2/userInfo" with an Authorization header as they ask for, but I keep getting this response:

{ "error": "invalid_token", "error_description": "Access token does not contain openid scope" }

I have tried searching for this error but couldn't find any explanation about the error.

Thanks in advance

Erez Shlomo asked Sep 20 '18 12:09


People also ask

Does Cognito support OpenID connect?

OpenID Connect is an open standard for authentication that a number of login providers support. Amazon Cognito lets you link identities with OpenID Connect providers that you configure through AWS Identity and Access Management.

What is the difference between access token and ID token in AWS Cognito?

The ID token contains claims about the identity of the authenticated user, such as name and email. The access token contains claims about the authenticated user, a list of the user's groups, and a list of scopes. Amazon Cognito also has tokens that you can use to get new tokens or revoke existing tokens.

What is the OpenID scope?

OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's details, like name and picture. Each scope returns a set of user attributes, which are called claims. The scopes an application should request depend on which user attributes the application needs.


2 Answers

Erez, are you using a custom UI? Because the custom UI uses flows that are completely separated from the OAuth2 ones (USER_SRP_AUTH, USER_PASSWORD_AUTH). Tokens that are released with these flows are not OpenID Connect compliant (basically they don't contain the openid scope) so you cannot use them to gather user info (since the userinfo endpoint is OpenID Connect compliant and needs to be invoked with JWTs compliant with the OIDC standard). We're also struggling with that, I'm sorry.

Reste85 answered Oct 04 '22 23:10


I had this exact problem and it was my fault. I was sending the id_token instead of access_token property of the token.
I program in PHP, so I was sending as header "Authorization: Bearer ".$token->id_token instead of "Authorization: Bearer ".$token->access_token. Now it works.

Hope it helps you or someone.

strgtasa answered Oct 04 '22 22:10
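Both answers come down to inspecting which token the backend is about to forward. The following is an added example, not code from either answer or from AWS: it reads the (unverified) payload of a Cognito JWT, reports why the userInfo endpoint would reject it (ID token instead of access token, or an access token issued without the openid scope), and only then builds the request. The sample tokens are constructed and unsigned; the domain name is the one from the question.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    This is a pre-flight check only: the backend must still verify the signature
    against the user pool's JWKS before trusting any claim (e.g. email)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def userinfo_token_problem(jwt: str) -> Optional[str]:
    """Explain why /oauth2/userInfo would reject this token, or None if it looks usable.
    Cognito access tokens carry token_use == "access" and a space-separated "scope"
    claim; Cognito ID tokens carry token_use == "id" and no "scope" claim at all."""
    claims = decode_claims(jwt)
    token_use = claims.get("token_use")
    if token_use == "id":
        return "this is the ID token; send the access token instead"
    if token_use != "access":
        return "unexpected token_use %r" % (token_use,)
    if "openid" not in claims.get("scope", "").split():
        return "access token was issued without the openid scope (non-OAuth2 flow?)"
    return None


def userinfo_request(domain: str, jwt: str) -> dict:
    """Describe the GET request for the userInfo endpoint, refusing tokens that would fail."""
    problem = userinfo_token_problem(jwt)
    if problem:
        raise ValueError(problem)
    return {"method": "GET", "url": "https://%s/oauth2/userInfo" % domain,
            "headers": {"Authorization": "Bearer " + jwt}}


def _fake_jwt(payload: dict) -> str:
    # Constructed, unsigned sample token for offline demonstration only.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return "%s.%s.sig" % (enc({"alg": "none"}), enc(payload))


ID_TOKEN = _fake_jwt({"token_use": "id", "email": "user@example.com"})          # strgtasa's mistake
SRP_ACCESS_TOKEN = _fake_jwt({"token_use": "access", "scope": "aws.cognito.signin.user.admin"})
OIDC_ACCESS_TOKEN = _fake_jwt({"token_use": "access", "scope": "openid email profile"})
```

The SRP_ACCESS_TOKEN sample models the first answer's case (an access token from a non-OAuth2 flow with no openid scope); in production, replace the constructed tokens with the ones returned by Cognito.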