AWS Cognito TOKEN Endpoint giving a 400 Bad Request error "unauthorized_client"

Question

Following the documentation from https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html after successfully retrieving an authentication code.

As far as I can tell this is exactly how the request is supposed to be setup:

import request from 'request'

function fetchToken(code: any, clientId: string, clientSecret: string) {
  try {
    let tokenEndpoint = `https://example.auth.us-east-1.amazoncognito.com/oauth2/token`
    const clientIdEncoded = Buffer.from(`${clientId}:${clientSecret}`).toString('base64')

    request.post({
      url:tokenEndpoint,
      headers: {
        'Content-Type':'application/x-www-form-urlencoded',
        'Authorization':`Basic ${clientIdEncoded}`
      },
      form: {
        code,
        'grant_type':'authorization_code',
        'client_id':clientId,
        'redirect_uri':'http://localhost:3000'
      }},
      function(err,httpResponse,body){
        console.log(httpResponse.statusCode)
        //400
        console.log(httpResponse.statusMessage)
        //Bad Request
        if(err) {
          console.error(err)
        }

        console.log(body)
        //{"error":"unauthorized_client"}
      })
  } catch (error) {
    console.error(error)
  }
}

Why would be getting unauthorized_client? Is there an easier way to debug this?

Edit: tested this in Postman with the same request and getting the same error

Headers Body

Answer 1

Please check if the Cognito User Pool App is using secret key. If you have created with secret key option, that must be included in the Authorization header of the request.