I am having difficulty with the authorization code flow in Amazon Cognito. The workflow that I am trying to build is the following:
I have created a client without client secret. I authenticate using the Cognito UI, get back the code, then send the following with Postman:
URL: https://MY-DOMAIN/oauth2/token
Method: POST
Headers:
Content-Type: application/x-www-form-urlencoded
Body:
grant_type=authorization_code&
client_id=<my-client-id>&
code=<code-from-cognito-ui>&
redirect_uri=<my-redirect-url>
I do not use Authorization since there's no client secret.
In return I receive:
Code: 400
Body: { "error": "invalid_client" }
The app client is allowed authorization code grant in the AWS Cognito console.
Grant type. Must be authorization_code or refresh_token or client_credentials. You can request an access token for a custom scope from the token endpoint when, in the app client, the requested scope is enabled, you have configured a client secret, and you have allowed client_credentials grants. Required.
A request to the token endpoint is used to exchange an authorization code for an access token. Requests to the token endpoint are authenticated using client credentials through either basic authentication or by including them as POST parameters, depending on the client's configuration.
Access tokens can be configured to expire in as little as five minutes or as long as 24 hours. Refresh tokens can be configured to expire in as little as one hour or as long as ten years. These customizations enable Amazon Cognito customers to balance the security and usability of each application they develop.
This does not seem to be mentioned anywhere in the docs, though. If you have created the client app with a client_secret, you should add the client_secret to the params for it to work.
# Confidential client (app client created with a secret): send the secret
# as a form-body parameter (or as an Authorization: Basic header); it must
# not be placed in the URL query string, where it ends up in logs and history.
curl -X POST 'https://<Cognito User Pool Domain>/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept-Encoding: gzip, deflate' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'code=8a24d2df-07b9-41e1-bb5c-c269e87838df' \
  --data-urlencode 'redirect_uri=http://localhost' \
  --data-urlencode 'client_secret=xcxxxs2r234XXXXXX' \
  --data-urlencode 'client_id=55pb79dl8gm0i1ho9hdrXXXXXX'
Or you need to create the app with "generate client_secret" = false. Also, by default, user pools generate a client secret for your app.
The problem is with the Authorization header.
When using a client without a client secret, the Authorization header is not required.
Example:
# Public client (no secret): no Authorization header, client_id in the
# form body only.
curl -X POST 'https://<Cognito User Pool Domain>/oauth2/token' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept-Encoding: gzip, deflate' \
  --data-urlencode 'grant_type=authorization_code' \
  --data-urlencode 'code=8a24d2df-07b9-41e1-bb5c-c269e87838df' \
  --data-urlencode 'redirect_uri=http://localhost' \
  --data-urlencode 'client_id=55pb79dl8gm0i1ho9hdrXXXXXX' \
  --data-urlencode 'scope=openid email'
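As an added example (this is not code from the question or from either answer above), the following Python helper builds the token-endpoint request both answers describe: for a public app client it puts only client_id in the form body and sends no Authorization header; for a confidential client it sends the secret either as HTTP Basic or as a client_secret body parameter, which are the two methods the quoted docs allow. A lint function flags the request shapes that lead to the "invalid_client" reply, and a small decoder maps the JSON error to a hint. The domain, client id, code and secret values in the test are placeholders; the only network call is in exchange_code, which the rest of the code does not depend on.

```python
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_PATH = "/oauth2/token"


def build_token_request(domain, client_id, code, redirect_uri,
                        client_secret=None, secret_in_body=False):
    """Build (url, headers, body) for the authorization_code exchange.

    Public client (client_secret is None): client_id in the body, no
    Authorization header. Confidential client: secret as HTTP Basic
    (default) or as a client_secret form parameter when secret_in_body
    is True. Nothing sensitive is ever put in the URL query string.
    """
    params = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        if secret_in_body:
            params["client_secret"] = client_secret
        else:
            raw = f"{client_id}:{client_secret}".encode()
            headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    return f"https://{domain}{TOKEN_PATH}", headers, urlencode(params)


def lint_token_request(url, headers, body, has_secret):
    """Return a list of request problems that typically yield invalid_client
    or a rejected exchange; an empty list means the shape looks right."""
    problems = []
    query = parse_qs(urlparse(url).query)
    if "client_secret" in query or "code" in query:
        problems.append("credentials in query string; put them in the form body")
    form = parse_qs(body)
    secret_sent = "client_secret" in form or "Authorization" in headers
    if has_secret and not secret_sent:
        problems.append("app client has a secret but none was sent")
    if not has_secret and "Authorization" in headers:
        problems.append("public client: drop the Authorization header")
    if headers.get("Content-Type") != "application/x-www-form-urlencoded":
        problems.append("Content-Type must be application/x-www-form-urlencoded")
    if form.get("grant_type") != ["authorization_code"]:
        problems.append("grant_type must be authorization_code")
    return problems


def interpret_response(status, text):
    """Turn the token endpoint's JSON reply into an (ok, message) tuple."""
    data = json.loads(text)
    if status == 200 and "access_token" in data:
        return True, "tokens issued"
    err = data.get("error", "unknown")
    # Hints are the usual causes for each Cognito error code.
    hints = {
        "invalid_client": "client_id/secret mismatch, or secret required but not sent",
        "invalid_grant": "authorization code expired or already redeemed",
        "unauthorized_client": "this grant is not enabled for the app client",
    }
    return False, f"{err}: {hints.get(err, 'see the Cognito token endpoint docs')}"


def exchange_code(url, headers, body):
    """POST the request and return (status, response_text). Network call."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers,
                                 method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


if __name__ == "__main__":
    # Placeholder values; replace with your own pool domain, client and code.
    url, hdrs, form = build_token_request("auth.example.com", "<client-id>",
                                          "<code>", "http://localhost")
    for p in lint_token_request(url, hdrs, form, has_secret=False):
        print("problem:", p)
    print(interpret_response(*exchange_code(url, hdrs, form)))
```

Run lint_token_request on the request you are about to send, with has_secret set to whether the app client was created with "generate client secret": a secret-bearing client with neither a Basic header nor a client_secret parameter, or a public client that still sends an Authorization header, are the two mismatches the answers above describe.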