TOKEN endpoint returns invalid_client without client secret

I am having difficulty with the authorization code flow in Amazon Cognito. The workflow that I am trying to build is the following:

  1. A user authenticates with the built-in Cognito UI.
  2. Cognito redirects back with the authorization code.
  3. I send the code to server where it's exchanged for tokens using /oauth2/token endpoint.

I have created a client without client secret. I authenticate using the Cognito UI, get back the code, then send the following with Postman:

URL: https://MY-DOMAIN/oauth2/token
Method: POST
Headers: 
Content-Type: application/x-www-form-urlencoded
Body:
  grant_type=authorization_code&
  client_id=<my-client-id>&
  code=<code-from-cognito-ui>&
  redirect_uri=<my-redirect-url>

I do not use Authorization since there's no client secret.

In return I receive:

Code: 400
Body: { "error": "invalid_client" }

The app client is allowed authorization code grant in the AWS Cognito console.

Anton Baranenko asked Feb 07 '19 16:02




2 Answers

This does not seem to be mentioned anywhere in the docs, though: if you have created the client app with a client_secret, you should add the client_secret to the params for it to work.

curl -X POST 'https://<Cognito User Pool Domain>/oauth2/token' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code' \
  -d 'code=8a24d2df-07b9-41e1-bb5c-c269e87838df' \
  --data-urlencode 'redirect_uri=http://localhost' \
  -d 'client_secret=xcxxxs2r234XXXXXX' \
  -d 'client_id=55pb79dl8gm0i1ho9hdrXXXXXX'

Or you need to create the app with "generate client_secret" = false. Also, by default, user pools generate a client secret for your app.

YasirAzgar answered Sep 21 '22 10:09


The problem is with the Authorization header.

When using a client without a client secret, the Authorization header is not required.

Example:

curl -X POST 'https://<Cognito User Pool Domain>/oauth2/token' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=authorization_code' \
  -d 'code=8a24d2df-07b9-41e1-bb5c-c269e87838df' \
  --data-urlencode 'redirect_uri=http://localhost' \
  -d 'client_id=55pb79dl8gm0i1ho9hdrXXXXXX' \
  -d 'scope=openid+email'

Ashish Kumar answered Sep 17 '22 10:09
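Both answers above show the same token exchange from opposite sides (with and without a client secret). The following Python script is an added example, not code from the question or either answer: it builds the POST /oauth2/token request for Amazon Cognito's authorization-code grant for either client type and maps the error codes back to the likely configuration cause. For a confidential client it places the secret in the HTTP Basic Authorization header, which is the form AWS documents (the first answer passes it as a body parameter instead); for a public client it sends client_id in the body and no Authorization header at all, as the second answer describes. The optional code_verifier parameter is Cognito's PKCE verifier, included here as an assumption about how a public client would normally be run. The domain, client id, code and secret values are constructed placeholders.

```python
# Added example (not from the question or either answer): builds the
# POST /oauth2/token request for Amazon Cognito's authorization-code grant
# for both client types, and interprets the "invalid_client" error.
# All identifiers below are constructed placeholders; replace them with your own.
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional


def build_token_request(domain: str, client_id: str, code: str, redirect_uri: str,
                        client_secret: Optional[str] = None,
                        code_verifier: Optional[str] = None) -> dict:
    """Return {'url', 'headers', 'body'} for the token exchange.

    Public client (no secret): client_id goes in the form body and there is
    no Authorization header. Confidential client: the secret goes in an HTTP
    Basic header, base64 of "client_id:client_secret", so client_id is not
    repeated in the body. Parameters always go in the body, never the URL.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the /oauth2/authorize value exactly
    }
    if code_verifier:
        # PKCE verifier (assumed usage): only meaningful if the authorize
        # request carried the matching code_challenge.
        form["code_verifier"] = code_verifier
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret:
        creds = f"{client_id}:{client_secret}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    else:
        form["client_id"] = client_id
    return {
        "url": f"https://{domain}/oauth2/token",
        "headers": headers,
        "body": urllib.parse.urlencode(form),
    }


def exchange_code(request: dict) -> dict:
    """POST the built request and return the parsed JSON body (tokens or error)."""
    req = urllib.request.Request(request["url"], data=request["body"].encode(),
                                 headers=request["headers"], method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        # Cognito returns 400 with a JSON {"error": "..."} body on failure.
        return json.loads(e.read())


def diagnose(response: dict, has_secret: bool) -> str:
    """Map Cognito's token-endpoint error codes to the most likely cause."""
    err = response.get("error")
    if err is None:
        return "ok"
    if err == "invalid_client":
        if has_secret:
            return "client credentials rejected: check the Basic header and that the app client belongs to this user pool"
        return "app client probably has a generated secret: send it, or recreate the client with 'generate client secret' off"
    if err == "invalid_grant":
        return "code expired, already used, or redirect_uri differs from the one used at /oauth2/authorize"
    return f"unhandled error: {err}"


if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent unless you run this yourself.
    req = build_token_request("my-domain.auth.us-east-1.amazoncognito.com",
                              "55pb79dl8gm0i1ho9hdrXXXXXX",
                              "8a24d2df-07b9-41e1-bb5c-c269e87838df",
                              "http://localhost")
    print(req["headers"], req["body"])
    # print(diagnose(exchange_code(req), has_secret=False))
```

The public-client request deliberately carries no Authorization header, which is exactly the shape the question sent; if Cognito still answers invalid_client for that shape, the diagnosis branch points at the other cause the first answer names, a client that was created with a generated secret.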