AWS Cognito + RubyOnRails get user info on the backend. Aws::CognitoIdentityProvider::Errors::NotAuthorizedException

Question

I should integrate cognito + ruby on rails.

My user logined with cognito default login page and redirected with url params to my page.

https://development-my-site.auth.us-west-2.amazoncognito.com/oauth2/authorize?client_id=62i222222222222&redirect_uri=https://c3ffec02.ngrok.io/auth/cognito/callback&response_type=token&scope=email+openid+profile

After redirect I have params

id_token=eyJraWQiOiIyYThzTzY3........
&access_token=eyJraWQiOiJDa0I2NGJsUFJKTWZrNGlV.....
&expires_in=3600
&token_type=Bearer

I should get access_token from url and pass to backend for user verification.

In the backend I use AWS-SDK ```

  def client
    @client ||= Aws::CognitoIdentityProvider::Client.new(region: options.aws_region)
  end

  def get_user_info(params)
    client.get_user(access_token: params['access_token'])
  end

```

But in the result I have error Aws::CognitoIdentityProvider::Errors::NotAuthorizedException (Access Token does not have required scopes):

What I should do for get user info?

score 9 · Accepted Answer · answered Sep 27 '17 at 15:18

You need to add the scope aws.cognito.signin.user.admin to your query:

    https://development-my-site.auth.us-west-2.amazoncognito.com/oauth2/authorize?
client_id=62i222222222222
    &redirect_uri=https://c3ffec02.ngrok.io/auth/cognito/callback
    &response_type=token
    &scope=email+openid+profile+aws.cognito.signin.user.admin

and allow it in the cognito console under Allowed OAuth Scopes

AWS Cognito + RubyOnRails get user info on the backend. Aws::CognitoIdentityProvider::Errors::NotAuthorizedException

1 Answers1