
I am running a working AWS Cognito service on a frontend application which can successfully do the basic stuff - login, logout, signup, etc.

Right now I am trying to get user attributes through the backend API, such that:

1) The user logs in to the application and gets a JWT.

2) The JWT is sent to the backend server.

3) The server has to extract the email of the user by using the access token.

The closest thing that I found to what I need is this Cognito service.

So I am making a GET request to "https://mydomain.auth.eu-central-1.amazoncognito.com/oauth2/userInfo" with the Authorization header as they ask for, but I keep getting this response:

{ "error": "invalid_token", "error_description": "Access token does not contain openid scope" }

I have tried searching for this error but couldn't find any explanation about the error.

Thanks in advance

Erez Shlomo

5 Answers

Erez, are you using a custom UI? Because the custom UI uses flows that are completely separated from the OAuth2 ones (USER_SRP_AUTH, USER_PASSWORD_AUTH). Tokens that are released with these flows are not OpenID Connect compliant (basically they don't contain the openid scope), so you cannot use them to gather user info (since the userinfo endpoint is OpenID Connect compliant and needs to be invoked with JWTs compliant with the OIDC standard). We're also struggling with that, I'm sorry.

Reste85
  • We wrote to AWS support and they gave us a script that basically performs the OAuth2 authorization code flow via script. So at the time of my previous write (April 18), this was a known issue and the only workaround to obtain an OpenID token was to perform the authorization code flow in a "hidden" style. For our use cases and our needs we decided to switch to another IAM. – Reste85 Sep 25 '19 at 07:21
  • Sorry but I can't. It was a matter of following the authorization code flow via script, parsing the HTML returned by the various responses. I'm sorry – Reste85 Feb 03 '20 at 19:30

I had this exact problem and it was my fault. I was sending the id_token instead of access_token property of the token.
I program in PHP, so I was sending as header "Authorization: Bearer ".$token->id_token instead of "Authorization: Bearer ".$token->access_token. Now it works.

Hope it helps you or someone.

barbsan
strgtasa
  • I had all 3 tokens when I was playing with it today via REST calls and had the same issue. Reading this made me double check, and I was doing the same mistake :) – curiousengineer May 28 '19 at 04:30

I am still experiencing the same issue. My problem relies on programmatic use of the signIn service (not Hosted UI via federated login) in the Amplify framework. After a lot of googling, I have discovered that this is because "openid" is not included in the scope of the token. Only "aws.cognito.signin.user.admin" is included.

You can find a reference here; the thread is still open: https://github.com/aws-amplify/amplify-js/issues/3732

This solution seems to be fine for me: How to verify JWT from AWS Cognito in the API backend?

Elmatsidis Paul

If I understand correctly, you are successfully getting the #id_token sent to your front end from Cognito (steps 1-3). You can enable scopes on the #id_token by selecting the following options in your Cognito Pool App Client Settings:


KiteCoder

I had a similar issue and I spent a couple of hours finding a solution. The access token you received from Cognito in your frontend application needs to be sent to your backend, then decoded and verified. Here is good documentation from AWS: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
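Both failure modes discussed in this thread (sending the id_token instead of the access_token, and an access token issued by a non-OAuth2 flow that carries only aws.cognito.signin.user.admin rather than openid) are visible in the token's own claims. The following Python is an added example, not code from the question or any answer: a backend-side pre-check that inspects the token_use and scope claims to explain why /oauth2/userInfo would reject a token. It deliberately does not verify the signature; the sample tokens and their claims are constructed here for illustration, and a real backend must still validate the signature against the user pool's JWKS as the AWS documentation linked above describes before trusting any claim.

```python
import base64
import json

# Scope the Cognito userInfo endpoint requires on the *access* token.
REQUIRED_SCOPE = "openid"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Use only to explain a rejection; never make authorization decisions on
    these claims until the signature has been checked against the pool JWKS."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_userinfo_token(jwt: str) -> str:
    """Classify why /oauth2/userInfo would reject this token; "ok" if usable."""
    claims = decode_claims(jwt)
    token_use = claims.get("token_use")
    if token_use == "id":
        return "id_token sent instead of access_token"
    if token_use != "access":
        return f"unexpected token_use: {token_use!r}"
    scopes = claims.get("scope", "").split()
    if REQUIRED_SCOPE not in scopes:
        return f"access token lacks {REQUIRED_SCOPE} scope (has {scopes})"
    return "ok"


def _make_unsigned_token(claims: dict) -> str:
    # Constructed sample token with a dummy signature, for local testing only.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": "dummy"}), enc(claims), "sig"])


# Constructed tokens mirroring the three cases seen in the question and answers.
SAMPLE_ID_TOKEN = _make_unsigned_token({"token_use": "id", "email": "user@example.com"})
SAMPLE_SRP_ACCESS_TOKEN = _make_unsigned_token(
    {"token_use": "access", "scope": "aws.cognito.signin.user.admin"})
SAMPLE_OIDC_ACCESS_TOKEN = _make_unsigned_token(
    {"token_use": "access", "scope": "openid email profile"})
```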