
I got this issue while trying to fetch user attributes from AWS Cognito.

I can't tell how it can be an "Invalid Token", because I have copied and pasted it, and I have also made sure that it's the accessToken, not the idToken or anything else.

There are some other similar questions on this site but they don't address my issue:

"Access token does not contain openid scope" in AWS Cognito

Access token does not have the openid scope

Update: here is my app client config:

(screenshot of the app client settings; image not included)

Lê Quang Bảo

2 Answers


OK, I got your details.

Short answer: you must use OAuth2 Cognito authentication instead of the default Cognito authentication API in the SDK.

Let me explain why you get this error: you're using Cognito authentication, so Cognito returns to you an "access token" that does not contain the "openid" scope. You can paste the token here to check: https://jwt.io/#encoded-jwt.

You have to use OAuth2 authentication to get an "access token" that contains "openid". To do that, you have to use the Hosted UI or the AUTHORIZATION endpoint to get the "access token".

You can try the Hosted UI by accessing this link (please edit your domain, response_type, client_id and redirect_uri): https://tsunami.auth.us-east-2.amazoncognito.com/login?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_SIGNIN_URL

You can use the AUTHORIZATION endpoint: https://tsunami.auth.us-east-2.amazoncognito.com/oauth2/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_SIGNIN_URL&identity_provider=COGNITO and it will redirect to the Hosted UI.

Phan Việt
  • I got a `redirect_mismatch` error using the Authorization Endpoint. Here is my URL: https://tsunami.auth.us-east-2.amazoncognito.com/oauth2/authorize?response_type=code&client_id=jb6hkb09vv90b48bbpe85p11t&redirect_uri=http://localhost:4200/pages/dashboard&identity_provider=COGNITO – Lê Quang Bảo Jan 09 '20 at 04:47
  • @LêQuangBảo As your screenshots show, the CLIENT ID should be "522j...", not "jb6hkb09vv90b48bbpe85p11t", so the redirect URI "http://localhost:4200/pages/dashboard" doesn't match. Please check that the URL you built matches the App Client Settings. – Phan Việt Jan 09 '20 at 04:52
  • I am using a custom UI instead of the Hosted UI, and the Auth API from AWS Amplify. The returned access token doesn't have the openid scope. Is it fixable, or is this the desired behaviour when we are not using the Hosted UI? – Kunal Valecha Dec 04 '20 at 15:24
  • It seems it's still not fixed: https://github.com/aws-amplify/aws-sdk-android/issues/684 – Andreas Dec 07 '21 at 05:37

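The check this answer describes (paste the token into jwt.io and look at its `scope` claim) can be done locally before every call to `/oauth2/userInfo`. Below is an added example in Node.js; it is not code from the question or from this answer. It decodes a Cognito JWT payload, confirms it is the access token (`token_use` of `access`) rather than the ID token, and confirms the `scope` claim contains `openid`. The three sample tokens are constructed and unsigned, built to look like what the SDK's InitiateAuth flow, the Hosted UI code flow, and the ID token carry; `CLIENT_ID` and the `sub` values are placeholders. The payload is decoded without verifying the signature, which is fine for diagnosing this error but must never be used to make an authorization decision.

```javascript
// Added example (not from the original question or answers).
// Inspect a Cognito JWT locally before sending it to the userInfo endpoint
// (GET https://<domain>/oauth2/userInfo with "Authorization: Bearer <access token>").
// That endpoint needs the *access* token (token_use === "access") and its
// "scope" claim must include "openid". Tokens minted by the SDK's InitiateAuth
// flow carry only "aws.cognito.signin.user.admin"; tokens obtained through the
// Hosted UI / /oauth2/authorize carry the scopes that were requested there.
//
// NOTE: this only decodes the payload for diagnosis. It does NOT verify the
// signature, so never use it for an authorization decision; verify the RS256
// signature against the user pool's JWKS for that.

function decodeJwtPayload(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    throw new Error('not a compact JWS: expected header.payload.signature');
  }
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Returns a diagnosis object instead of throwing, so a caller can log every
// problem at once (wrong token type AND missing scope, for example).
function checkUserInfoToken(token, now = Date.now()) {
  const claims = decodeJwtPayload(token);
  const scopes = typeof claims.scope === 'string' ? claims.scope.split(' ').filter(Boolean) : [];
  const problems = [];
  if (claims.token_use !== 'access') {
    problems.push(`token_use is "${claims.token_use}", but userInfo needs the access token`);
  }
  if (!scopes.includes('openid')) {
    problems.push('scope claim lacks "openid" (token was not issued through /oauth2/authorize or the Hosted UI)');
  }
  if (typeof claims.exp === 'number' && claims.exp * 1000 <= now) {
    problems.push('token is expired');
  }
  return { ok: problems.length === 0, tokenUse: claims.token_use, scopes, problems };
}

// --- Constructed sample tokens (unsigned, for this example only) ----------
// Real Cognito tokens carry an RS256 signature; these use a dummy third
// segment so the structure matches what decodeJwtPayload expects.
function fakeJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'RS256', kid: 'example-kid' })}.${enc(payload)}.c2ln`;
}

const FAR_FUTURE = 4102444800; // 2100-01-01T00:00:00Z, keeps the samples unexpired

// Shape of what amazon-cognito-identity-js / InitiateAuth hands back: no openid.
const SDK_ACCESS_TOKEN = fakeJwt({
  sub: 'example-sub', token_use: 'access', client_id: 'CLIENT_ID',
  scope: 'aws.cognito.signin.user.admin', exp: FAR_FUTURE,
});

// Shape of a Hosted UI / /oauth2/authorize access token when
// scope=openid profile email was requested and allowed on the app client.
const HOSTED_UI_ACCESS_TOKEN = fakeJwt({
  sub: 'example-sub', token_use: 'access', client_id: 'CLIENT_ID',
  scope: 'aws.cognito.signin.user.admin openid profile email', exp: FAR_FUTURE,
});

// The ID token: identity claims, no scope claim, wrong token_use for userInfo.
const ID_TOKEN = fakeJwt({
  sub: 'example-sub', token_use: 'id', aud: 'CLIENT_ID',
  email: 'user@example.com', exp: FAR_FUTURE,
});

for (const [name, token] of Object.entries({ SDK_ACCESS_TOKEN, HOSTED_UI_ACCESS_TOKEN, ID_TOKEN })) {
  console.log(name, checkUserInfoToken(token));
}
```

Run it with `node` and the SDK-style token reports the missing `openid` scope, the ID token reports the wrong `token_use`, and only the Hosted UI token passes. The same function applied to a real token pasted from the failing request tells you which of the two mistakes you are making before you touch the app client settings.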

Getting user info is an OpenID Connect feature and requires the openid scope in the token.

I suspect the problem originates from not specifying this scope when you authenticated and got the token.

Usually you configure scopes such as these when authenticating:

  • openid profile email

You also provide these in the OAuth client trust entry configured in Cognito:

  • The profile scope enables you to get the user name from the user info endpoint
  • The email scope enables you to get the email from the user info endpoint

See step 9 of my write-up for an example.

Gary Archer
  • It also depends on the library you are using to get a token. From a previous post I seem to remember that some of the AWS-specific libraries do not allow you to specify scopes when authenticating. If so, I would ditch them and move to a standards-based library. – Gary Archer Jan 08 '20 at 19:26
  • I am getting the token with `amazon-cognito-identity-js`; how can I specify a scope in my authenticate request? – Lê Quang Bảo Jan 09 '20 at 04:10
  • @LêQuangBảo Use the Hosted UI or the AUTHORIZATION endpoint for OAuth2 and request scopes with the Cognito User Pool as provider. – Phan Việt Jan 09 '20 at 04:36