
I am using the Authorization Code grant to create a new Cognito user object, but got invalid_request as the response. I have got the code and state from the redirected URL but cannot get the id, access and refresh tokens to create a Cognito user.

I am getting the code from Cognito successfully in a URL like so:

http://localhost:3000/login-google?code=xxx-xxx-xxx-xxx-xxxxx&state=xxxxxxx

```javascript
import axios from 'axios';

const AUTH_DOMAIN = 'https://xxx.auth.us-east-1.amazoncognito.com';
const grantType = 'authorization_code';
const clientId = 'xxx';
const clientSecret = 'xxxx'; // was terminated with a comma, a syntax error
const redirectUri = `${window.location.origin}/login-google`;

// code and state come from the query string of the redirect URL
const redirectParams = new URLSearchParams(window.location.search);
const code = redirectParams.get('code');
const state = redirectParams.get('state');

axios
  .post(
    `${AUTH_DOMAIN}/oauth2/token`,
    new URLSearchParams({
      grant_type: grantType,
      code: code,
      state: state,
      client_id: clientId,
      redirect_uri: redirectUri
    }),
    {
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        Authorization: getBase64EncodedCredential(clientId, clientSecret)
      }
    }
  )
  .then((response) => {
    // handle success
    console.log(response.data);
  })
  .catch((error) => {
    // handle error
    console.error(error);
  });

// Builds the HTTP Basic credential "client_id:client_secret", base64 encoded
function getBase64EncodedCredential(cognitoAppId, cognitoAppSecret) {
  return 'Basic ' + btoaImplementation(cognitoAppId + ':' + cognitoAppSecret);
}

function btoaImplementation(str) {
  try {
    return btoa(str);
  } catch (err) {
    return Buffer.from(str).toString('base64'); // btoa is not implemented in older Node.js versions
  }
}
```

I have a pre-token Lambda function but I think it does not affect this, since I got the same error when I removed it.

I have looked through this post and this post but could not find a solution.

"aws-amplify": "^5.0.17",
"amazon-cognito-identity-js": "^6.1.2",
"react": "^18.2.0",
irfan

1 Answer


You should add the authorization request you are sending to the question, and also the error response. In axios, also send this header, and avoid sending the client_id in the POST body:

```javascript
'content-type': 'application/x-www-form-urlencoded',
```

If you sent a code_challenge on the authorization request you need to send a code_verifier in the POST request.

Out of interest, this code of mine has some working axios / cognito requests. You should be able to get it working based on that.

Gary Archer
  • Normally I have added ```'content-type': 'application/x-www-form-urlencoded',``` but forgot to add it here. But still the same error. And are you sending client_secret in your request parameters? Cognito says it wants Authorization in the header as encoded. Yet I am getting invalid_request with your implementation. – irfan Apr 28 '23 at 14:17
  • I have been using your implementation but no success, because the token endpoint requires authorization in the header. I could not see this in your code, but you are sending the client secret in the request body. @Gary – irfan May 13 '23 at 09:41
  • You can send the client_id and client_secret in either the authorization header (auth_method=client_secret_basic) or the POST body (auth_method=client_secret_post). You should do one or the other though - not both. Also you should post an example of the full request URL you are using (getAuthorizationRequestUri in my code), since a mismatch, eg in the redirect_uri, might explain the failure. – Gary Archer May 14 '23 at 07:27
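The two client-authentication options discussed in the answer and comments, as an added example that is not part of the original question or answer: a Node helper that validates state on the redirect, then builds the Cognito token request with either client_secret_basic or client_secret_post (never both), adds code_verifier only when PKCE was used, and leaves state out of the token body. The domain and credentials are placeholders, and the code is assumed to run server-side, since a client secret must not be shipped to a browser.

```javascript
// Placeholder domain, not a real Cognito user pool.
const AUTH_DOMAIN = 'https://example-placeholder.auth.us-east-1.amazoncognito.com';

// Extract the code from the redirect URL after checking state against the value
// stored before the authorization request (CSRF protection, RFC 6749 section 10.12).
function parseRedirect(redirectUrl, expectedState) {
  const { searchParams } = new URL(redirectUrl);
  if (searchParams.get('error')) {
    throw new Error(`authorization failed: ${searchParams.get('error')}`);
  }
  if (searchParams.get('state') !== expectedState) throw new Error('state mismatch');
  const code = searchParams.get('code');
  if (!code) throw new Error('no code in redirect');
  return code;
}

// Build the request for the /oauth2/token endpoint.
// authMethod is 'client_secret_basic' (Authorization header) or 'client_secret_post' (form body).
// Returns { url, headers, body } suitable for axios.post(url, body, { headers }).
function buildTokenRequest({ authMethod, clientId, clientSecret, code, redirectUri, codeVerifier }) {
  if (!code || !clientId || !clientSecret) throw new Error('code and client credentials are required');
  const form = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri, // must match the authorization request exactly
  });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };

  if (authMethod === 'client_secret_basic') {
    // RFC 6749 section 2.3.1: base64("client_id:client_secret") in an HTTP Basic header
    const credential = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
    headers.Authorization = `Basic ${credential}`;
  } else if (authMethod === 'client_secret_post') {
    form.set('client_id', clientId);
    form.set('client_secret', clientSecret);
  } else {
    throw new Error(`unsupported auth method: ${authMethod}`);
  }

  // A code_challenge on the authorization request requires the matching verifier here.
  if (codeVerifier) form.set('code_verifier', codeVerifier);

  // state is checked on the redirect (parseRedirect) and is not a token-endpoint parameter.
  return { url: `${AUTH_DOMAIN}/oauth2/token`, headers, body: form.toString() };
}
```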