Closed yottachen closed 6 years ago
Hi,
Background
I created a user pool in Cognito, and also created two client apps. The first client app was created without generating a secret key. The other client app was created with a secret key.
When I sent a GET request to authorize my first client app, which does not have a secret key:
https://mydomain.auth.eu-central-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=XX_FIRST_CLIENT_ID_XX&redirect_uri=https%3A%2F%2Fwww.example.com
It redirects to the login page, which works as I expect.
The Problem
But when I sent a GET request to authorize my second client app, which does have a secret key:
https://mydomain.auth.eu-central-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=XX_SECOND_CLIENT_ID_XX&redirect_uri=https%3A%2F%2Fwww.example.com
It redirects to the error page (https://mydomain.auth.eu-central-1.amazoncognito.com/error?error=invalid_request) with a 400 code.
What I tried
The only difference between the two client apps is the secret key.
Option 1> So I tried to add the secret key as a parameter in the link, i.e.
https://mydomain.auth.eu-central-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=XX_SECOND_CLIENT_ID_XX&client_secret=XX_SECRET_KEY_XX&redirect_uri=https%3A%2F%2Fwww.example.com
It raised the same error.
Option 2> I also tried to add client_secret in the authorization header through Basic HTTP authorization. It also failed.
This document (https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html) does not mention the secret key, so I couldn't find any document that says how to do authorization for client apps with a secret key.
Can someone help with it?
Thanks in advance
Oh, I resolved the problem. The point is that I did not configure the callback URL in the app client settings tab in the AWS Cognito console for the second client.
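The root cause found above can be checked before a request is ever sent. The following is an added example, not code from the thread or from AWS: `check_authorize_request` is a hypothetical helper that compares an authorize URL with an app client's settings, passed in as a dict using the `UserPoolClient` field names `ClientId`, `CallbackURLs` and `AllowedOAuthFlows`. It assumes the callback must match a registered URL exactly, and it also flags the Option 1 attempt, on the assumption that a client secret belongs in the back-channel token request and not in a browser URL. All sample values are constructed from the thread's placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# response_type value -> entry expected in the app client's AllowedOAuthFlows
FLOW_FOR_RESPONSE_TYPE = {"code": "code", "token": "implicit"}

def check_authorize_request(url, app_client):
    """Return (code, detail) findings for a /oauth2/authorize URL.

    app_client: dict with the UserPoolClient fields ClientId, CallbackURLs
    and AllowedOAuthFlows (assumed to have been fetched by the caller).
    """
    query = parse_qs(urlsplit(url).query)  # values come back percent-decoded

    def first(name):
        return query.get(name, [None])[0]

    findings = []
    if first("client_id") != app_client.get("ClientId"):
        findings.append(("client_id_mismatch", "URL targets a different app client"))
    redirect_uri = first("redirect_uri")
    callbacks = app_client.get("CallbackURLs") or []
    # Assumption: exact string match is required; also true if the parameter is absent.
    if redirect_uri not in callbacks:
        findings.append(("callback_not_registered",
                         "%r is not in CallbackURLs %r" % (redirect_uri, callbacks)))
    flow = FLOW_FOR_RESPONSE_TYPE.get(first("response_type"))
    if flow not in (app_client.get("AllowedOAuthFlows") or []):
        findings.append(("flow_not_enabled",
                         "response_type=%r is not enabled" % first("response_type")))
    if "client_secret" in query:
        # URLs end up in browser history, proxy logs and Referer headers.
        findings.append(("secret_in_url", "client_secret exposed in query string"))
    return findings

# Constructed sample data using the placeholders from the thread.
BASE = "https://mydomain.auth.eu-central-1.amazoncognito.com/oauth2/authorize"
TAIL = "&redirect_uri=https%3A%2F%2Fwww.example.com"
FIRST_CLIENT = {"ClientId": "XX_FIRST_CLIENT_ID_XX",
                "CallbackURLs": ["https://www.example.com"],
                "AllowedOAuthFlows": ["code"]}
SECOND_CLIENT = {"ClientId": "XX_SECOND_CLIENT_ID_XX",
                 "CallbackURLs": [],  # the misconfiguration from the thread
                 "AllowedOAuthFlows": ["code"]}
FIRST_URL = BASE + "?response_type=code&client_id=XX_FIRST_CLIENT_ID_XX" + TAIL
OPTION_1_URL = (BASE + "?response_type=code&client_id=XX_SECOND_CLIENT_ID_XX"
                "&client_secret=XX_SECRET_KEY_XX" + TAIL)

if __name__ == "__main__":
    for code, detail in check_authorize_request(OPTION_1_URL, SECOND_CLIENT):
        print(code, "-", detail)
```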