amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up and sign-in with user profile functionality to web apps.
Apache License 2.0

Authorize client app with secret key #121

Closed. yottachen closed this issue 6 years ago.

yottachen commented 6 years ago

Hi,

Background: I created a user pool in Cognito, and also created two client apps. The first client app was created without generating a secret key. The other client app was created with a secret key.

When I sent a GET request to authorize my first client app, which does not have a secret key: https://mydomain.auth.eu-central-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=XX_FIRST_CLIENT_ID_XX&redirect_uri=https%3A%2F%2Fwww.example.com

It redirects to the login page, which works as I expect.

The Problem: But when I sent a GET request to authorize my second client app, which does have a secret key: https://mydomain.auth.eu-central-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=XX_SECOND_CLIENT_ID_XX&redirect_uri=https%3A%2F%2Fwww.example.com

It redirects to the error page (https://mydomain.auth.eu-central-1.amazoncognito.com/error?error=invalid_request) with a 400 status code.

What I tried: The only difference between the two client apps is the secret key.

Option 1: So I tried adding the secret key as a parameter in the link, i.e. https://mydomain.auth.eu-central-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=XX_SECOND_CLIENT_ID_XX&client_secret=XX_SECRET_KEY_XX&redirect_uri=https%3A%2F%2Fwww.example.com

It raised the same error.

Option 2: I also tried adding client_secret to the Authorization header through HTTP Basic authorization. It also failed.

This document (https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html) does not mention the secret key, so I couldn't find any documentation that says how to do authorization for client apps with a secret key.

Can someone help about it?

Thanks in advance

yottachen commented 6 years ago

Oh, I resolved the problem. The point is that I did not configure the callback URL in the App client settings tab of the AWS Cognito console for the second client.
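The two points this thread makes, that the client secret does not belong on the /oauth2/authorize request and that redirect_uri must exactly match a callback URL configured on the app client, can be checked in code. The following is an added example written for this page, not code from the issue author or from the amazon-cognito-auth-js project. It builds the authorize URL for the hosted UI (rejecting a redirect_uri that is not on the configured callback list, which is what produces the error=invalid_request redirect seen above) and builds the server-side token exchange, where a confidential app client sends client_id:client_secret as HTTP Basic credentials to /oauth2/token. The domain, client id, secret, authorization code and callback list are constructed placeholders; the callback list stands in for whatever is configured in the app client settings.

```javascript
// Added example: Cognito hosted-UI authorization-code flow for an app client that has a secret.
// Not part of the original issue or the amazon-cognito-auth-js project.
// The secret is never placed in the browser-visible /oauth2/authorize URL; it is used only
// server-side, as HTTP Basic credentials on the /oauth2/token request.

// Constructed stand-in for the "Callback URL(s)" configured on the app client in the console.
const CONFIGURED_CALLBACK_URLS = ['https://www.example.com'];

// Build the /oauth2/authorize URL. Throws if redirect_uri is not a configured callback URL,
// because Cognito answers such a request with a redirect to /error?error=invalid_request.
function buildAuthorizeUrl({ domain, clientId, redirectUri, configuredCallbackUrls }) {
  if (!configuredCallbackUrls.includes(redirectUri)) {
    throw new Error(
      `redirect_uri ${redirectUri} is not one of the app client callback URLs; ` +
      'Cognito would respond with error=invalid_request'
    );
  }
  const url = new URL(`https://${domain}/oauth2/authorize`);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri); // URLSearchParams percent-encodes ':' and '/'
  return url.toString();
}

// Guard for the mistake tried as "Option 1" above: a client secret must not appear in the
// authorize URL, which is visible in browser history, referrers and proxy logs.
function authorizeUrlLeaksSecret(authorizeUrl) {
  return new URL(authorizeUrl).searchParams.has('client_secret');
}

// Build the server-side /oauth2/token request that exchanges the code for tokens.
// For an app client with a secret, Cognito expects base64(client_id:client_secret) as
// HTTP Basic credentials and a form-encoded body.
function buildTokenRequest({ domain, clientId, clientSecret, code, redirectUri }) {
  const basic = Buffer.from(`${clientId}:${clientSecret}`, 'utf8').toString('base64');
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: clientId,
    code,
    redirect_uri: redirectUri, // must equal the redirect_uri used on the authorize request
  });
  return {
    method: 'POST',
    url: `https://${domain}/oauth2/token`,
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: `Basic ${basic}`,
    },
    body: body.toString(),
  };
}

// Stand-alone usage with constructed placeholder values.
if (typeof require !== 'undefined' && require.main === module) {
  const params = {
    domain: 'mydomain.auth.eu-central-1.amazoncognito.com',
    clientId: 'XX_SECOND_CLIENT_ID_XX',
    redirectUri: 'https://www.example.com',
    configuredCallbackUrls: CONFIGURED_CALLBACK_URLS,
  };
  const authorizeUrl = buildAuthorizeUrl(params);
  console.log('authorize:', authorizeUrl, 'leaks secret:', authorizeUrlLeaksSecret(authorizeUrl));
  console.log('token request:', buildTokenRequest({ ...params, clientSecret: 'XX_SECRET_KEY_XX', code: 'abc123' }));
}
```

The token request is the only place the secret travels, so it belongs in a backend or a server-rendered callback handler, never in a single-page app; if the code can only run in the browser, use the app client without a secret, as the issue author did for the first client.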