amazon-archives / amazon-cognito-auth-js

The Amazon Cognito Auth SDK for JavaScript simplifies adding sign-up, sign-in with user profile functionality to web apps.
Apache License 2.0

Authorize Code Grant didn't work with Invalid_Client exception #206

Open asengupta28 opened 4 years ago

asengupta28 commented 4 years ago

I tried the same steps advised by "yuntuowang" on Dec 8, 2017 (below) with AWS inherent ID provision and federated identity with Facebook and Google. All failed with the {"error":"invalid_client"} exception.

create an app client without a client secret in the Cognito User Pool, and enable Google as an identity provider and enable the code grant flow

Go to the hosted UI (/oauth2/authorize?response_type=code&client_id=****&redirect_uri=https://www.amazon.com), and click "log in with Google"; I get redirected to the Amazon website. In the callback URL, I get the code.

Go to Postman. [***** This part I fired with curl on the Windows command prompt; the full command below (the header is given as "Content-Type: ..." because curl expects a colon, not "=", between header name and value):] curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=authorization_code&client_id=&code=&redirect_uri=" https://.auth.us-east-1.amazoncognito.com/oauth2/token

make a post request: URL is: /oauth2/token Header: [{"key":"Content-Type","value":"application/x-www-form-urlencoded"}]

Body: remember to select x-www-form-urlencoded: and put the following, [{"key":"grant_type","value":"authorization_code"},{"key":"client_id","value":""},{"key":"redirect_uri","value":"https://www.amazon.com"},{"key":"code","value":""}] Then click send request, you will get id_token, access_token and refresh_token.

asengupta28 commented 4 years ago

Quite astonishingly, I read other forums and came to know of recent problems with AWS Cognito. So I changed my region from east-1 to west-2 and repeated all steps: create a Cognito User Pool with federated sign-in from Google, create an API and add Cognito Auth to it. Then the problem was altogether different:

{"message":"Authorization header requires 'Credential' parameter. Authorization header requires 'Signature' parameter. Authorization header requires 'SignedHeaders' parameter. Authorization header requires existence of either a 'X-Amz-Date' or a 'Date' header. Authorization=eyJraWQiOiJWeG9IU...............................

lakshmisivareddy commented 4 years ago

Hi, I am also facing the same error: {"error":"invalid_client"}. The application is trying to get the token. Request URL: https://<!domain!>.auth.us-east-2.amazoncognito.com/oauth2/token with the headers below: grant_type: authorization_code client_id: <!cliecntid!> redirect_uri: http://localhost:4200/devices code: 8ae65c60-ebd7-41e4-b742-009356327c10

My understanding is that the response status code was 400. Request Method: POST Status Code: 400 Bad Request

From the AWS documentation I identified that the app is not setting client_secret as part of its request: "invalid_client: Client authentication failed. For example, when the client includes client_id and client_secret in the authorization header, but there's no such client with that client_id and client_secret."

If I set client_secret in Postman I am able to get the tokens. How do I set the client secret in CognitoAuth code?

iamgbayer commented 4 years ago

@lakshmisivareddy I have the same problem with invalid_client, did you solve this?

azadbolour commented 4 years ago

I am also getting invalid_client and don't know why.

I have gotten this error immediately after an attempted login, and also just before an attempted login. I think the fact that I got to the hosted signin screen in my first attempt at login is evidence that my client id is valid. After that first attempt, however, I keep getting this error before reaching the signin screen. See below for details.

My app uses the sample code provided in "OAuth and Hosted UI" part of the documentation (but for a lower-level component than App):

https://aws-amplify.github.io/docs/js/authentication#oauth-and-federation-overview

I am just doing basic hosted authentication (no federation yet), and I am testing from localhost:3000.

Any ideas how to troubleshoot this issue?

Many thanks.

Azad

log messages from my code:

auth response - data.payload: {"event":"signIn_failure","data":{},"message":"The OAuth response flow failed"} main.chunk.js:2327

auth response - data.payload: {"event":"cognitoHostedUI_failure","data":{},"message":"A failure occurred when returning to the Cognito Hosted UI"} main.chunk.js:2327

auth response - data.payload: {"event":"customState_failure","data":{},"message":"A failure occurred when returning state"}

the error report:

[ERROR] 29:44.206 OAuth - Error handling auth response. Error: invalid_client at OAuth. (:3000/static/js/0.chunk.js:9055) at step (:3000/static/js/0.chunk.js:8896) at Object.next (:3000/static/js/0.chunk.js:8827) at fulfilled (:3000/static/js/0.chunk.js:8781)

console. @ index.js:1375 r @ backend.js:6 ConsoleLogger._log @ ConsoleLogger.js:114 ConsoleLogger.error @ ConsoleLogger.js:185 (anonymous) @ OAuth.js:422 step @ OAuth.js:152 (anonymous) @ OAuth.js:83 rejected @ OAuth.js:45 Promise.then (async)
step @ OAuth.js:52 (anonymous) @ OAuth.js:55 push../node_modules/@aws-amplify/auth/lib-esm/OAuth/OAuth.js.awaiter @ OAuth.js:34 OAuth.handleAuthResponse @ OAuth.js:358 (anonymous) @ Auth.js:2244 step @ Auth.js:138 (anonymous) @ Auth.js:69 (anonymous) @ Auth.js:41 push../node_modules/@aws-amplify/auth/lib-esm/Auth.js.__awaiter @ Auth.js:20 AuthClass._handleAuthResponse @ Auth.js:2208 (anonymous) @ Auth.js:319 (anonymous) @ urlListener.js:17 AuthClass.configure @ Auth.js:316 (anonymous) @ Amplify.js:29 Amplify.configure @ Amplify.js:28 ./src/App.js @ App.js:20 webpack_require @ bootstrap:785 fn @ bootstrap:150 ./src/index.js @ GameState.js:22 webpack_require @ bootstrap:785 fn @ bootstrap:150 0 @ UrlUtil.js:89 webpack_require__ @ bootstrap:785 checkDeferredModules @ bootstrap:45 webpackJsonpCallback @ bootstrap:32 (anonymous)

brady-vitrano commented 4 years ago

For those that are using Cognito and PKCE flow for single-page apps, you will need to create a user pool app client without a secret id.

birgert commented 4 years ago

@brady-vitrano Thanks for the tip.

I wanted to use AWS Cognito with a manual Amplify Auth configuration in my React front end. I ran into the same issue when using my previously created app client for my authentication pool. Adding a new app client and unchecking the "Generate secret key" checkbox did the trick.

I have to say the whole journey has been a bit problematic so far. I first attempted with actually configuring amplify within my react project and creating an authentication pool through the amplify command line, but that just led to several other issues and bugs on the amplify command line and being unable to edit certain settings in the pool through AWS console as well as command line.

I hope the "simple" solution with manual Auth config in the React frontend will finally work.

ddisqq commented 4 years ago

In agreement here with @birgert. The Amplify CLI is disconnected from state within Amplify Console. A bug is definitely present in editing Cognito pools as well as removing the redirect URIs. Unable to edit on either side and have it appropriately sync. Some things need setup in the CLI and others in the Console. Given the difficulties I'm having with Amplify Auth, I am resigning and going a different route. I think Amplify may be good for API Gateway, Lambda, DynamoDB and other backend capabilities, but its Auth isn't ready from what I have tested.

slatemates commented 4 years ago

Keep getting a similar error. Sometimes it gets resolved by creating totally new credentials in the Google console or setting up an altogether new Cognito pool. Please rectify, as this issue is a blocker for us.