aws-samples / aws-netcore-aspnetmvc-amazon-cognito-authentication-authorization-samples

Code Samples using .NET and AWS Services: This sample application explores how you can quickly build Role Based Access Controls (RBAC) and Fine Grained Access Controls (FGAC) using Amazon Cognito UserPools and Amazon Cognito Groups for authenticating and authorizing users in an ASP.NET MVC web application built using .NET Core.
MIT No Attribution
11 stars, 9 forks

OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'error_description is null', error_uri: 'error_uri is null'. #1

Open markpendlebury opened 2 years ago

markpendlebury commented 2 years ago

Following your sample, I get the above-mentioned error after entering my username/password into the Cognito login page.

I've re-created the pool and app client numerous times in case I missed something, but I keep hitting the same error. Is there maybe something missing from your sample?

The full exception I'm getting is:

System.Exception: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_client', error_description: 'error_description is null', error_uri: 'error_uri is null'.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

As a side note, the callback URL you use is incorrect (as far as I know); the correct callback URL should be: https://localhost:5001/signin-oidc

ddowningms commented 2 years ago

@markpendlebury I'm getting a similar error and haven't been able to make further progress. Were you ever able to resolve this?

[image]

markpendlebury commented 2 years ago

The error you're getting, similar to mine, indicates you are missing a (or are submitting an incorrect) client_id. In the context of the readme in this repo there are a number of missing pieces.

Here's what I did:

services.AddOpenIdConnect(options =>
{
    // Sign-in: all four values must be non-empty. The "!" only silences the
    // nullable warning; it does not check that the environment variable is set.
    options.ResponseType = Environment.GetEnvironmentVariable("ResponseType")!;
    options.MetadataAddress = Environment.GetEnvironmentVariable("MetadataAddress")!;
    options.ClientId = Environment.GetEnvironmentVariable("ClientId")!;
    options.ClientSecret = Environment.GetEnvironmentVariable("ClientSecret")!;
    // Sign-out: the handler that builds the Cognito logout redirect
    options.Events = new OpenIdConnectEvents()
    {
        OnRedirectToIdentityProviderForSignOut = OnRedirectToIdentityProviderForSignOut
    };
});

Where

"ResponseType"="code"
"MetadataAddress"="https://cognito-idp.${AWS_COGNITO_REGION}.amazonaws.com/${AWS_COGNITO_USER_POOL_ID}/.well-known/openid-configuration"
"ClientId"="${AWS_COGNITO_CLIENT_ID}"
"ClientSecret"="${AWS_COGNITO_CLIENT_SECRET}"

For clarity, your Cognito user pool details (ID and region) can be found via the console by navigating to Amazon Cognito --> User Pools --> Your Pool; they are in the top header titled User pool ID (region included).

As for the Client ID and Secret, they can be found by navigating from the above pool page and then selecting the "App Integration" tab; the last panel contains a list of your "App Client Names". On this page you will see "Client ID" and "Show client secret" in the top panel.

Additionally, on the App Client page, under "Hosted UI", make sure you have the correct "Allowed Callback URLs". For me I used the following patterns:

Callback URLs:

Allowed Sign-out URLs:

Hope this helps
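A complete Program.cs that puts the pieces above together, including the sign-out redirect that the sample's OnRedirectToIdentityProviderForSignOut handler is responsible for. This is an added example, not code from the aws-samples repository or from the commenters. It assumes .NET 6+ minimal hosting with implicit usings, a "Cognito" configuration section (the key names, the Require helper and the hosted-UI Domain value are assumptions made here), and it reads the client secret optionally because only app clients created with a secret have one. If ClientId is empty or ClientSecret does not match the app client, Cognito's token endpoint answers the code redemption with 'invalid_client', which is the exception at the top of this issue.

```csharp
// Program.cs (ASP.NET Core 6+ minimal hosting). Added example; names are illustrative.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration keys (appsettings.json, user secrets or Cognito__* env vars):
//   Cognito:Region       = "us-east-1"
//   Cognito:UserPoolId   = "us-east-1_XXXXXXXXX"
//   Cognito:ClientId     = "<app client id>"
//   Cognito:ClientSecret = "<app client secret>"   (only if the app client has one)
//   Cognito:Domain       = "https://my-domain.auth.us-east-1.amazoncognito.com"
var cognito = builder.Configuration.GetSection("Cognito");

// Fail at startup instead of at the token endpoint when a required value is missing.
string Require(string key) =>
    cognito[key] ?? throw new InvalidOperationException(
        $"Missing configuration value Cognito:{key}");

var region = Require("Region");
var userPoolId = Require("UserPoolId");
var clientId = Require("ClientId");
var clientSecret = cognito["ClientSecret"];   // null when the app client has no secret
var hostedUiDomain = Require("Domain").TrimEnd('/');
var issuer = $"https://cognito-idp.{region}.amazonaws.com/{userPoolId}";

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Discovery document of the user pool (same URL pattern as the MetadataAddress above).
        options.MetadataAddress = $"{issuer}/.well-known/openid-configuration";
        options.ClientId = clientId;
        options.ClientSecret = clientSecret;
        options.ResponseType = OpenIdConnectResponseType.Code;   // authorization-code flow
        options.CallbackPath = "/signin-oidc";                    // must be an Allowed callback URL
        options.SaveTokens = false;                               // keep raw tokens out of the cookie
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("email");

        // Pin the issuer and map Cognito claims so [Authorize(Roles = "...")]
        // checks Cognito group membership (the RBAC use case of this sample).
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = issuer,
            NameClaimType = "cognito:username",
            RoleClaimType = "cognito:groups",
        };

        options.Events = new OpenIdConnectEvents
        {
            // Cognito's discovery document does not advertise an end_session_endpoint,
            // so the handler cannot build a standard RP-initiated logout redirect.
            // Send the browser to the hosted-UI /logout endpoint instead; logout_uri
            // must be listed under "Allowed sign-out URLs" on the app client.
            OnRedirectToIdentityProviderForSignOut = context =>
            {
                var logoutUri = $"{context.Request.Scheme}://{context.Request.Host}/";
                var url = $"{hostedUiDomain}/logout?client_id={Uri.EscapeDataString(clientId)}" +
                          $"&logout_uri={Uri.EscapeDataString(logoutUri)}";
                context.Response.Redirect(url);
                context.HandleResponse();   // stop the handler from issuing its own redirect
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddControllersWithViews();
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();
```

Two practical checks when this still fails with 'invalid_client': confirm the app client actually has a secret if you are sending one (and has none if you are not), and confirm the value came from the configuration source you think it did, since a `!` on a missing environment variable silently yields an empty ClientId.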

ddowningms commented 1 year ago

@markpendlebury, thank you for the detailed reply. I was able to get the login part of the sample working correctly.

I am however not able to get the logout functionality working as the sample is currently coded. I'm getting the following; any idea what I'm doing wrong? Do I need to modify the sample to get it working?

[image]

xtianrivas commented 1 year ago

I had the same problem, but it was something simpler:

I suppose the AWS account data is not being read from appsettings.json because Program.cs is not pointing to it correctly. In my case it said:

            .ConfigureAppConfiguration((hostingContext, config) =>
            {
                config.AddJsonFile(
                    "appsettings.local.json",
                    optional: true,
                    reloadOnChange: true);
            });

when it should be:

            .ConfigureAppConfiguration((hostingContext, config) =>
            {
                config.AddJsonFile(
                    "launchSettings.json",
                    optional: true,
                    reloadOnChange: true);
            });

as it was in Properties\launchSettings.json in the project. With that, the project starts correctly.