aws / aws-sdk-java

The official AWS SDK for Java 1.x (In Maintenance Mode, End-of-Life on 12/31/2025). The AWS SDK for Java 2.x is available here: https://github.com/aws/aws-sdk-java-v2/
https://aws.amazon.com/sdkforjava
Apache License 2.0
4.13k stars 2.83k forks source link

Create an AppClient via sdk leads to "invalid_grant" #3037

Closed theHPU closed 1 year ago

theHPU commented 1 year ago

Describe the bug

Creating an cognito appClient via the sdk does always lead to "invalid_grant" When creating the same AppClient via AWS console it works Also when creating an appClient via sdk, going to the AWS console and save the Hosted_UI without changing anything it works.

Is this an issue with the sdk or do I miss anything?

Please let me know if you need anything else.

Best regards

Hans Peter

Expected Behavior

Creating an appClient via the sdk leads to the same behaviour as creating an appClient via the AWS console

Current Behavior

Please see the description, there are no errors shown when creating the appClient. It is shown in the AWS-console as expected.

Code for creating the appClient `CreateUserPoolClientResponse response = cognitoClient.createUserPoolClient( CreateUserPoolClientRequest.builder() .clientName(clientName)

          .generateSecret(true)
          .allowedOAuthFlows(CLIENT_CREDENTIALS)
          .allowedOAuthScopes(List.of(
              cognitoConfiguration.getResourceServerIdentifier() + "/"
                  + CONNECTOR_READ.getName(),
              cognitoConfiguration.getResourceServerIdentifier() + "/"
                  + CONNECTOR_WRITE.getName()
          ))
          .userPoolId(cognitoConfiguration.getUserpoolid())
          .build()`

// Logs `09:19:25.783 [http-nio-5000-exec-4] DEBUG s.a.awssdk.auth.signer.Aws4Signer - AWS4 Canonical Request: POST /

amz-sdk-invocation-id:adee7ffa-35e2-4cc5-dd73-b0dd468efecb amz-sdk-request:attempt=1; max=4 content-length:249 content-type:application/x-amz-json-1.1 host:cognito-idp.eu-central-1.amazonaws.com x-amz-date:20231018T071925Z x-amz-target:AWSCognitoIdentityProviderService.CreateUserPoolClient

amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target f282bb34d644b9af317e29d27586339f1ddd9adb0c492f360bd609c0aa0491cd 09:19:25.783 [http-nio-5000-exec-4] DEBUG s.a.awssdk.auth.signer.Aws4Signer - AWS4 String to sign: AWS4-HMAC-SHA256 20231018T071925Z 20231018/eu-central-1/cognito-idp/aws4_request 1c2daedecbf733396a2f5b46015213a55b958f24657c6f989c36c0dc8ea827d9 09:19:25.788 [http-nio-5000-exec-4] DEBUG o.a.h.c.protocol.RequestAddCookies - CookieSpec selected: default 09:19:25.788 [http-nio-5000-exec-4] DEBUG o.a.h.c.protocol.RequestAuthCache - Auth cache not set in the context 09:19:25.789 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://cognito-idp.eu-central-1.amazonaws.com:443][total available: 0; route allocated: 0 of 50; total allocated: 0 of 50] 09:19:25.789 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.PoolingHttpClientConnectionManager - Connection leased: [id: 1][route: {s}->https://cognito-idp.eu-central-1.amazonaws.com:443][total available: 0; route allocated: 1 of 50; total allocated: 1 of 50] 09:19:25.789 [http-nio-5000-exec-4] DEBUG o.a.h.impl.execchain.MainClientExec - Opening connection {s}->https://cognito-idp.eu-central-1.amazonaws.com:443 09:19:25.790 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.DefaultHttpClientConnectionOperator - Connecting to cognito-idp.eu-central-1.amazonaws.com/35.157.15.220:443 09:19:25.790 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - Connecting socket to cognito-idp.eu-central-1.amazonaws.com/35.157.15.220:443 with timeout 2000 09:19:25.816 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - Enabled protocols: [TLSv1.3, TLSv1.2] 09:19:25.816 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - Enabled cipher suites:[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 09:19:25.816 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - socket.getSupportedProtocols(): [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello], socket.getEnabledProtocols(): [TLSv1.3, TLSv1.2] 09:19:25.816 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - Starting handshake 09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - Secure session established 09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - negotiated protocol: TLSv1.2 09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - peer principal: CN=cognito-idp.eu-central-1.amazonaws.com 09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - peer alternative names: [cognito-idp.eu-central-1.amazonaws.com] 09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - issuer principal: CN=Amazon RSA 2048 M02, O=Amazon, C=US 09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.internal.net.SdkSslSocket - created: cognito-idp.eu-central-1.amazonaws.com/35.157.15.220:443 09:19:25.862 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.DefaultHttpClientConnectionOperator - Connection established 10.28.51.130:61784<->35.157.15.220:443 09:19:25.862 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.DefaultManagedHttpClientConnection - http-outgoing-1: set socket timeout to 30000 09:19:25.862 [http-nio-5000-exec-4] DEBUG o.a.h.impl.execchain.MainClientExec - Executing request POST / HTTP/1.1 09:19:25.862 [http-nio-5000-exec-4] DEBUG o.a.h.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> POST / HTTP/1.1 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Host: cognito-idp.eu-central-1.amazonaws.com 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> amz-sdk-invocation-id: adee7ffa-35e2-4cc5-dd73-b0dd468efecb 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> amz-sdk-request: attempt=1; max=4 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Authorization: AWS4-HMAC-SHA256 Credential=***/20231018/eu-central-1/cognito-idp/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target, Signature=3cce797b778431d1132ab59da5f407301df4ff1ff30f36f8d67cd2ca83bd0b33 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Content-Type: application/x-amz-json-1.1 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> User-Agent: aws-sdk-java/2.20.153 Mac_OS_X/13.4.1 OpenJDK_64-Bit_Server_VM/17.0.7+7-LTS Java/17.0.7 vendor/Amazon.com_Inc. io/sync http/Apache cfg/retry-mode/legacy 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> X-Amz-Date: 20231018T071925Z 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> X-Amz-Target: AWSCognitoIdentityProviderService.CreateUserPoolClient 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Content-Length: 249 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Connection: Keep-Alive 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "POST / HTTP/1.1[\r][\n]" 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Host: cognito-idp.eu-central-1.amazonaws.com[\r][\n]" 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "amz-sdk-invocation-id: adee7ffa-35e2-4cc5-dd73-b0dd468efecb[\r][\n]" 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "amz-sdk-request: attempt=1; max=4[\r][\n]" 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Authorization: AWS4-HMAC-SHA256 Credential=****/20231018/eu-central-1/cognito-idp/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target, Signature=3cce797b778431d1132ab59da5f407301df4ff1ff30f36f8d67cd2ca83bd0b33[\r][\n]" 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Content-Type: application/x-amz-json-1.1[\r][\n]" 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "User-Agent: aws-sdk-java/2.20.153 Mac_OS_X/13.4.1 OpenJDK_64-Bit_Server_VM/17.0.7+7-LTS Java/17.0.7 vendor/Amazon.com_Inc. io/sync http/Apache cfg/retry-mode/legacy[\r][\n]" 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "X-Amz-Date: 20231018T071925Z[\r][\n]" 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "X-Amz-Target: AWSCognitoIdentityProviderService.CreateUserPoolClient[\r][\n]" 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Content-Length: 249[\r][\n]" 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Connection: Keep-Alive[\r][\n]" 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "[\r][\n]" 09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "{"UserPoolId":"eu-central-1_urFWgoAiR","ClientName":"1","GenerateSecret":true,"AllowedOAuthFlows":["client_credentials"],"AllowedOAuthScopes":["https://api-personal-1.netural.com/connector.read","https://api-personal-1.netural.com/connector.write"]}" 09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "HTTP/1.1 200 OK[\r][\n]" 09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "Date: Wed, 18 Oct 2023 07:19:25 GMT[\r][\n]" 09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "Content-Type: application/x-amz-json-1.1[\r][\n]" 09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "Content-Length: 616[\r][\n]" 09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "Connection: keep-alive[\r][\n]" 09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "x-amzn-RequestId: 9bf1a572-61fe-4c5c-916b-91ac563ae185[\r][\n]" 09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "[\r][\n]" 09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "{"UserPoolClient":{"AllowedOAuthFlows":["client_credentials"],"AllowedOAuthFlowsUserPoolClient":false,"AllowedOAuthScopes":["https://api-personal-1.netural.com/connector.write","https://api-personal-1.netural.com/connector.read"],"AuthSessionValidity":3,"ClientId":"38ai6vnja84s6vljv726hpd5gg","ClientName":"1","ClientSecret":"1kte21938me28nkdmea8refmekf9nr5qtk6jpfmd3r64q07d4j5o","CreationDate":1.697613565959E9,"EnablePropagateAdditionalUserContextData":false,"EnableTokenRevocation":true,"LastModifiedDate":1.697613565959E9,"RefreshTokenValidity":30,"TokenValidityUnits":{},"UserPoolId":"eu-central-1_urFWgoAiR"}}" 09:19:25.963 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 << HTTP/1.1 200 OK 09:19:25.963 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 << Date: Wed, 18 Oct 2023 07:19:25 GMT 09:19:25.963 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 << Content-Type: application/x-amz-json-1.1 09:19:25.963 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 << Content-Length: 616 09:19:25.963 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 << Connection: keep-alive 09:19:25.963 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 << x-amzn-RequestId: 9bf1a572-61fe-4c5c-916b-91ac563ae185 09:19:25.963 [http-nio-5000-exec-4] DEBUG o.a.h.impl.execchain.MainClientExec - Connection can be kept alive for 60000 MILLISECONDS 09:19:25.963 [http-nio-5000-exec-4] DEBUG software.amazon.awssdk.requestId - Received successful response: 200, Request ID: 9bf1a572-61fe-4c5c-916b-91ac563ae185, Extended Request ID: not available 09:19:25.963 [http-nio-5000-exec-4] DEBUG software.amazon.awssdk.request - Received successful response: 200, Request ID: 9bf1a572-61fe-4c5c-916b-91ac563ae185, Extended Request ID: not available 09:19:25.976 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.PoolingHttpClientConnectionManager - Connection [id: 1][route: {s}->https://cognito-idp.eu-central-1.amazonaws.com:443] can be kept alive for 60.0 seconds 09:19:25.976 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.DefaultManagedHttpClientConnection - http-outgoing-1: set socket timeout to 0 09:19:25.976 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.PoolingHttpClientConnectionManager - Connection released: [id: 1][route: {s}->https://cognito-idp.eu-central-1.amazonaws.com:443][total available: 1; route allocated: 1 of 50; total allocated: 1 of 50] 09:19:25.977 [http-nio-5000-exec-4] INFO c.m.c.i.aws.CognitoAppClientService - User pool 1 created. ID: 38ai6vnja84s6vljv726hpd5gg`

Reproduction Steps

Generate a appClient with the code above. Try to fetch a Token with the given appClientId and appClientSecret

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

2.20.153

JDK version used

Amazon Corretto 17.0.7

Operating System and version

MacOs 13.4.1

theHPU commented 1 year ago

It seems allowedOAuthFlowsUserPoolClient must be set to true in the sdk, this field does not exist in the AWS console and so it works on save. Its not a bug, just hard to understand.

github-actions[bot] commented 1 year ago

COMMENT VISIBILITY WARNING

Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

samliang1 commented 1 year ago

Tim, Thanks for your quick response. Passing the AllowedOAuthFlowsUserPoolClient=True in boto3 worked! Much appreciated !