hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Cognito : Terraform created app integration credentials are not working without manual action #34945

Open APurraedleiaeu opened 6 months ago

APurraedleiaeu commented 6 months ago

Terraform Core Version

1.6.2

AWS Provider Version

5.31.0

Affected Resource(s)

App client with client_credential mode

Expected Behavior

Response to curl to get a token should be something like {"access_token":"token","expires_in":3600,"token_type":"Bearer"}

Actual Behavior

But out of the box, after Terraform has run, we get {"error":"invalid_grant"}

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

terraform {
  required_version = "~> 1.6"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.20"
    }
  }
}

locals {
  required_attributes     = ["name", "family_name", "profile", "email"]
  non_required_attributes = ["groups"]
}

resource "aws_cognito_user_pool" "user_pool" {
  name                = "pool"
  username_attributes = ["email"]

  dynamic "schema" {
    for_each = local.required_attributes
    content {
      attribute_data_type      = "String"
      developer_only_attribute = false
      mutable                  = true
      name                     = schema.value
      required                 = true
      string_attribute_constraints {
        max_length = 2048
        min_length = 0
      }
    }
  }
  dynamic "schema" {
    for_each = local.non_required_attributes
    content {
      attribute_data_type      = "String"
      developer_only_attribute = false
      mutable                  = true
      name                     = schema.value
      required                 = false
      string_attribute_constraints {
        max_length = 2048
        min_length = 0
      }
    }
  }
}

resource "aws_cognito_user_pool_client" "client" {
  user_pool_id                 = aws_cognito_user_pool.user_pool.id
  supported_identity_providers = ["COGNITO"]

  name            = "client_name"
  generate_secret = true

  access_token_validity = 1
  explicit_auth_flows   = ["ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_USER_PASSWORD_AUTH"]
  allowed_oauth_scopes  = ["app/api"]
  allowed_oauth_flows   = ["client_credentials"]

  callback_urls = ["http://localhost"]

  depends_on = [
    aws_cognito_resource_server.resource_server_name
  ]
}

resource "aws_cognito_user_pool_domain" "domain" {
  domain       = "domainname"
  user_pool_id = aws_cognito_user_pool.user_pool.id
}

resource "aws_cognito_resource_server" "resource_server_name" {
  identifier   = "app"
  name         = "app"
  user_pool_id = aws_cognito_user_pool.user_pool.id

  # scope takes its arguments directly; there is no nested content block
  scope {
    scope_name        = "api"
    scope_description = "app/api"
  }
}

Steps to Reproduce

Steps to reproduce: resources deployed with Terraform.

Request a token with:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
  --user "${CLIENT_ID}:${CLIENT_SECRET}" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id=${CLIENT_ID}" \
  --data-urlencode "client_secret=${CLIENT_SECRET}" \
  --data-urlencode "scope=app/api" \
  "${TOKEN_ENDPOINT}"

Debug Output

No response

Panic Output

No response

Important Factoids

This issue can be fixed by:

Only then does the curl return a token. A new terraform plan does not show any change to apply after that manual save.

References

No response

Would you like to implement a fix?

None

uhagemann commented 6 months ago

I can confirm this behavior. I tried arbitrary older AWS provider versions (5.23.1, 4.67.0, 4.20.1, 3.76.1), they all behave the same.

antempus commented 2 months ago

Can confirm this is still an issue today, specifically with an invalid_grant response even though the flows are assigned in the console via Hosted UI.

EzzioMoreira commented 3 weeks ago

I am experiencing the same issue. The temporary solution is to edit the Hosted UI settings of the client and click save without changing any options. I will try to create a script to automate this process until the bug is resolved.

It seems that some details of the client configuration are not being correctly applied by Terraform.
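A check to run before resorting to the Hosted UI save, added here as an example that is not part of this issue or of the provider: it reads the JSON returned by `aws cognito-idp describe-user-pool-client` (a constructed sample below, with placeholder identifiers) and lists the reasons a client_credentials request carrying the curl's `scope=` value would be refused. The configuration posted in the issue never sets `allowed_oauth_flows_user_pool_client`, which the provider defaults to false, and that is the first thing the check reports.

```python
import json

# Constructed sample, shaped like `aws cognito-idp describe-user-pool-client`
# output for the app client in this issue: OAuth flow and scopes are set, but
# AllowedOAuthFlowsUserPoolClient was never enabled (the Terraform argument
# allowed_oauth_flows_user_pool_client is absent from the config and defaults
# to false). Identifiers are placeholders, not real values.
SAMPLE_CLIENT = json.loads("""
{
  "UserPoolClient": {
    "ClientId": "EXAMPLE_CLIENT_ID",
    "ClientSecret": "EXAMPLE_CLIENT_SECRET",
    "AllowedOAuthFlows": ["client_credentials"],
    "AllowedOAuthScopes": ["app/api"],
    "AllowedOAuthFlowsUserPoolClient": false,
    "ExplicitAuthFlows": ["ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_USER_SRP_AUTH"]
  }
}
""")


def client_credentials_problems(describe_output, scope_param):
    """Reasons a client_credentials token request would be refused, judged
    from the stored app client configuration. `scope_param` is the value of
    the `scope=` form field (space-separated). An empty list means no
    problem was found in the client settings."""
    client = describe_output["UserPoolClient"]
    problems = []
    if not client.get("AllowedOAuthFlowsUserPoolClient", False):
        problems.append(
            "AllowedOAuthFlowsUserPoolClient is false: OAuth 2.0 is disabled "
            "for this client; set allowed_oauth_flows_user_pool_client = true "
            "(a Hosted UI save in the console enables the same flag)")
    if "client_credentials" not in client.get("AllowedOAuthFlows", []):
        problems.append("client_credentials is not in AllowedOAuthFlows")
    if not client.get("ClientSecret"):
        problems.append("client has no secret; client_credentials needs one")
    allowed = set(client.get("AllowedOAuthScopes", []))
    for scope in scope_param.split():
        if scope not in allowed:
            problems.append(f"requested scope {scope!r} not in AllowedOAuthScopes")
    return problems


if __name__ == "__main__":
    for reason in client_credentials_problems(SAMPLE_CLIENT, "app/api"):
        print("-", reason)
```

Pipe the real `describe-user-pool-client` output into `json.load` in place of the sample to check a deployed client.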