python-social-auth / social-app-django

Python Social Auth - Application - Django
BSD 3-Clause "New" or "Revised" License

AWS Cognito - Invalid scope error on authentication request #538

Closed benshaji-sequoiaat closed 5 months ago

benshaji-sequoiaat commented 5 months ago

Expected behaviour

I have an AWS Cognito user pool with a few users where I can log in with email and password. Upon successful sign-in, it redirects to the URL given as callback with the authorization code in a URL param.

Actual behaviour

I've done the setup on social-app-django as per the docs. When I go to http://localhost:8000/auth/login/cognito , my Cognito hosted UI comes up, but the URL bar has the URL: https://myclientapp.auth.ap-south-1.amazoncognito.com/error?error=invalid_scope&client_id=3dkqled389888888888888tni5gtj7 . The request's response is error: invalid_scope. I've added the below config in Settings:

SOCIAL_AUTH_COGNITO_KEY = "3dkqxxxxxxxxxxxxxgpvi9tj7"
SOCIAL_AUTH_COGNITO_SECRET = "gt4oxxxxxxxxxxxxxxxxxxxxxxxxx2eaui7pjks1ju4"
SOCIAL_AUTH_COGNITO_POOL_DOMAIN = "https://myclientapp.auth.auth.ap-south-1.amazoncognito.com"
SOCIAL_AUTH_COGNITO_AUTHORIZATION_URL = (
    "https://myclientapp.auth.auth.ap-south-1.amazoncognito.com/oauth2/authorize"
)
SOCIAL_AUTH_COGNITO_ACCESS_TOKEN_URL = (
    "https://myclientapp.auth.auth.ap-south-1.amazoncognito.com/oauth2/token"
)

# Use the complete endpoint for the Cognito backend
SOCIAL_AUTH_COGNITO_COMPLETE_URL_NAME = "social:complete"
SOCIAL_AUTH_COGNITO_SCOPE = ["email", "openid"]
SOCIAL_AUTH_COGNITO_ID_TOKEN_NAME = "id_token"
SOCIAL_AUTH_COGNITO_EXTRA_DATA = [("id_token", "id_token")]

Any logs, error output, etc?

No logs; backend logs while the above happens:

[15/Jan/2024 13:54:36] "GET /auth/login/cognito/ HTTP/1.1" 302 0

Any other comments?

Cognito is doing its job, because I did the following:

If the above are done, we'll see the Cognito hosted UI sign-in page; once logged in, we get redirected to the Postman ID with tokens.


Okay, now that we know Cognito auth works and there are no issues there, I've changed the callback URL back to http://localhost:8000/auth/complete/cognito/ again. Our error remains the same: "invalid_scope". In Cognito, the scopes are email, openid.

Final question/suggestion: What should I look into for troubleshooting? Any recommended steps?

Thanks for reading, Ben
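As an added troubleshooting aid (not code from the issue or from social-app-django): Cognito answers `invalid_scope` when the authorize request asks for a scope the app client does not have enabled, or asks for `email`/`phone`/`profile` without `openid`. The check below compares the `SOCIAL_AUTH_COGNITO_*` settings against the app client's allowed-scope list and verifies that the two OAuth endpoints share the pool domain's host; the settings dict, client id and `allowed_scopes` list are constructed placeholders, and `authorize_request` builds a standard OAuth 2.0 authorization-code request for comparison with the URL seen in the browser, not the exact query social-core emits.

```python
from urllib.parse import urlencode, urlparse

# Constructed settings shaped like the SOCIAL_AUTH_COGNITO_* values in the issue
# (placeholder client id, not a real credential).
SETTINGS = {
    "SOCIAL_AUTH_COGNITO_KEY": "example-client-id",
    "SOCIAL_AUTH_COGNITO_POOL_DOMAIN": "https://myclientapp.auth.ap-south-1.amazoncognito.com",
    "SOCIAL_AUTH_COGNITO_AUTHORIZATION_URL": "https://myclientapp.auth.ap-south-1.amazoncognito.com/oauth2/authorize",
    "SOCIAL_AUTH_COGNITO_ACCESS_TOKEN_URL": "https://myclientapp.auth.ap-south-1.amazoncognito.com/oauth2/token",
    "SOCIAL_AUTH_COGNITO_SCOPE": ["email", "openid"],
}

# Cognito only grants these scopes when "openid" is requested alongside them.
OPENID_DEPENDENT = {"email", "phone", "profile"}


def check_cognito_config(settings, allowed_scopes):
    """Return findings that would explain an invalid_scope response (empty = consistent).

    allowed_scopes is the app client's "Allowed OAuth scopes" list as shown in the
    Cognito console (or AllowedOAuthScopes from describe-user-pool-client).
    """
    findings = []
    requested = set(settings.get("SOCIAL_AUTH_COGNITO_SCOPE", []))
    not_allowed = sorted(requested - set(allowed_scopes))
    if not_allowed:
        findings.append(f"requested scopes not enabled on the app client: {not_allowed}")
    if requested & OPENID_DEPENDENT and "openid" not in requested:
        findings.append("email/phone/profile scopes require openid to be requested as well")
    pool_host = urlparse(settings["SOCIAL_AUTH_COGNITO_POOL_DOMAIN"]).netloc
    for key in ("SOCIAL_AUTH_COGNITO_AUTHORIZATION_URL", "SOCIAL_AUTH_COGNITO_ACCESS_TOKEN_URL"):
        if urlparse(settings[key]).netloc != pool_host:
            findings.append(f"{key} host differs from SOCIAL_AUTH_COGNITO_POOL_DOMAIN host")
    return findings


def authorize_request(settings, redirect_uri, state):
    """Standard OAuth 2.0 authorization-code request built from the settings."""
    params = {
        "response_type": "code",
        "client_id": settings["SOCIAL_AUTH_COGNITO_KEY"],
        "redirect_uri": redirect_uri,
        "scope": " ".join(settings["SOCIAL_AUTH_COGNITO_SCOPE"]),
        "state": state,
    }
    return settings["SOCIAL_AUTH_COGNITO_AUTHORIZATION_URL"] + "?" + urlencode(params)


if __name__ == "__main__":
    print(check_cognito_config(SETTINGS, ["openid"]))  # app client missing "email"
    print(authorize_request(SETTINGS, "http://localhost:8000/auth/complete/cognito/", "s"))
```

Compare the `scope=` value in the generated URL with the one in the browser's address bar and with the app client's allowed scopes; a scope present in the request but absent from the client is the usual cause of this error.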

benshaji-sequoiaat commented 5 months ago

This issue is fixed for me: