getting 400 Bad Request - access token

Question

Hello,

the topic is Exchanging Client Credentials for an Access Token

I keep failing with 400 Bad Request, was trying various things in the request structure, doesn't help. Not sure where is the problem in the syntax.

Two examples:


POST /oauth2/token HTTP/1.1
Host: coloman-test.auth.eu-central-1.amazoncognito.com
Authorization: Basic Nm43azF0Njc4bXRyazJ2NTBxNzI4dnJ2ZXQ6dmRtYjZhcmRlZDJuajZtdDg4Y2V1bmY1MXNsdXZnaXRobnZnZDk0MTI4NXFsNDF0a2xz
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&
scope=cdrs/producer.all

this at least returned {"error":"invalid_request"} in the response and also the request_id: x-amz-cognito-request-id: 16aa5385-bd05-4cce-8950-0fa4742d9745

When I try the same syntax like in the documentation:

POST https://coloman-test.auth.eu-central-1.amazoncognito.com/oauth2/token >

Content-Type='application/x-www-form-urlencoded'&

Authorization=Basic Nm43azF0Njc4bXRyazJ2NTBxNzI4dnJ2ZXQ6dmRtYjZhcmRlZDJuajZtdDg4Y2V1bmY1MXNsdXZnaXRobnZnZDk0MTI4NXFsNDF0a2xz

grant_type=client_credentials&
scope=cdrs/producer.all

then, I just receive the body without the header containing the request_id:

<head><title>400 Bad Request</title></head> <body> <center><h1>400 Bad Request</h1></center> </body> </html>

Can someone help, please?

Regards,

Igor

400 Bad Request

Can someone help, please? Regards, Igor

Answer

Hello Igor, thank you for reaching out!
It seems like you’re getting a 400 Bad Request when trying to exchange Client Credentials for an Access Token using Amazon Cognito. 
From the documention, you have this part:

grant_type=client_credentials&
scope=cdrs/producer.all

But, I have noticed you are getting the separator “/” replaced by “%2F” in your Postam raw data:

grant_type=client_credentials&scope=cdrs%2Fproducer.all

In fact, the “/” is a separator in your case and since every byte as to be correct for socket communication (as you mentionned), the issue is getting the correct syntax i.e., the “/” as a separator. With URL encoding, the “%2F” becomes an ordinary character that simply represents "/" character in element of your url, not a separator. To solve this, you would need to use a parameter for your scope value (i.e., scope = x and x = "cdrs/producer.all"), and then explicitly tell the browser not to decode it.

Another thing to review is your app configuration when exchanging your authorization code for token. You are missing the client_id and the code as well as the redirect_uri. Here a sample from the documention that will help you solve that:

POST https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token&
                            Content-Type='application/x-www-form-urlencoded'&
                            Authorization=Basic ZGpjOTh1M2ppZWRtaTI4M2V1OTI4OmFiY2RlZjAxMjM0NTY3ODkw
                            
                            grant_type=authorization_code&
                            client_id=1example23456789&
                            code=AUTHORIZATION_CODE&
                            redirect_uri=com.myclientapp://myclient/redirect

You can find more details here: https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

Here is another relevant documentation: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html

Please feel free to reach out if you need any help or further assistance !

getting 400 Bad Request - access token

Relevanter Inhalt