Trouble getting access to API Gateway with Cognito UserPool

0

Currently I am confused about accessing the API Gateway with a Cognito UserPool. In my mind I have to get an access token from Cognito to get access to the API Gateway. For this I use:

curl -X POST -H "content-type: application/x-www-form-urlencoded" --data grant_type=client_credentials --data Authorization="Basic mybase64" --data client_id=<cognito clientid> --data scope=openid https://<myurl>auth.eu-central-1.amazoncognito.com/oauth2/token

Also tried

curl -X POST -H "content-type: application/x-www-form-urlencoded" -H "Authorization=Basic mybase64" --data grant_type=client_credentials  --data client_id=<ognito clientid> --data scope=openid https://<myurl>.auth.eu-central-1.amazoncognito.com/oauth2/token

But whatever I try, I get {"error":"invalid_client"} back. What is the working curl method to get the Bearer token for API access?

2 Answers
1

You can use the following curl command to exchange an authorization code for tokens:

curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic <your_base_64>" \
  --data "grant_type=client_credentials&client_id=<cognito_client_id>&scope=openid" \
  "https://<your_domain>.auth.eu-central-1.amazoncognito.com/oauth2/token"

Replace the placeholders with your actual values. For more details, you can refer to the Cognito Token Endpoint.

Expected result:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token":"eyJra1example",
  "token_type":"Bearer",
  "expires_in":3600
}
Expert
answered 2 months ago
AWS Expert
reviewed 2 months ago
  • For me, I still get the error {"error":"invalid_client"}. I rechecked all the data again. Like the base64 string: this is the user inside the user pool, login and password; this is confirmed. The Cognito URL is good and the Cognito client_id is the one I can find on the App client page under Client ID (above Client secret).

0

For me, I still get the error {"error":"invalid_client"}. I rechecked all the data again. Like the base64 string: this is the user inside the user pool, login and password; this is confirmed. The Cognito URL is good and the Cognito client_id is the one I can find on the App client page under Client ID (above Client secret).

After some reading I tried to use for Authorization: Basic <your_base_64> the "clientid:clientsecret" from the Cognito client (base64); now I get an {"error":"invalid_grant"}.

Sorry, but I read that an "Expert" has approved the above answer, but nothing works in my tryouts. Isn't there a clear, understandable and working sample somewhere in the AWS world?

Ognif
answered 2 months ago
  • Hey Ognif, the Authorization header should be in the format Basic base64(client_id:client_secret). Try to store the variable in an environment variable and then run the command, for example:

    CLIENT_ID="<your_client_id>"
    CLIENT_SECRET="<your_client_secret>"
    COGNITO_DOMAIN="<your_cognito_domain>"
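    # printf avoids echo -n portability issues; tr strips the line wrap GNU base64 adds after 76 characters
    BASE64_AUTH=$(printf '%s' "$CLIENT_ID:$CLIENT_SECRET" | base64 | tr -d '\n')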
    
    curl -X POST \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -H "Authorization: Basic $BASE64_AUTH" \
      --data "grant_type=client_credentials&client_id=$CLIENT_ID&scope=openid" \
      "https://$COGNITO_DOMAIN.auth.eu-central-1.amazoncognito.com/oauth2/token"

    Make sure you have the correct grant_type: grant_type=client_credentials
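
A pre-flight check for the Authorization header discussed in this thread, as an added example that is not part of any post above: it builds the Basic value from the app client id and secret on a single line and flags the header forms that appear in the question before anything is sent. The function names, return codes and sample credentials are constructed for illustration; `base64 -d` assumes GNU coreutils or a recent macOS.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and return codes are
# hypothetical; any credentials passed in tests or demos are constructed.

# Value for the header "Authorization: Basic <value>", built from the app
# client id and app client secret (not a user pool user's login/password).
basic_auth_value() {
    # tr removes the line wrap GNU base64 inserts after 76 output characters
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Pre-flight check of a full header line against the expected app client id.
# Return codes:
#   0 ok
#   1 not of the form "Authorization: Basic <value>"
#   2 whitespace or a line break inside the value
#   3 value is empty or not valid base64
#   4 decoded value has no "id:secret" form
#   5 id part is not the expected app client id
check_auth_header() {
    header=$1
    expected_id=$2
    case $header in
        "Authorization: Basic "*) value=${header#"Authorization: Basic "} ;;
        *) return 1 ;;   # e.g. "Authorization=Basic ..." or a --data field
    esac
    case $value in
        "") return 3 ;;
        *[[:space:]]*) return 2 ;;
    esac
    decoded=$(printf '%s' "$value" | base64 -d 2>/dev/null) || return 3
    case $decoded in
        *:*) ;;
        *) return 4 ;;
    esac
    # Everything before the first colon must be the app client id
    [ "${decoded%%:*}" = "$expected_id" ] || return 5
    return 0
}
```

Return code 5 is the case where the encoded pair is a user's login and password rather than the app client's id and secret.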
