bad request in authorization code flow

0

All, I am about to build a web app and am trying to secure it using Cognito. I am about to exchange the authorization code for an access token but get a bad request/400 error: "invalid_request" all the time in the browser, although it works in Postman. Both localhost and the actual web server fail.
My request in Angular looks like this:

```typescript
myFunctionB() {
  // Read the authorization code returned on the redirect
  let url_paras = new URLSearchParams(window.location.search);
  let code = url_paras.get("code");
  console.log(code);
  let url = "https://XXXX_mydomain_XXXX.auth.eu-central-1.amazoncognito.com/oauth2/token";
  let headers = {
    "Content-Type": "application/x-www-form-urlencoded"
  };
  // Token request parameters, passed to HttpClient as a plain object
  let body = {
    "client_id": "XXXX_myclientid_XXXX",
    "grant_type": "authorization_code",
    "code": code,
    "redirect_uri": "https://XXXX_mywebsite_XXXX/"
  };

  const promise = this.httpClient.post<any>(url, body, { headers }).toPromise();

  promise.then((data: any) => {
    console.log(data);
  }).catch((error) => {
    console.log(error);
  });
}
```

The client is set up without a client secret, and I am using the very same redirect URL in the client setup as I did for the redirect_uri parameter.
Both end with a / but I also tried to have everything without the ending /.
Is there any way to further troubleshoot what might cause the problem?

Edited by: siebenstein on Dec 27, 2020 2:26 AM

asked 3 years ago · 1115 views
2 Answers
0

I found out by myself. Looks like the HTTP client is handling the requests slightly differently. Rather than passing parameters in the body you need to append them to the URL using ?para1=value1&para2=value2...

Seems to me like Postman somehow handles it differently when passing the "application/x-www-form-urlencoded" header.

answered 3 years ago
0

Glad you found it, but I believe you should make this request through an AWS resource, let's say a web server contained in an EC2. I'll reference the docs about retrieving your tokens: "The /oauth2/token endpoint only supports HTTPS POST. Your app makes requests to this endpoint directly, not through the user's browser."

answered a year ago
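The body-encoding difference discussed in this thread, as an added example that is not part of the original posts: Angular's HttpClient serializes a plain object body as JSON even when the Content-Type header says `application/x-www-form-urlencoded`, so a form parser on the token endpoint finds none of the required fields. The function names, the `example-domain` host and the sample values are assumptions constructed for illustration.

```javascript
// Added example. Placeholder domain; substitute your own Cognito domain.
const TOKEN_URL =
  "https://example-domain.auth.eu-central-1.amazoncognito.com/oauth2/token";
const REQUIRED = ["grant_type", "client_id", "code", "redirect_uri"];

// Build the authorization code grant request for a client without a secret,
// with the body serialized as key=value&key=value to match the header.
function buildTokenRequest({ clientId, code, redirectUri }) {
  if (!code) throw new Error("no authorization code in the redirect");
  const form = new URLSearchParams({
    grant_type: "authorization_code",
    client_id: clientId,
    code,
    redirect_uri: redirectUri, // must equal the URI registered on the client
  });
  return {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: form.toString(),
  };
}

// Troubleshooting helper: parse a request body the way a form-urlencoded
// parser would and report which required fields it cannot find.
function missingFormFields(body) {
  const parsed = new URLSearchParams(body);
  return REQUIRED.filter((name) => !parsed.get(name));
}

// Send the request; fetchImpl is injectable so the call can run from a
// backend and be tested without network access.
async function exchangeCode(params, fetchImpl = fetch) {
  const res = await fetchImpl(TOKEN_URL, buildTokenRequest(params));
  const data = await res.json();
  if (!res.ok) throw new Error(`token endpoint: ${res.status} ${data.error}`);
  return data;
}

// Constructed sample values, not real credentials.
const sample = {
  clientId: "constructed-client-id",
  code: "constructed-code",
  redirectUri: "https://app.example.com/",
};
console.log(missingFormFields(JSON.stringify(sample)));            // JSON body
console.log(missingFormFields(buildTokenRequest(sample).body));    // form body
```

Comparing the body shown in the browser's network tab with the one Postman sends, using `missingFormFields` on each, shows whether the 400 comes from the encoding rather than from the code or redirect URI.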
