Trouble getting access to API Gateway with Cognito UserPool

0

Currently I am confused about accessing the API Gateway with a Cognito UserPool. In my mind I have to get an access token from Cognito to get access to the API Gateway. For this I use:

curl -X POST -H "content-type: application/x-www-form-urlencoded" --data grant_type=client_credentials --data Authorization="Basic mybase64" --data client_id=<cognito clientid> --data scope=openid https://<myurl>auth.eu-central-1.amazoncognito.com/oauth2/token

Also tried

curl -X POST -H "content-type: application/x-www-form-urlencoded" -H "Authorization=Basic mybase64" --data grant_type=client_credentials  --data client_id=<cognito clientid> --data scope=openid https://<myurl>.auth.eu-central-1.amazoncognito.com/oauth2/token

But whatever I tried, I get {"error":"invalid_client"} back. What is a working curl command to get the Bearer token for API access?

2 Answers
1

You can use the following curl command to exchange an authorization code for tokens:

curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic <your_base_64>" \
  --data "grant_type=client_credentials&client_id=<cognito_client_id>&scope=openid" \
  "https://<your_domain>.auth.eu-central-1.amazoncognito.com/oauth2/token"

Replace the placeholders with your actual values. For more details, you can refer to the Cognito Token Endpoint.

Expected result:

HTTP/1.1 200 OK
Content-Type: application/json

{
"access_token":"eyJra1example",
"token_type":"Bearer",
"expires_in":3600
}
EXPERT
answered 2 months ago
AWS
EXPERT
reviewed 2 months ago
0

For me I still get the error {"error":"invalid_client"}. I rechecked all the data again, like the base64 string; this is the user inside the user pool, login and password, this is confirmed. The Cognito URL is good and the Cognito client_id is the one I can find on the App client page under Client ID (above Client Secret).

After some reading I tried to use for Authorization: Basic <your_base_64> the "clientid:clientsecret" from the Cognito client (base64); now I get {"error":"invalid_grant"}.

Sorry, but I read that an "Expert" has approved the above answer, but nothing works in my tryouts. Isn't there a clear, understandable and working sample somewhere in the AWS world?

Ognif
answered 2 months ago
  • Hey Ognif, the Authorization header should be in the format Basic base64(client_id:client_secret). Try storing the values in environment variables and then run the command, for example:

    CLIENT_ID="<your_client_id>"
    CLIENT_SECRET="<your_client_secret>"
    COGNITO_DOMAIN="<your_cognito_domain>"
    # base64 on GNU coreutils wraps its output after 76 characters; the header value must be a single line
    BASE64_AUTH=$(echo -n "$CLIENT_ID:$CLIENT_SECRET" | base64 | tr -d '\n')
    
    curl -X POST \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -H "Authorization: Basic $BASE64_AUTH" \
      --data "grant_type=client_credentials&client_id=$CLIENT_ID&scope=openid" \
      "https://$COGNITO_DOMAIN.auth.eu-central-1.amazoncognito.com/oauth2/token"

    Make sure you have the correct grant_type: grant_type=client_credentials
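Putting the two answers together, as an added example that is not from this thread or from AWS: a small Python script that builds the Basic header without any line wrapping, requests a client_credentials token from the /oauth2/token endpoint, and reads the returned JWT's claims to confirm it is an access token for the expected app client before it is sent to API Gateway as a Bearer token. Domain, region, client id/secret and the api/read scope are placeholders, and sample_token() is a constructed, unsigned token for offline use.

```python
"""Added helpers for the Cognito client_credentials flow discussed in this thread."""
import base64
import json
import urllib.parse
import urllib.request


def basic_auth_header(client_id: str, client_secret: str) -> str:
    # RFC 7617 credential: base64(client_id:client_secret) on a single line.
    # Python's b64encode never wraps, unlike GNU `base64` which wraps after 76 chars.
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"Basic {token}"


def fetch_access_token(domain, region, client_id, client_secret, scope):
    """POST to the Cognito /oauth2/token endpoint (network call, not run by the test)."""
    url = f"https://{domain}.auth.{region}.amazoncognito.com/oauth2/token"
    form = {"grant_type": "client_credentials", "client_id": client_id, "scope": scope}
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)  # {"access_token": ..., "token_type": "Bearer", "expires_in": ...}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def access_token_claims(jwt: str, expected_client_id: str) -> dict:
    """Read the JWT payload without verifying the signature (the API Gateway authorizer
    does that) and confirm it is an access token issued to our own app client."""
    _header, payload, _signature = jwt.split(".")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("token_use") != "access":
        raise ValueError(f"expected token_use=access, got {claims.get('token_use')!r}")
    if claims.get("client_id") != expected_client_id:
        raise ValueError("token was issued to a different app client")
    return claims


def sample_token(client_id: str) -> str:
    """Constructed, unsigned token for offline demonstration; not a real Cognito token."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"token_use": "access", "client_id": client_id, "scope": "api/read", "exp": 1700000000}
    return ".".join([enc({"alg": "RS256", "kid": "example"}), enc(payload), "signature"])
```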
