OAUTH Password Grant Type with Cognito

Hi,

I understand that you're trying to use client credentials grant type, but you're facing the {"error":"invalid_scope"} error message while trying to make the request to fetch the access_token.

Details on how to use client credentials grant type are outlined in the documentation below:

1. https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/

The client credentials grant is intended to provide credentials to an application in order to authorize machine-to-machine requests and please note that in order to use the client credentials grant, the corresponding user pool app client must have an associated app client secret.

The app makes a POST request to https://AUTH_DOMAIN/oauth2/token, with the following parameters:

grant_type – Set to “client_credentials” for this grant type. client_id – The ID for the desired user pool app client. scope – A space-separated list of scopes to request for the generated access token.

The POST request is made to the token endpoint as you are already aware:

2. TOKEN endpoint - https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
3. https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint

The AUTH_DOMAIN represents the user pool’s configured domain. And so, if you are using a custom domain for the user pool ensure to hit the token endpoint "https://AUTH_DOMAIN/oauth2/token" using "/oauth2/token" to gets the user's tokens.

In order to indicate that the app is authorized to make the request, the Authorization header for this request is set as “Basic BASE64(CLIENT_ID:CLIENT_SECRET)“, where BASE64(CLIENT_ID:CLIENT_SECRET) is the base64 representation of the app client ID and app client secret, concatenated with a colon.

Here's a sample request to exchange client credentials for an access token:

                       POST https://AUTH_DOMAIN/oauth2/token >
                       Content-Type='application/x-www-form-urlencoded'&
                       Authorization=Basic aSdxdexample3456uedj
                       
                       grant_type=client_credentials&
                       scope={resourceServerIdentifier1}/{scope1} {resourceServerIdentifier2}/{scope2}

You will need to include the "scope" which can be a combination of any custom scopes associated with a client. "Any scope requested must be pre-associated with the client or it will be ignored at runtime. If the client doesn't request any scopes, the authentication server uses all custom scopes associated with the client." (Reference document 2)

Please refer to the following documentation for more information on managing resource servers and custom scopes:

4. Defining resource servers for your user pool - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html

The access token will contain claims about the authenticated user, a list of the user's groups, and a list of scopes. You can use the access token to grant your user access to add, change, or delete user attributes.

5. Using the access token - Access token payload - https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html#user-pool-access-token-payload

The GetUser call should be able to pull up user attributes using the access token. Similarly, the UpdateUserAttributes call allows a user to update a specific attribute, one at a time.

6. GetUser - https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html
7. UpdateUserAttributes - https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html

Let us know if you need any information further!