Trouble getting access to API Gateway with Cognito UserPool

0

Currently I am confused about accessing the API Gateway with a Cognito UserPool. In my mind I have to get an access token from Cognito to get access to the API Gateway. For this I use:

curl -X POST -H "content-type: application/x-www-form-urlencoded" --data grant_type=client_credentials --data Authorization="Basic mybase64" --data client_id=<cognito clientid> --data scope=openid https://<myurl>auth.eu-central-1.amazoncognito.com/oauth2/token

Also tried

curl -X POST -H "content-type: application/x-www-form-urlencoded" -H "Authorization=Basic mybase64" --data grant_type=client_credentials  --data client_id=<ognito clientid> --data scope=openid https://<myurl>.auth.eu-central-1.amazoncognito.com/oauth2/token

But whatever I try, I get {"error":"invalid_client"} back. What is a working curl method to get the Bearer token for API access?

2 Answers
1

You can use the following curl command to exchange an authorization code for tokens:

curl -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Authorization: Basic <your_base_64>" \
  --data "grant_type=client_credentials&client_id=<cognito_client_id>&scope=openid" \
  "https://<your_domain>.auth.eu-central-1.amazoncognito.com/oauth2/token"

Replace the placeholders with your actual values. For more details, you can refer to the Cognito Token Endpoint.

Expected result:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token":"eyJra1example",
  "token_type":"Bearer",
  "expires_in":3600
}
Expert
answered 2 months ago
AWS
Expert
reviewed 2 months ago
  • For me, I still get the error {"error":"invalid_client"}. I rechecked all the data again, like the base64 string. This is the user inside the user pool, login and password; this is confirmed. The Cognito URL is good and the Cognito client_id is the one I can find on the App client page under Client ID (above Client secret).

0

For me, I still get the error {"error":"invalid_client"}. I rechecked all the data again, like the base64 string. This is the user inside the user pool, login and password; this is confirmed. The Cognito URL is good and the Cognito client_id is the one I can find on the App client page under Client ID (above Client secret).

After some reading, I tried to use the "clientid:clientsecret" from the Cognito client (base64) for Authorization: Basic <your_base_64>; now I get {"error":"invalid_grant"}.

Sorry, but I read that an "Expert" has approved the above answer, but nothing works in my tryouts. Isn't there a clear, understandable and working sample somewhere in the AWS world?

Ognif
answered 2 months ago
  • Hey Ognif, the Authorization header should be in the format Basic base64(client_id:client_secret). Try to store the variable in an environment variable and then run the command, for example:

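    CLIENT_ID="<your_client_id>"
    CLIENT_SECRET="<your_client_secret>"
    COGNITO_DOMAIN="<your_cognito_domain>"
    # printf avoids a stray trailing newline; tr removes the line wrap
    # that GNU base64 inserts after 76 output characters.
    BASE64_AUTH=$(printf '%s' "$CLIENT_ID:$CLIENT_SECRET" | base64 | tr -d '\n')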
    
    curl -X POST \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -H "Authorization: Basic $BASE64_AUTH" \
      --data "grant_type=client_credentials&client_id=$CLIENT_ID&scope=openid" \
      "https://$COGNITO_DOMAIN.auth.eu-central-1.amazoncognito.com/oauth2/token"

    Make sure you have the correct grant_type: grant_type=client_credentials
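
The script below is an added example, not part of the thread and not AWS code: it builds the Basic value in the format the comment above describes (base64 of client_id:client_secret, on one line) and diagnoses the header mistakes visible in the question before any request is sent. CLIENT_ID and CLIENT_SECRET are constructed sample values, and basic_auth and check_auth_header are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Constructed sample values, not real credentials.
CLIENT_ID="exampleclientid1234567890"
CLIENT_SECRET="example-secret-long-enough-to-make-base64-wrap-0123456789abcdef"

# Encode client_id:client_secret for HTTP Basic auth as a single line.
basic_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Check a full header line against the expected client id.
# Prints a verdict and returns non-zero on the first problem found.
check_auth_header() {
  local header client_id value decoded
  header="$1"; client_id="$2"
  case "$header" in
    "Authorization: Basic "*) value="${header#"Authorization: Basic "}" ;;
    *) echo "malformed: expected 'Authorization: Basic <base64>'"; return 1 ;;
  esac
  # A wrapped or padded value contains characters outside the base64 alphabet.
  case "$value" in
    *[!A-Za-z0-9+/=]*)
      echo "malformed: whitespace or non-base64 characters in value"; return 1 ;;
  esac
  decoded=$(printf '%s' "$value" | base64 --decode 2>/dev/null) || {
    echo "malformed: value is not valid base64"; return 1; }
  # The decoded text must be the app client id, a colon, then a secret.
  case "$decoded" in
    "$client_id":?*) echo "ok" ;;
    *) echo "mismatch: decoded value is not <client_id>:<client_secret>"; return 1 ;;
  esac
}

# Build the header and verify it; pass it to curl with -H "$header".
header="Authorization: Basic $(basic_auth "$CLIENT_ID" "$CLIENT_SECRET")"
check_auth_header "$header" "$CLIENT_ID"
```
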
