python-social-auth/social-app-django

AWS Cognito - Invalid scope error on authentication request

Closed this issue · 1 comments

Expected behaviour

I have an AWS Cognito user pool with a few users where I can log in with email and password. Upon successful sign-in, it redirects to the URL given as callback with the authorization code in a URL param.

Actual behaviour

I've done the setup on social-app-django as per the docs. When I go to http://localhost:8000/auth/login/cognito , my Cognito hosted UI comes up, but the URL bar has the URL: https://myclientapp.auth.ap-south-1.amazoncognito.com/error?error=invalid_scope&client_id=3dkqled389888888888888tni5gtj7 . The request's response is error: invalid_scope
I've added the config below in settings:

# App client id and secret of the Cognito app client (redacted)
SOCIAL_AUTH_COGNITO_KEY = "3dkqxxxxxxxxxxxxxgpvi9tj7"
SOCIAL_AUTH_COGNITO_SECRET = "gt4oxxxxxxxxxxxxxxxxxxxxxxxxx2eaui7pjks1ju4"
# Hosted UI domain of the user pool; the authorize and token endpoints hang off it
SOCIAL_AUTH_COGNITO_POOL_DOMAIN = "https://myclientapp.auth.ap-south-1.amazoncognito.com"
SOCIAL_AUTH_COGNITO_AUTHORIZATION_URL = (
    "https://myclientapp.auth.ap-south-1.amazoncognito.com/oauth2/authorize"
)
SOCIAL_AUTH_COGNITO_ACCESS_TOKEN_URL = (
    "https://myclientapp.auth.ap-south-1.amazoncognito.com/oauth2/token"
)

# Use the complete endpoint for the Cognito backend
SOCIAL_AUTH_COGNITO_COMPLETE_URL_NAME = "social:complete"
# Scopes sent in the authorize request; each one must be enabled on the app client
SOCIAL_AUTH_COGNITO_SCOPE = ["email", "openid"]
# Keep the id_token from the token response in the user's extra_data
SOCIAL_AUTH_COGNITO_ID_TOKEN_NAME = "id_token"
SOCIAL_AUTH_COGNITO_EXTRA_DATA = [("id_token", "id_token")]

Any logs, error output, etc?

No logs; the backend log while the above happens:

[15/Jan/2024 13:54:36] "GET /auth/login/cognito/ HTTP/1.1" 302 0

Any other comments?

Cognito is doing its job, because I did the following:

  • Open Postman
  • Add a new request with Authorization set to OAuth 2.0
  • Add the Cognito app id, secret, auth and token endpoints

Once the above is done, we see the Cognito hosted UI sign-in page; once logged in, it redirects to the Postman ID with tokens.


Okay, now that we know Cognito auth works and there are no issues there, I've changed the callback URL back to http://localhost:8000/auth/complete/cognito/ again. Our error remains the same: "invalid_scope". In Cognito, the scopes are email, openid.

Final question/suggestion: What should I look into for troubleshooting? Any recommended steps?

Thanks for reading
Ben

This issue is fixed for me:

  • Make sure that you use http://localhost:8000/auth/complete/cognito/ and not http://127.0.0.1:8000/..., because 127.0.0.1 and localhost are technically different when it comes to URI redirects. Use localhost.
  • Check the OpenID Connect scopes (email, openid, profile) in case of a scope error. You do not necessarily need to specify scopes in settings (Django).
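The two checks in the reply above (redirect URI must match the registered callback exactly, requested scopes must be enabled on the app client) can be done offline before touching the browser. The helper below is an added example, not code from social-app-django or from anyone in this thread: it rebuilds the /oauth2/authorize request that the settings in the question would produce and compares it with an assumed app-client configuration. The SETTINGS and APP_CLIENT dictionaries are constructed stand-ins (the allowed scopes and callback URLs are what you would read off the Cognito console for your own app client), and the URL is assembled by hand in the standard authorization-code layout rather than by calling social-core.

```python
"""Offline check of the Cognito authorize request built from social-auth settings.
Added example; SETTINGS and APP_CLIENT are constructed placeholders."""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-ins for the Django settings posted in the issue.
SETTINGS = {
    "SOCIAL_AUTH_COGNITO_KEY": "3dkqxxxxxxxxxxxxxgpvi9tj7",
    "SOCIAL_AUTH_COGNITO_POOL_DOMAIN": "https://myclientapp.auth.ap-south-1.amazoncognito.com",
    "SOCIAL_AUTH_COGNITO_SCOPE": ["email", "openid"],
}

# Assumed app-client configuration ("Allowed OAuth scopes" and
# "Allowed callback URLs" as shown in the Cognito console).
APP_CLIENT = {
    "allowed_scopes": {"openid", "email", "profile"},
    "callback_urls": {"http://localhost:8000/auth/complete/cognito/"},
}


def build_authorize_url(settings, redirect_uri, state="state123"):
    """Build the authorization-code request the login view redirects the browser to."""
    params = {
        "response_type": "code",
        "client_id": settings["SOCIAL_AUTH_COGNITO_KEY"],
        "redirect_uri": redirect_uri,
        "state": state,
    }
    scopes = settings.get("SOCIAL_AUTH_COGNITO_SCOPE") or []
    if scopes:  # omit the parameter entirely when no scopes are configured
        params["scope"] = " ".join(scopes)
    return settings["SOCIAL_AUTH_COGNITO_POOL_DOMAIN"] + "/oauth2/authorize?" + urlencode(params)


def check_authorize_url(url, app_client):
    """Return the problems the hosted UI would reject; an empty list means the request looks OK."""
    query = parse_qs(urlsplit(url).query)
    problems = []

    # Every requested scope must be enabled on the app client. Leaving `scope`
    # out is fine: Cognito then grants all scopes enabled on the client, which
    # is why not setting SOCIAL_AUTH_COGNITO_SCOPE at all also works.
    requested = set(query.get("scope", [""])[0].split())
    unknown = requested - app_client["allowed_scopes"]
    if unknown:
        problems.append("invalid_scope: %s not enabled on the app client" % sorted(unknown))
    # Cognito only accepts email/phone/profile together with openid.
    if requested & {"email", "phone", "profile"} and "openid" not in requested:
        problems.append("invalid_scope: email/phone/profile require openid as well")

    # Callback URLs are compared as exact strings: scheme, host, port, path and
    # trailing slash all count, so 127.0.0.1 is not interchangeable with localhost.
    redirect_uri = query.get("redirect_uri", [None])[0]
    if redirect_uri not in app_client["callback_urls"]:
        problems.append("redirect_mismatch: %r is not a registered callback URL" % redirect_uri)
    return problems


def parse_hosted_ui_error(url):
    """Pull the error code out of the hosted UI's /error redirect URL."""
    return parse_qs(urlsplit(url).query).get("error", [None])[0]


if __name__ == "__main__":
    for callback in ("http://localhost:8000/auth/complete/cognito/",
                     "http://127.0.0.1:8000/auth/complete/cognito/"):
        print(callback, check_authorize_url(build_authorize_url(SETTINGS, callback), APP_CLIENT))
```

Run it with the callback you actually registered and with the scope list from settings.py; a non-empty result names the mismatch to fix on the app client before retrying the browser flow.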