It seems allowedOAuthFlowsUserPoolClient must be set to true in the SDK; this field does not exist in the AWS console, and so it works on save.
It's not a bug, just hard to understand.
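The resolution in the comment above, as an added example that is not part of the original issue or of the SDK's own code: it builds the same request the issue's wire log shows, sets `allowedOAuthFlowsUserPoolClient(true)`, and audits a user pool for app clients that have OAuth flows configured while that flag is still false. The class and method names (`OAuthAppClients`, `machineClient`, `oauthFlowsInactive`, `findInactive`) and the command-line arguments are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.*;

public class OAuthAppClients {

    // Same fields as the request body in the issue's wire log, plus the flag it lacks.
    static CreateUserPoolClientRequest machineClient(String userPoolId, String name, List<String> scopes) {
        return CreateUserPoolClientRequest.builder()
                .userPoolId(userPoolId)
                .clientName(name)
                .generateSecret(true)
                .allowedOAuthFlows(OAuthFlowType.CLIENT_CREDENTIALS)
                .allowedOAuthScopes(scopes)
                .allowedOAuthFlowsUserPoolClient(true) // the issue's response shows false when omitted
                .build();
    }

    // OAuth flows are configured but the switch is off: the state shown in the issue's response.
    static boolean oauthFlowsInactive(UserPoolClientType c) {
        return !c.allowedOAuthFlows().isEmpty()
                && !Boolean.TRUE.equals(c.allowedOAuthFlowsUserPoolClient());
    }

    // Audit an existing pool: returns the IDs of app clients in that state.
    static List<String> findInactive(CognitoIdentityProviderClient cognito, String userPoolId) {
        List<String> ids = new ArrayList<>();
        ListUserPoolClientsRequest list = ListUserPoolClientsRequest.builder().userPoolId(userPoolId).build();
        for (UserPoolClientDescription d : cognito.listUserPoolClientsPaginator(list).userPoolClients()) {
            UserPoolClientType c = cognito.describeUserPoolClient(DescribeUserPoolClientRequest.builder()
                    .userPoolId(userPoolId).clientId(d.clientId()).build()).userPoolClient();
            if (oauthFlowsInactive(c)) ids.add(c.clientId());
        }
        return ids;
    }

    public static void main(String[] args) { // args: <userPoolId> <clientName> <scope>...
        try (CognitoIdentityProviderClient cognito = CognitoIdentityProviderClient.create()) {
            List<String> scopes = List.of(args).subList(2, args.length);
            UserPoolClientType created = cognito.createUserPoolClient(
                    machineClient(args[0], args[1], scopes)).userPoolClient();
            if (oauthFlowsInactive(created)) { // fail at creation time, not at the token endpoint
                throw new IllegalStateException("OAuth flows not enabled on " + created.clientId());
            }
            System.out.println("created " + created.clientId()); // do not print clientSecret()
            System.out.println("inactive OAuth clients: " + findInactive(cognito, args[0]));
        }
    }
}
```

Wire-level DEBUG logging (`org.apache.http.wire`), as enabled for the logs in this issue, writes the generated `ClientSecret` from the response body into the log, so keep it off wherever app clients are created.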
Describe the bug
Creating a Cognito appClient via the SDK always leads to "invalid_grant".
When creating the same appClient via the AWS console, it works.
Also, when creating an appClient via the SDK, going to the AWS console and saving the Hosted UI without changing anything, it works.
Is this an issue with the SDK or am I missing anything?
Please let me know if you need anything else.
Best regards
Hans Peter
Expected Behavior
Creating an appClient via the SDK leads to the same behaviour as creating an appClient via the AWS console.
Current Behavior
Please see the description; there are no errors shown when creating the appClient. It is shown in the AWS console as expected.
Code for creating the appClient
`CreateUserPoolClientResponse response = cognitoClient.createUserPoolClient(
CreateUserPoolClientRequest.builder()
.clientName(clientName)
// Logs
`09:19:25.783 [http-nio-5000-exec-4] DEBUG s.a.awssdk.auth.signer.Aws4Signer - AWS4 Canonical Request: POST
/
amz-sdk-invocation-id:adee7ffa-35e2-4cc5-dd73-b0dd468efecb
amz-sdk-request:attempt=1; max=4
content-length:249
content-type:application/x-amz-json-1.1
host:cognito-idp.eu-central-1.amazonaws.com
x-amz-date:20231018T071925Z
x-amz-target:AWSCognitoIdentityProviderService.CreateUserPoolClient
amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target
f282bb34d644b9af317e29d27586339f1ddd9adb0c492f360bd609c0aa0491cd
09:19:25.783 [http-nio-5000-exec-4] DEBUG s.a.awssdk.auth.signer.Aws4Signer - AWS4 String to sign: AWS4-HMAC-SHA256
20231018T071925Z
20231018/eu-central-1/cognito-idp/aws4_request
1c2daedecbf733396a2f5b46015213a55b958f24657c6f989c36c0dc8ea827d9
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> POST / HTTP/1.1
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Host: cognito-idp.eu-central-1.amazonaws.com
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> amz-sdk-invocation-id: adee7ffa-35e2-4cc5-dd73-b0dd468efecb
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> amz-sdk-request: attempt=1; max=4
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Authorization: AWS4-HMAC-SHA256 Credential=/20231018/eu-central-1/cognito-idp/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target, Signature=3cce797b778431d1132ab59da5f407301df4ff1ff30f36f8d67cd2ca83bd0b33
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Content-Type: application/x-amz-json-1.1
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> User-Agent: aws-sdk-java/2.20.153 Mac_OS_X/13.4.1 OpenJDK_64-Bit_Server_VM/17.0.7+7-LTS Java/17.0.7 vendor/Amazon.com_Inc. io/sync http/Apache cfg/retry-mode/legacy
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> X-Amz-Date: 20231018T071925Z
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> X-Amz-Target: AWSCognitoIdentityProviderService.CreateUserPoolClient
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Content-Length: 249
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Connection: Keep-Alive
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "POST / HTTP/1.1[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Host: cognito-idp.eu-central-1.amazonaws.com[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "amz-sdk-invocation-id: adee7ffa-35e2-4cc5-dd73-b0dd468efecb[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "amz-sdk-request: attempt=1; max=4[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Authorization: AWS4-HMAC-SHA256 Credential=*/20231018/eu-central-1/cognito-idp/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target, Signature=3cce797b778431d1132ab59da5f407301df4ff1ff30f36f8d67cd2ca83bd0b33[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Content-Type: application/x-amz-json-1.1[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "User-Agent: aws-sdk-java/2.20.153 Mac_OS_X/13.4.1 OpenJDK_64-Bit_Server_VM/17.0.7+7-LTS Java/17.0.7 vendor/Amazon.com_Inc. io/sync http/Apache cfg/retry-mode/legacy[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "X-Amz-Date: 20231018T071925Z[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "X-Amz-Target: AWSCognitoIdentityProviderService.CreateUserPoolClient[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Content-Length: 249[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Connection: Keep-Alive[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "{"UserPoolId":"eu-central-1_urFWgoAiR","ClientName":"1","GenerateSecret":true,"AllowedOAuthFlows":["client_credentials"],"AllowedOAuthScopes":["https://api-personal-1.netural.com/connector.read","https://api-personal-1.netural.com/connector.write"]}"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "HTTP/1.1 200 OK[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "Date: Wed, 18 Oct 2023 07:19:25 GMT[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "Content-Type: application/x-amz-json-1.1[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "Content-Length: 616[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "Connection: keep-alive[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "x-amzn-RequestId: 9bf1a572-61fe-4c5c-916b-91ac563ae185[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "{"UserPoolClient":{"AllowedOAuthFlows":["client_credentials"],"AllowedOAuthFlowsUserPoolClient":false,"AllowedOAuthScopes":["https://api-personal-1.netural.com/connector.write","https://api-personal-1.netural.com/connector.read"],"AuthSessionValidity":3,"ClientId":"38ai6vnja84s6vljv726hpd5gg","ClientName":"1","ClientSecret":"1kte21938me28nkdmea8refmekf9nr5qtk6jpfmd3r64q07d4j5o","CreationDate":1.697613565959E9,"EnablePropagateAdditionalUserContextData":false,"EnableTokenRevocation":true,"LastModifiedDate":1.697613565959E9,"RefreshTokenValidity":30,"TokenValidityUnits":{},"UserPoolId":"eu-central-1_urFWgoAiR"}}"
09:19:25.977 [http-nio-5000-exec-4] INFO c.m.c.i.aws.CognitoAppClientService - User pool 1 created. ID: 38ai6vnja84s6vljv726hpd5gg`
Reproduction Steps
Generate an appClient with the code above.
Try to fetch a token with the given appClientId and appClientSecret.
Possible Solution
No response
Additional Information/Context
No response
AWS Java SDK version used
2.20.153
JDK version used
Amazon Corretto 17.0.7
Operating System and version
macOS 13.4.1