Create an AppClient via sdk leads to "invalid_grant" #3037

Closed
theHPU opened this issue Oct 18, 2023 · 3 comments
Labels
bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@theHPU

theHPU commented Oct 18, 2023

Describe the bug

Creating a Cognito appClient via the SDK always leads to "invalid_grant".
When creating the same AppClient via the AWS console, it works.
Also, when creating an appClient via the SDK, then going to the AWS console and saving the Hosted UI without changing anything, it works.

Is this an issue with the SDK, or am I missing anything?

Please let me know if you need anything else.

Best regards

Hans Peter

Expected Behavior

Creating an appClient via the sdk leads to the same behaviour as creating an appClient via the AWS console

Current Behavior

Please see the description, there are no errors shown when creating the appClient. It is shown in the AWS-console as expected.

Code for creating the appClient
```java
import java.util.List;

import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolClientRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolClientResponse;
// CLIENT_CREDENTIALS is the statically imported OAuthFlowType constant (serialised as "client_credentials")
import static software.amazon.awssdk.services.cognitoidentityprovider.model.OAuthFlowType.CLIENT_CREDENTIALS;

// Confidential client (generateSecret) restricted to the client_credentials flow and two custom scopes
CreateUserPoolClientResponse response = cognitoClient.createUserPoolClient(
    CreateUserPoolClientRequest.builder()
        .clientName(clientName)
        .generateSecret(true)
        .allowedOAuthFlows(CLIENT_CREDENTIALS)
        .allowedOAuthScopes(List.of(
            cognitoConfiguration.getResourceServerIdentifier() + "/"
                + CONNECTOR_READ.getName(),
            cognitoConfiguration.getResourceServerIdentifier() + "/"
                + CONNECTOR_WRITE.getName()
        ))
        .userPoolId(cognitoConfiguration.getUserpoolid())
        .build());
```

// Logs

```text
09:19:25.783 [http-nio-5000-exec-4] DEBUG s.a.awssdk.auth.signer.Aws4Signer - AWS4 Canonical Request: POST
/

amz-sdk-invocation-id:adee7ffa-35e2-4cc5-dd73-b0dd468efecb
amz-sdk-request:attempt=1; max=4
content-length:249
content-type:application/x-amz-json-1.1
host:cognito-idp.eu-central-1.amazonaws.com
x-amz-date:20231018T071925Z
x-amz-target:AWSCognitoIdentityProviderService.CreateUserPoolClient

amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target
f282bb34d644b9af317e29d27586339f1ddd9adb0c492f360bd609c0aa0491cd
09:19:25.783 [http-nio-5000-exec-4] DEBUG s.a.awssdk.auth.signer.Aws4Signer - AWS4 String to sign: AWS4-HMAC-SHA256
20231018T071925Z
20231018/eu-central-1/cognito-idp/aws4_request
1c2daedecbf733396a2f5b46015213a55b958f24657c6f989c36c0dc8ea827d9
09:19:25.788 [http-nio-5000-exec-4] DEBUG o.a.h.c.protocol.RequestAddCookies - CookieSpec selected: default
09:19:25.788 [http-nio-5000-exec-4] DEBUG o.a.h.c.protocol.RequestAuthCache - Auth cache not set in the context
09:19:25.789 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.PoolingHttpClientConnectionManager - Connection request: [route: {s}->https://cognito-idp.eu-central-1.amazonaws.com:443][total available: 0; route allocated: 0 of 50; total allocated: 0 of 50]
09:19:25.789 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.PoolingHttpClientConnectionManager - Connection leased: [id: 1][route: {s}->https://cognito-idp.eu-central-1.amazonaws.com:443][total available: 0; route allocated: 1 of 50; total allocated: 1 of 50]
09:19:25.789 [http-nio-5000-exec-4] DEBUG o.a.h.impl.execchain.MainClientExec - Opening connection {s}->https://cognito-idp.eu-central-1.amazonaws.com:443
09:19:25.790 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.DefaultHttpClientConnectionOperator - Connecting to cognito-idp.eu-central-1.amazonaws.com/35.157.15.220:443
09:19:25.790 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - Connecting socket to cognito-idp.eu-central-1.amazonaws.com/35.157.15.220:443 with timeout 2000
09:19:25.816 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - Enabled protocols: [TLSv1.3, TLSv1.2]
09:19:25.816 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - Enabled cipher suites:[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
09:19:25.816 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - socket.getSupportedProtocols(): [TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, SSLv2Hello], socket.getEnabledProtocols(): [TLSv1.3, TLSv1.2]
09:19:25.816 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - Starting handshake
09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - Secure session established
09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - negotiated protocol: TLSv1.2
09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - peer principal: CN=cognito-idp.eu-central-1.amazonaws.com
09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - peer alternative names: [cognito-idp.eu-central-1.amazonaws.com]
09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.i.conn.SdkTlsSocketFactory - issuer principal: CN=Amazon RSA 2048 M02, O=Amazon, C=US
09:19:25.861 [http-nio-5000-exec-4] DEBUG s.a.a.h.a.internal.net.SdkSslSocket - created: cognito-idp.eu-central-1.amazonaws.com/35.157.15.220:443
09:19:25.862 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.DefaultHttpClientConnectionOperator - Connection established 10.28.51.130:61784<->35.157.15.220:443
09:19:25.862 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.DefaultManagedHttpClientConnection - http-outgoing-1: set socket timeout to 30000
09:19:25.862 [http-nio-5000-exec-4] DEBUG o.a.h.impl.execchain.MainClientExec - Executing request POST / HTTP/1.1
09:19:25.862 [http-nio-5000-exec-4] DEBUG o.a.h.impl.execchain.MainClientExec - Proxy auth state: UNCHALLENGED
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> POST / HTTP/1.1
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Host: cognito-idp.eu-central-1.amazonaws.com
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> amz-sdk-invocation-id: adee7ffa-35e2-4cc5-dd73-b0dd468efecb
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> amz-sdk-request: attempt=1; max=4
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Authorization: AWS4-HMAC-SHA256 Credential=/20231018/eu-central-1/cognito-idp/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target, Signature=3cce797b778431d1132ab59da5f407301df4ff1ff30f36f8d67cd2ca83bd0b33
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Content-Type: application/x-amz-json-1.1
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> User-Agent: aws-sdk-java/2.20.153 Mac_OS_X/13.4.1 OpenJDK_64-Bit_Server_VM/17.0.7+7-LTS Java/17.0.7 vendor/Amazon.com_Inc. io/sync http/Apache cfg/retry-mode/legacy
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> X-Amz-Date: 20231018T071925Z
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> X-Amz-Target: AWSCognitoIdentityProviderService.CreateUserPoolClient
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Content-Length: 249
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 >> Connection: Keep-Alive
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "POST / HTTP/1.1[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Host: cognito-idp.eu-central-1.amazonaws.com[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "amz-sdk-invocation-id: adee7ffa-35e2-4cc5-dd73-b0dd468efecb[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "amz-sdk-request: attempt=1; max=4[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Authorization: AWS4-HMAC-SHA256 Credential=*/20231018/eu-central-1/cognito-idp/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-target, Signature=3cce797b778431d1132ab59da5f407301df4ff1ff30f36f8d67cd2ca83bd0b33[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Content-Type: application/x-amz-json-1.1[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "User-Agent: aws-sdk-java/2.20.153 Mac_OS_X/13.4.1 OpenJDK_64-Bit_Server_VM/17.0.7+7-LTS Java/17.0.7 vendor/Amazon.com_Inc. io/sync http/Apache cfg/retry-mode/legacy[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "X-Amz-Date: 20231018T071925Z[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "X-Amz-Target: AWSCognitoIdentityProviderService.CreateUserPoolClient[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Content-Length: 249[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "Connection: Keep-Alive[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "[\r][\n]"
09:19:25.862 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 >> "{"UserPoolId":"eu-central-1_urFWgoAiR","ClientName":"1","GenerateSecret":true,"AllowedOAuthFlows":["client_credentials"],"AllowedOAuthScopes":["https://api-personal-1.netural.com/connector.read","https://api-personal-1.netural.com/connector.write"]}"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "HTTP/1.1 200 OK[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "Date: Wed, 18 Oct 2023 07:19:25 GMT[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "Content-Type: application/x-amz-json-1.1[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "Content-Length: 616[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "Connection: keep-alive[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "x-amzn-RequestId: 9bf1a572-61fe-4c5c-916b-91ac563ae185[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "[\r][\n]"
09:19:25.962 [http-nio-5000-exec-4] DEBUG org.apache.http.wire - http-outgoing-1 << "{"UserPoolClient":{"AllowedOAuthFlows":["client_credentials"],"AllowedOAuthFlowsUserPoolClient":false,"AllowedOAuthScopes":["https://api-personal-1.netural.com/connector.write","https://api-personal-1.netural.com/connector.read"],"AuthSessionValidity":3,"ClientId":"38ai6vnja84s6vljv726hpd5gg","ClientName":"1","ClientSecret":"1kte21938me28nkdmea8refmekf9nr5qtk6jpfmd3r64q07d4j5o","CreationDate":1.697613565959E9,"EnablePropagateAdditionalUserContextData":false,"EnableTokenRevocation":true,"LastModifiedDate":1.697613565959E9,"RefreshTokenValidity":30,"TokenValidityUnits":{},"UserPoolId":"eu-central-1_urFWgoAiR"}}"
09:19:25.963 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 << HTTP/1.1 200 OK
09:19:25.963 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 << Date: Wed, 18 Oct 2023 07:19:25 GMT
09:19:25.963 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 << Content-Type: application/x-amz-json-1.1
09:19:25.963 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 << Content-Length: 616
09:19:25.963 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 << Connection: keep-alive
09:19:25.963 [http-nio-5000-exec-4] DEBUG org.apache.http.headers - http-outgoing-1 << x-amzn-RequestId: 9bf1a572-61fe-4c5c-916b-91ac563ae185
09:19:25.963 [http-nio-5000-exec-4] DEBUG o.a.h.impl.execchain.MainClientExec - Connection can be kept alive for 60000 MILLISECONDS
09:19:25.963 [http-nio-5000-exec-4] DEBUG software.amazon.awssdk.requestId - Received successful response: 200, Request ID: 9bf1a572-61fe-4c5c-916b-91ac563ae185, Extended Request ID: not available
09:19:25.963 [http-nio-5000-exec-4] DEBUG software.amazon.awssdk.request - Received successful response: 200, Request ID: 9bf1a572-61fe-4c5c-916b-91ac563ae185, Extended Request ID: not available
09:19:25.976 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.PoolingHttpClientConnectionManager - Connection [id: 1][route: {s}->https://cognito-idp.eu-central-1.amazonaws.com:443] can be kept alive for 60.0 seconds
09:19:25.976 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.DefaultManagedHttpClientConnection - http-outgoing-1: set socket timeout to 0
09:19:25.976 [http-nio-5000-exec-4] DEBUG o.a.h.i.c.PoolingHttpClientConnectionManager - Connection released: [id: 1][route: {s}->https://cognito-idp.eu-central-1.amazonaws.com:443][total available: 1; route allocated: 1 of 50; total allocated: 1 of 50]
09:19:25.977 [http-nio-5000-exec-4] INFO c.m.c.i.aws.CognitoAppClientService - User pool 1 created. ID: 38ai6vnja84s6vljv726hpd5gg
```

Reproduction Steps

Generate an appClient with the code above.
Try to fetch a token with the given appClientId and appClientSecret.

Possible Solution

No response

Additional Information/Context

No response

AWS Java SDK version used

2.20.153

JDK version used

Amazon Corretto 17.0.7

Operating System and version

MacOs 13.4.1

@theHPU
Author

theHPU commented Oct 19, 2023

It seems allowedOAuthFlowsUserPoolClient must be set to true in the SDK; this field does not exist in the AWS console, so it works on save.
It's not a bug, just hard to understand.

@theHPU theHPU closed this as completed Oct 19, 2023
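The fix named in the comment above, written out end to end as an added example (editor's code, not the issue author's and not from the AWS SDK project): create the app client with allowedOAuthFlowsUserPoolClient(true), verify the flag on the returned UserPoolClientType before doing anything else, then exchange the client id and secret for a token at the user pool's hosted-UI /oauth2/token endpoint, the request that was answering invalid_grant. The pool ID, resource-server identifier, scope names and domain are placeholders; the token endpoint only exists once the pool has a domain configured (the Hosted UI the author mentions saving). Note that the DEBUG wire log in the original report printed the generated ClientSecret in clear text; org.apache.http.wire at DEBUG dumps every request and response body, so the example below logs only the HTTP status, never the secret or the token.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolClientRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolClientResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.OAuthFlowType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.UserPoolClientType;

public class CognitoClientCredentialsExample {

    // Placeholders (assumptions): substitute your pool, resource server and hosted-UI domain.
    static final String USER_POOL_ID = "eu-central-1_EXAMPLE";
    static final String RESOURCE_SERVER = "https://api.example.com";
    static final String TOKEN_ENDPOINT =
        "https://example-domain.auth.eu-central-1.amazoncognito.com/oauth2/token";

    /** Creates a confidential app client limited to client_credentials and two custom scopes. */
    static UserPoolClientType createClient(CognitoIdentityProviderClient cognito, String clientName) {
        CreateUserPoolClientResponse response = cognito.createUserPoolClient(
            CreateUserPoolClientRequest.builder()
                .userPoolId(USER_POOL_ID)
                .clientName(clientName)
                .generateSecret(true)
                // The switch the console flips implicitly on save. Without it the OAuth flows and
                // scopes are stored but inactive, and /oauth2/token answers invalid_grant.
                .allowedOAuthFlowsUserPoolClient(true)
                .allowedOAuthFlows(OAuthFlowType.CLIENT_CREDENTIALS)
                .allowedOAuthScopes(List.of(
                    RESOURCE_SERVER + "/connector.read",
                    RESOURCE_SERVER + "/connector.write"))
                .build());
        return response.userPoolClient();
    }

    /** True only if the stored client can actually be used for the OAuth flows it lists. */
    static boolean oauthEnabled(UserPoolClientType client) {
        return Boolean.TRUE.equals(client.allowedOAuthFlowsUserPoolClient())
            && client.allowedOAuthFlows().contains(OAuthFlowType.CLIENT_CREDENTIALS);
    }

    /** client_credentials grant with client_secret_basic authentication and a form-encoded body. */
    static HttpRequest tokenRequest(String clientId, String clientSecret, List<String> scopes) {
        String basic = Base64.getEncoder().encodeToString(
            (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
        String body = "grant_type=client_credentials&scope="
            + URLEncoder.encode(String.join(" ", scopes), StandardCharsets.UTF_8);
        return HttpRequest.newBuilder(URI.create(TOKEN_ENDPOINT))
            .header("Authorization", "Basic " + basic)
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body))
            .build();
    }

    public static void main(String[] args) throws Exception {
        try (CognitoIdentityProviderClient cognito = CognitoIdentityProviderClient.builder()
                .region(Region.EU_CENTRAL_1).build()) {
            UserPoolClientType client = createClient(cognito, "connector-service");
            // Check the persisted flag first: in the issue's log the response carried
            // "AllowedOAuthFlowsUserPoolClient":false, which is exactly the broken state.
            if (!oauthEnabled(client)) {
                throw new IllegalStateException("OAuth flows are not enabled on app client "
                    + client.clientId());
            }
            HttpRequest req = tokenRequest(client.clientId(), client.clientSecret(),
                client.allowedOAuthScopes());
            HttpResponse<String> resp = HttpClient.newHttpClient()
                .send(req, HttpResponse.BodyHandlers.ofString());
            // Log the status only; the body holds the access token and the request carried the secret.
            System.out.println("token endpoint status: " + resp.statusCode());
        }
    }
}
```

The same flag applies to UpdateUserPoolClient: an existing client created without it can be repaired from code by sending the update with allowedOAuthFlowsUserPoolClient(true) rather than by opening and re-saving it in the console.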
@github-actions

COMMENT VISIBILITY WARNING

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@samliang1

samliang1 commented Oct 31, 2023

Tim,
Thanks for your quick response. Passing the AllowedOAuthFlowsUserPoolClient=True in boto3 worked! Much appreciated!
