Amazon Cognito User Pools – Client Credentials

Amazon Cognito User Pools are the user directory component of Amazon Cognito. For the last couple of weeks I have been playing with these sign-up and sign-in services of Amazon Web Services. At the time of writing, user pool app clients allow three types of OAuth flow: Authorization code grant, Implicit grant and Client credentials. This post is only about Client credentials.

I have a REST API that I want to protect with an AWS Cognito user pool. The API is an ASP.NET Core 2.1 Web API, and I used JWT bearer authentication to secure this test API. So I wanted to create an app client on the Cognito user pool that uses the Client credentials OAuth flow. I ran into two errors when I tried to add an app client for the Client credentials flow, and this is what I learned from those mistakes.

Add Client Credentials App

First, I created an app client without selecting Generate client secret.

Creating app client without secure key

App client settings for the new app client

Then I went to App client settings, selected the Client credentials option (as the image above shows) and saved the changes. In response I got the following error:

AllowedOAuthFlows and AllowedOAuthScopes are required if user pool client is allowed to use OAuth flows.

We were unable to update your App Configuration: AllowedOAuthFlows and AllowedOAuthScopes are required if user pool client is allowed to use OAuth flows. (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException; Request ID: 68xxxfe1-xxxx-xxxxxxxxxxxxxxxxxb)

I managed to fix this error by adding a resource server and custom scopes; the details of how I added the custom scopes are below. Then I got the following error:

client_credentials flow can not be selected if client does not have a client secret.

We were unable to update your App Configuration: client_credentials flow can not be selected if client does not have a client secret. (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidOAuthFlowException; Request ID: xxxx)

And I did not find any option in the console to generate a client secret for the existing app client, so I had to create another app client with a client secret.

An app client can only use the client credentials flow if the app client has a client secret.

Note: AWS Documentation – Defining Resource Servers for Your User Pool

Next, I will explain scopes and how I solved the other error.

Resource Server

A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an access token. A scope is a level of access that an app can request to a resource.

From the AWS documentation – Adding Resource Servers for Your User Pool:
  • A resource server is a service that handles authenticated requests.
  • A request reaches the resource server with an access token that contains information about the authenticated user and the session.
  • The resource server verifies the access token it receives with the request.
  • A resource server contains a list of scopes.

In my case, the REST API is the resource server. It should have some scopes that are carried in the access token. So I created the resource server.

Add Resource Server

The identifier is a unique identifier for the resource server. It could be the HTTPS endpoint where your resource server is located. It is used together with the scope name.

Custom Scopes

Scopes can be used to define boundaries for API calls to a resource server. A request succeeds only if the access token carries the required scope. You can create read_only, write_only or other scopes.

My transactions resource server

These scopes then appear in the settings of every app client.

Custom scopes in app client settings

Once I select one or both scopes, I am able to save the app client with the Client credentials OAuth flow.
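To make the two pieces of this post concrete, here is an added example (not code from the original post or from AWS): the token request an app client sends for the client credentials flow, which is why the app client needs a secret, and the checks the resource server (my REST API) applies to the access token's scope after the bearer middleware has verified its signature. The pool domain, region, client id/secret and the "transactions" resource server identifier are assumed placeholders, and the sample token is constructed and unsigned.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Hypothetical values; the post gives none. Domain, region, client and resource server are assumed.
TOKEN_ENDPOINT = "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/token"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET"


def build_token_request(client_id, client_secret, scopes):
    """Client-credentials token request. The app client authenticates with HTTP Basic
    auth (client_id:client_secret), which is why Cognito refuses this flow for an app
    client without a secret. Each scope is written as 'identifier/scope-name'."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return TOKEN_ENDPOINT, headers, body


def decode_claims(access_token):
    """Decode a JWT payload WITHOUT verifying it; signature verification against the
    pool's JWKS (/.well-known/jwks.json) is the JWT bearer middleware's job."""
    payload = access_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def authorize(claims, required_scope, expected_client_id, now=None):
    """Checks the resource server applies after the signature is good: it is an access
    token, issued to our app client, unexpired, and carries the custom scope."""
    now = time.time() if now is None else now
    if claims.get("token_use") != "access":
        return False, "not an access token"
    if claims.get("client_id") != expected_client_id:
        return False, "unexpected client_id"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if required_scope not in claims.get("scope", "").split():
        return False, f"missing scope {required_scope}"
    return True, "ok"


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed, unsigned sample with the claims a client-credentials access token carries.
SAMPLE_CLAIMS = {"token_use": "access", "client_id": CLIENT_ID,
                 "scope": "transactions/read_only", "iat": 1_700_000_000, "exp": 1_700_003_600}
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "kid": "constructed"}), _b64url(SAMPLE_CLAIMS), "sig"])
```

Requesting a scope the app client was not granted in App client settings fails at the token endpoint, and a token carrying only read_only is rejected by authorize() for a write_only endpoint.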

Conclusion

I have written down my findings about the Cognito client credentials authentication flow. A few more posts related to this, which helped me understand the reason for those errors, are listed below.

My plan is to write a few more posts about AWS Cognito with .NET Core. There are a few things you need to deal with when you work with the AWS .NET SDK and Cognito. If you are interested, please register below.

4 thoughts on “Amazon Cognito User Pools – Client Credentials”

  1. Hi Jobair,

    Is it possible to use Cognito to validate a token from a server that is not behind an AWS API Gateway?

    Yours Sincerely,
    Bob Bobly
    (google employee)

  2. Is it possible to use “client credentials” with an AWS_IAM authorizer in API Gateway?