C#, 3mo ago
Neophyte

AWS Cognito as IDP - Federated Auth flow - token endpoint from API

Hi, I am running an Angular app backed with an ASP.NET 8.0 API. I am to implement a Fed. Auth flow; the first provider would be Microsoft Entra (AD). I am using Cognito as the IDP for the classic username+password flow. I have set up Cognito and a Cognito app client, having clientId, secret, scopes, etc. The authorization works well: I am getting redirected to the Entra auth page when redirecting the user in the browser to Cognito's /authorize endpoint, and I am also getting redirected back to my Angular client app landing page (i.e. /authenticated) with the authorization code (I am using responseType = 'code'). I am having difficulties with the /token endpoint of Cognito. Calling this endpoint from Postman I get the desired response, but from the backend API...
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

// FormUrlEncodedContent percent-encodes every key and value itself, so the values
// go in raw; pre-encoding them with UrlEncoder would double-encode them.
var content = new Dictionary<string, string>
{
    { "grant_type", "authorization_code" },
    { "client_id", signInExperience.ClientId! },
    // Must match the callback URL registered on the Cognito app client character
    // for character; a trailing slash counts as a difference.
    { "redirect_uri", signInExperience.RedirectUri! },
    { "code", request.AuthorizationCode! },
    // Cognito only reads scope for the client_credentials grant; harmless here.
    { "scope", "email" }
};

HttpClient client = httpClientFactory.CreateClient(Constants.HTTP_CLIENT_NAME);

var httpRequest = new HttpRequestMessage(HttpMethod.Post, endpoint)
{
    // Sets Content-Type: application/x-www-form-urlencoded on the body.
    Content = new FormUrlEncodedContent(content)
};
// Accept names the response format we want; the token endpoint answers with JSON.
httpRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

// Confidential app client: client_id:client_secret as HTTP Basic credentials.
var credentials = Convert.ToBase64String(
    Encoding.UTF8.GetBytes($"{signInExperience.ClientId}:{signInExperience.ClientSecret}"));
httpRequest.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);

// Do not serialize the whole request to the console: that writes the Basic
// credentials (the client secret) into the logs.

var response = await client.SendAsync(httpRequest);
6 Replies
Neophyte (OP), 3mo ago
Using OIDC identity providers with a user pool - Amazon Cognito
Learn how to configure an OpenID Connect (OIDC) identity provider like Salesforce or Okta to allow users to sign in to your application using their existing accounts from those providers. Review the steps required to register the application with the OIDC provider, add the provider configuration to the Amazon Cognito user pool, and test the inte...
The token issuer endpoint - Amazon Cognito
Learn how to generate requests to the /oauth2/token endpoint for Amazon Cognito OAuth 2.0 access tokens, OpenID Connect (OIDC) ID tokens, and refresh tokens. The token endpoint returns tokens for app clients that support client credentials grants and authorization code grants.
Neophyte (OP), 3mo ago
This request results in "Verify authorization token resulted in error. Status code: MethodNotAllowed (405)". If I omit httpRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/x-www-form-urlencoded")); the request results in BadRequest (400).
Neophyte (OP), 3mo ago
Postman request headers are: (screenshot attached)
Neophyte (OP), 3mo ago
What am I missing here? Why does it work from Postman and not from the backend API call?
Neophyte (OP), 3mo ago
I assume the Authorization header value has some error. Though this is a weak assumption, omitting the Authorization header element results in the same error. (screenshot attached)
Neophyte (OP), 3mo ago
I have found the problem. Postman cut the trailing / from the redirect URI parameter, while in the backend API request it wasn't cut. The trailing / was considered an invalid parameter (in the Cognito application, the redirect URI was registered without the trailing slash). Fixing it solved the issue...
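The exchange this thread ends on, done from the backend, as an added example that is neither the original poster's code nor AWS's: a small helper that builds the /oauth2/token request for an authorization_code grant with HTTP Basic client authentication, refuses a redirect_uri that differs from the registered callback even by a trailing slash, and surfaces Cognito's error body instead of a generic 500. The class names (CognitoTokenClient, TokenResponse, RedirectUriProblem), the sample client id/secret, domain and redirect URI in Main are assumptions made for the example; the token fields id_token, access_token, refresh_token, token_type and expires_in are the ones Cognito documents for this endpoint.

```csharp
// Added example, not the original poster's code. Assumed names: CognitoTokenClient,
// TokenResponse, RedirectUriProblem and the placeholder values in Main.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Text.Json.Serialization;
using System.Threading.Tasks;

public sealed class TokenResponse
{
    [JsonPropertyName("id_token")] public string? IdToken { get; set; }
    [JsonPropertyName("access_token")] public string? AccessToken { get; set; }
    [JsonPropertyName("refresh_token")] public string? RefreshToken { get; set; }
    [JsonPropertyName("token_type")] public string? TokenType { get; set; }
    [JsonPropertyName("expires_in")] public int ExpiresIn { get; set; }
}

public sealed class CognitoTokenClient
{
    private readonly HttpClient _http;
    private readonly string _clientId;
    private readonly string _clientSecret;
    private readonly string _registeredRedirectUri; // exactly as entered on the app client

    public CognitoTokenClient(HttpClient http, string clientId, string clientSecret, string registeredRedirectUri)
    {
        _http = http;
        _clientId = clientId;
        _clientSecret = clientSecret;
        _registeredRedirectUri = registeredRedirectUri;
    }

    // Cognito compares redirect_uri with the app client's callback URL as an exact string.
    // Returns null when it matches, otherwise a message naming the difference.
    public static string? RedirectUriProblem(string candidate, string registered)
    {
        if (string.Equals(candidate, registered, StringComparison.Ordinal))
            return null;
        if (candidate.TrimEnd('/') == registered.TrimEnd('/'))
            return $"redirect_uri '{candidate}' differs from the registered '{registered}' only by a trailing slash";
        return $"redirect_uri '{candidate}' is not the registered callback '{registered}'";
    }

    public async Task<TokenResponse> ExchangeCodeAsync(Uri tokenEndpoint, string authorizationCode, string redirectUri)
    {
        var problem = RedirectUriProblem(redirectUri, _registeredRedirectUri);
        if (problem is not null)
            throw new ArgumentException(problem, nameof(redirectUri));

        // Raw values only: FormUrlEncodedContent percent-encodes each key and value,
        // so pre-encoding with UrlEncoder would double-encode them.
        var form = new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["client_id"] = _clientId,
            ["redirect_uri"] = redirectUri,
            ["code"] = authorizationCode,
        };

        using var request = new HttpRequestMessage(HttpMethod.Post, tokenEndpoint)
        {
            Content = new FormUrlEncodedContent(form) // Content-Type: application/x-www-form-urlencoded
        };
        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        // Confidential app client: client_id:client_secret as HTTP Basic credentials.
        // Never log the request object; it would write the client secret to the logs.
        var basic = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{_clientId}:{_clientSecret}"));
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);

        using var response = await _http.SendAsync(request);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // Cognito answers a rejected exchange with a JSON error body; surface it so a
            // redirect_uri mismatch is reported as itself rather than as a generic 500.
            throw new HttpRequestException($"token endpoint returned {(int)response.StatusCode}: {body}");
        }
        return JsonSerializer.Deserialize<TokenResponse>(body)
               ?? throw new InvalidOperationException("empty token response");
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Placeholder values constructed for this example; not real credentials or a real domain.
        var client = new CognitoTokenClient(new HttpClient(), "example-client-id", "example-client-secret",
            "https://app.example/authenticated");
        // The trailing-slash case from the thread is caught before any request is sent.
        Console.WriteLine(CognitoTokenClient.RedirectUriProblem("https://app.example/authenticated/",
            "https://app.example/authenticated"));
        var tokens = await client.ExchangeCodeAsync(
            new Uri("https://example.auth.eu-west-1.amazoncognito.com/oauth2/token"),
            "code-from-the-callback-query-string", "https://app.example/authenticated");
        Console.WriteLine($"{tokens.TokenType}, expires in {tokens.ExpiresIn}s");
    }
}
```

Register the HttpClient through IHttpClientFactory in a real ASP.NET app rather than creating one per call as Main does here, and keep the registered callback URL in configuration next to the client secret so both sides of the comparison come from the same source of truth.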