AWS Cognito as IDP - Federated Auth flow - token endpoint from API
Hi,
I am running an Angular app backed by an ASP.NET 8.0 API. I am to implement a Federated Auth flow; the first provider would be Microsoft Entra (AD).
I am using Cognito as IDP for classic username+password flow.
I have set up Cognito and a Cognito App client, having clientId, secret, scopes, etc. The authorization works well (I am getting redirected to the Entra auth page when redirecting the user in the browser to Cognito's /authorize endpoint). Also, I am getting redirected back to my Angular client app landing page (i.e. /authenticated) with the authorization code. (I am using responseType = 'code';.)
I am having difficulties with the /token endpoint of Cognito.
Calling this endpoint from Postman I get the desired response, but from the backend API..
6 Replies
Oidc flow docs with Cognito
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html
The token endpoint docs
https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html
This request results in:
Verify authorization token resulted in error. Status code: MethodNotAllowed (405)
If I omit httpRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/x-www-form-urlencoded")); the request results in BadRequest 400.
Postman request headers are
What am I missing here? Why does it work from Postman and not from the backend API call?
I assume the Authorization header value has some error. Though this is a weak assumption, omitting the Authorization header element results in the same error.

I have found the problem.
Postman cut the trailing / from the redirect URI parameter, while in the backend API request it wasn't cut. The trailing / was considered an invalid parameter (in the Cognito application, the redirect URI was registered without the trailing slash). Fixing it solved the issue...
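As an added example (not the original poster's code), here is how the authorization-code exchange described in this thread can be done from an ASP.NET backend so that the two failure modes above are avoided: the redirect_uri is compared byte-for-byte with the value registered on the app client before any request is sent (a trailing slash difference is exactly what the poster hit), and the form body carries the Content-Type application/x-www-form-urlencoded header that the token endpoint documentation requires, instead of that media type being put in Accept. The endpoint domain, client id, secret and registered redirect URI are placeholders; the endpoint path /oauth2/token and the Basic client authentication come from the Cognito token-endpoint docs linked above.

```csharp
// Added example: exchanging a Cognito authorization code for tokens from an ASP.NET backend.
// Not the original poster's code. Domain, client id/secret and redirect URI are placeholders.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;

public static class CognitoTokenExchange
{
    // Placeholders: replace with the user pool domain and app client settings.
    private const string TokenEndpoint = "https://YOUR-DOMAIN.auth.REGION.amazoncognito.com/oauth2/token";
    private const string ClientId = "YOUR_APP_CLIENT_ID";
    private const string ClientSecret = "YOUR_APP_CLIENT_SECRET";

    // The callback URL exactly as registered on the Cognito app client (no trailing slash here).
    private const string RegisteredRedirectUri = "https://app.example.com/authenticated";

    // Cognito compares redirect_uri with the registered callback URL as an exact string,
    // so "/authenticated/" and "/authenticated" are different values. Check it here and
    // fail with a clear message instead of a bare 400 from the token endpoint.
    public static bool RedirectUriMatchesRegistration(string redirectUri) =>
        string.Equals(redirectUri, RegisteredRedirectUri, StringComparison.Ordinal);

    public static async Task<string> ExchangeCodeAsync(HttpClient http, string code, string redirectUri)
    {
        if (!RedirectUriMatchesRegistration(redirectUri))
        {
            throw new ArgumentException(
                $"redirect_uri '{redirectUri}' does not exactly match the registered '{RegisteredRedirectUri}'");
        }

        using var request = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint);

        // Client authentication: HTTP Basic with base64(client_id:client_secret).
        var credentials = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{ClientId}:{ClientSecret}"));
        request.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);

        // FormUrlEncodedContent sets Content-Type: application/x-www-form-urlencoded on the body.
        // The endpoint answers with JSON, so Accept (if set at all) should name application/json.
        request.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "authorization_code",
            ["client_id"] = ClientId,
            ["code"] = code,
            ["redirect_uri"] = redirectUri,
        });
        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

        using var response = await http.SendAsync(request);
        var body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // Surface the status and the error body (e.g. an invalid_grant / invalid_request JSON)
            // so a redirect_uri or header mistake is visible in the backend logs.
            throw new HttpRequestException($"Token endpoint returned {(int)response.StatusCode}: {body}");
        }

        // JSON containing access_token, id_token, refresh_token, expires_in and token_type.
        return body;
    }
}
```

The value passed as redirectUri must be the same string the Angular app used on the /authorize request; if the front end appends a trailing slash to its landing page URL, either register that exact form on the app client or strip it before both requests, but do not let the two sides drift apart.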