C#•2mo ago

AWS Cognito as IDP - Federated Auth flow - token endpoint from API

Hi, I am running an Angular app backed with ASP.NET 8.0 API. I am to implement Fed.Auth flow - first provider would be Microsoft Entra(AD). I am using Cognito as IDP for classic username+password flow. I have set up Cognito, Cognito App client. Having clientId, secret, scopes, etc. The authorization works well (I am getting redirected to Entra auth page when redirecting the user in the browser to Cognito's /authorize endpoint. Also, getting redirected back to my Angular client app landing page (ie.: /authenticated) with the authorization code. (I am using responseType = 'code;). I am having difficulties with /token endpoint of Cognito. Calling this endpoint from Postman I get the desired response, but from backend API..

var encoder = UrlEncoder.Default;

var client_id = encoder.Encode(signInExperience.ClientId!);
var redirect_uri = encoder.Encode(signInExperience.RedirectUri!);
var code = encoder.Encode(request.AuthorizationCode!);

var content = new Dictionary<string, string>
{
    { "grant_type", "authorization_code" },
    { "client_id",  client_id },
    { "redirect_uri", redirect_uri },
    { "code",  code },
    { "scope", "email" }
};

var response = new HttpResponseMessage(System.Net.HttpStatusCode.InternalServerError);

HttpClient client = httpClientFactory.CreateClient(Constants.HTTP_CLIENT_NAME);

var httpRequest = new HttpRequestMessage(HttpMethod.Post, endpoint);

httpRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/x-www-form-urlencoded"));
httpRequest.Content = new FormUrlEncodedContent(content);

var credentials = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{signInExperience!.ClientId}:{signInExperience!.ClientSecret}"));
httpRequest.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);

await Console.Out.WriteLineAsync(JsonSerializer.Serialize(httpRequest));

response = await client.SendAsync(httpRequest);

var encoder = UrlEncoder.Default;

var client_id = encoder.Encode(signInExperience.ClientId!);
var redirect_uri = encoder.Encode(signInExperience.RedirectUri!);
var code = encoder.Encode(request.AuthorizationCode!);

var content = new Dictionary<string, string>
{
    { "grant_type", "authorization_code" },
    { "client_id",  client_id },
    { "redirect_uri", redirect_uri },
    { "code",  code },
    { "scope", "email" }
};

var response = new HttpResponseMessage(System.Net.HttpStatusCode.InternalServerError);

HttpClient client = httpClientFactory.CreateClient(Constants.HTTP_CLIENT_NAME);

var httpRequest = new HttpRequestMessage(HttpMethod.Post, endpoint);

httpRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/x-www-form-urlencoded"));
httpRequest.Content = new FormUrlEncodedContent(content);

var credentials = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{signInExperience!.ClientId}:{signInExperience!.ClientSecret}"));
httpRequest.Headers.Authorization = new AuthenticationHeaderValue("Basic", credentials);

await Console.Out.WriteLineAsync(JsonSerializer.Serialize(httpRequest));

response = await client.SendAsync(httpRequest);

6 Replies

Neophyte•2mo ago

Oidc flow docs with Cognito https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-idp.html The token endpoint docs https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

Using OIDC identity providers with a user pool - Amazon Cognito

Learn how to configure an OpenID Connect (OIDC) identity provider like Salesforce or Okta to allow users to sign in to your application using their existing accounts from those providers. Review the steps required to register the application with the OIDC provider, add the provider configuration to the Amazon Cognito user pool, and test the inte...

The token issuer endpoint - Amazon Cognito

Learn how to generate requests to the /oauth2/token endpoint for Amazon Cognito OAuth 2.0 access tokens, OpenID Connect (OIDC) ID tokens, and refresh tokens. The token endpoint returns tokens for app clients that support client credentials grants and authorization code grants.

Neophyte•2mo ago

this request results in Verify authorization token resulted in error. Status code: MethodNotAllowed (405) if I omit httpRequest.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/x-www-form-urlencoded")); the request results in BadRequest 400

Neophyte•2mo ago

PostMan request headers are

Neophyte•2mo ago

what am I missing here? why it works from postman and not from backend api call?

Neophyte•2mo ago

I assume the Authorization header value has some error. Though this is a weak assumption, but omitting Authorization header element results the same error.

Neophyte•2mo ago

I have found the problem. Postman cut the trailing / from the redirect URI parameter, while in the backend API request it wasn't. The trailing / was considered an invalid parameter (in Cognito application, the redirect URI was registered without the trailing slash. Fixing it solved the issue...

Gaming

Programming

AWS Cognito as IDP - Federated Auth flow - token endpoint from API