2 votes

This request was working a couple of months ago, but when we tried again, directly using curl, it now returns an invalid_grant. I have been trying to search the documentation, but only see the following words without any exact reasons why:

invalid_grant

  • Refresh token has been revoked.
  • Authorization code has been consumed already or does not exist.

The client settings are as follows.

curl -X POST https://test-sso.auth.amazoncognito.com/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code&client_id=xxxxxxx&redirect_uri=https%3A%2F%2F1c2d5a1xxxx.ngrok.io&code=SjkkDSSDs-b2A7nJPi3cmItyRZU4-b3GMjLls&code_verifier=sdXXXXXbUR2RmFIaTVQaVpTdndLOWoxOFU9Ig"

Has someone experienced this lately or resolved this issue? I realized that even after removing the PKCE, it still returns invalid_grant.

Many thanks

Did you check whether the Authorization Code grant is enabled on the client? – Arun K
Yes, it's on. Allowed OAuth Flows: (checked) Authorization code grant, (unchecked) Implicit grant, (unchecked) Client credentials. – Louie Miranda
You should have a secret generated for this client for the authorization grant to work. Can you confirm that? – Arun K
Under "General" -> App Clients, "App client secret" says "(no secret key)". Is that correct? – Louie Miranda
@LouieMiranda it would be nice if you could document that missing step for posterity. – Jack7

1 Answer

0 votes

You don't need a client secret when using PKCE, which is explicitly designed for UI clients that can't keep one.

Your request and the overall behaviour both look entirely correct:

  • An Authorization Code can be used once only
  • If you try to use it again you get an invalid_grant error

Are you getting errors in real UIs or only with a cURL command? If it helps you can run my Sample UI and trace the HTTP messages, then compare to your own solution.
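The answer above describes the flow but does not show it end to end. The following is an added example, not code from the question, the answer or AWS: it generates a PKCE code_verifier and its S256 code_challenge (RFC 7636), builds the Cognito /oauth2/authorize URL that the browser must visit, and builds the same /oauth2/token request the question sends with curl, treating an invalid_grant response as the single-use / mismatch failure the answer describes. The domain, client_id and redirect_uri are placeholders copied from the question, the verifier in the docstring is the worked value from RFC 7636 Appendix B, and a public app client with no secret is assumed (an app client that was issued a secret must instead send it as HTTP Basic client authentication on the token endpoint, which this example does not do).

```python
import base64
import hashlib
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request

# Placeholder values taken from the question; replace with your own app client.
COGNITO_DOMAIN = "https://test-sso.auth.amazoncognito.com"
CLIENT_ID = "xxxxxxx"
REDIRECT_URI = "https://1c2d5a1xxxx.ngrok.io"


def make_code_verifier() -> str:
    """Fresh high-entropy verifier: 32 random bytes, base64url without padding
    gives 43 characters from the RFC 7636 unreserved set [A-Za-z0-9-._~]."""
    return secrets.token_urlsafe(32)


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier))) with padding stripped.
    For the RFC 7636 Appendix B verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
    this must yield E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(verifier: str, state: str, scope: str = "openid") -> str:
    """Step 1: the browser is sent here; Cognito redirects back with ?code=...&state=..."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,  # bind the callback to this session; verify it on return
        "code_challenge_method": "S256",
        "code_challenge": code_challenge_s256(verifier),
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?" + urllib.parse.urlencode(params)


def build_token_request(code: str, verifier: str) -> urllib.request.Request:
    """Step 2: the same form body the question sends with curl, with redirect_uri
    percent-encoded by urlencode exactly as the curl command does by hand."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must match the authorize request byte for byte
        "code": code,
        "code_verifier": verifier,     # the plaintext verifier, not the challenge
    }).encode("ascii")
    return urllib.request.Request(
        f"{COGNITO_DOMAIN}/oauth2/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def exchange_code(code: str, verifier: str) -> dict:
    """Perform the exchange. An authorization code is single-use, so replaying the
    same code (as the question's repeated curl does) or sending a verifier that does
    not hash to the challenge both come back as HTTP 400 {"error": "invalid_grant"}."""
    req = build_token_request(code, verifier)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)  # id_token, access_token, refresh_token, ...
    except urllib.error.HTTPError as e:
        err = json.load(e)
        if err.get("error") == "invalid_grant":
            raise RuntimeError(
                "invalid_grant: code already consumed, expired or never issued, "
                "or code_verifier does not match the code_challenge sent to /authorize"
            ) from e
        raise


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print("Open in a browser:", build_authorize_url(verifier, state))
    print("Then call exchange_code(<code from the callback>, verifier) once.")
```

Keep the verifier and state server side (or in the SPA's session storage) between the two steps: a verifier generated at exchange time cannot match the challenge sent earlier, and each code you receive can be exchanged exactly once.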