I am running a working AWS Cognito service on a frontend application which can successfully do the basic stuff - login, logout, signup, etc..
Right now I am trying to get user attributes through the backend API, such that:
1) The user login in the application and gets a JWT.
2) The JWT is being sent to the backend server.
3) The server has to extract the email of the user by using the access token
The closest thing that I found to what I need is this Cognito service.
So I am making a GET request to "https://mydomain.auth.eu-central-1.amazoncognito.com/oauth2/userInfo" With Authorization Header as they are asking for, but I keep getting this response:
{ "error": "invalid_token", "error_description": "Access token does not contain openid scope" }
I have tried searching for this error but couldn't find any explanation about the error.
Thanks by advance
OpenID Connect is an open standard for authentication that a number of login providers support. Amazon Cognito supports you to link identities with OpenID Connect providers that you configure through AWS Identity and Access Management .
The ID token contains claims about the identity of the authenticated user, such as name and email. The access token contains claims about the authenticated user, a list of the user's groups, and a list of scopes. Amazon Cognito also has tokens that you can use to get new tokens or revoke existing tokens.
OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's details, like name and picture. Each scope returns a set of user attributes, which are called claims. The scopes an application should request depend on which user attributes the application needs.
Erez, are you using a custom UI? Because the custom UI uses flows that are completely separated from the OAuth2 ones (USER_SRP_AUTH, USER_PASSWORD_AUTH). Tokens that are released with these flows are not OpenID Connect compliant (basically they don't contain the openid scope) so you cannot use them to gather user infos (since the userinfo endpoint is OpenID Connect compliant and needs to be invoked with jwts compliant with OIDC standard). We're also struggling on that, i'm sorry.
I had this exact problem and it was my fault. I was sending the id_token instead of access_token property of the token.
I program in PHP, so I was sending as header "Authorization: Bearer ".$token->id_token instead of "Authorization: Bearer ".$token->access_token. Now it works.
Hope it helps you or someone.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With