AWS Cognito Token with Authorization Code Grant PKCE returns {"error":"invalid_grant"}
This request was working a couple of months ago, but when we tried again, directly using curl, it now returns invalid_grant. I have been trying to search the documentation, but only see the following words without any exact reasons why:

invalid_grant

  • Refresh token has been revoked.
  • Authorization code has been consumed already or does not exist.

The client settings are as follows.

[Screenshot of the app client settings; image not reproduced]

curl -X POST https://test-sso.auth.amazoncognito.com/oauth2/token \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=authorization_code&client_id=xxxxxxx&redirect_uri=https%3A%2F%2F1c2d5a1xxxx.ngrok.io&code=SjkkDSSDs-b2A7nJPi3cmItyRZU4-b3GMjLls&code_verifier=sdXXXXXbUR2RmFIaTVQaVpTdndLOWoxOFU9Ig"

Has anyone experienced this lately or resolved this issue? I realized that even after removing PKCE, it still returns invalid_grant.

Many thanks

Gomez answered 5/8, 2020 at 4:1 Comment(8)
Indicative: did you check whether the Authorization Code grant is enabled on the client?
Gomez: yes, it's on. Allowed OAuth Flows - (checked) Authorization code grant, (unchecked) Implicit grant, (unchecked) Client credentials.
Indicative: you should have a secret generated for this client for the authorization grant to work. Can you confirm that?
Gomez: Under "General" -> App Clients, "App client secret" says "(no secret key)". Is that correct?
Indicative: you need a secret generated for the authorization code grant, if I remember correctly.
Gomez: I eventually resolved this issue. There was a missing step that I missed as part of PKCE.
Phlebitis: @LouieMiranda it would be nice if you could document that missing step for posterity.
Advocate: Just a heads up; a client secret IS NOT necessary for the auth code flow with PKCE, as suggested by @ArunKamalanathan.
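An added example (not code from the question or from AWS) showing the PKCE steps that the curl call above assumes have already happened: generating the verifier/challenge pair, binding the challenge to the authorize request, and building the single-use token exchange. The domain, client id and redirect URI are the placeholders from the question, not real values.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Placeholder values taken from the question; substitute your own user pool
# domain, app client id and registered callback URL.
COGNITO_DOMAIN = "https://test-sso.auth.amazoncognito.com"
CLIENT_ID = "xxxxxxx"
REDIRECT_URI = "https://1c2d5a1xxxx.ngrok.io"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.
    32 random bytes give a 43-character verifier, within the 43..128 range."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(challenge: str, state: str) -> str:
    """Step 1: send the browser here. Cognito binds the challenge to the code
    it issues; omitting this step leaves nothing for code_verifier to match."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": challenge,
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def build_token_request(code: str, verifier: str) -> Dict[str, str]:
    """Step 2: form body for POST /oauth2/token. The code is single-use, so a
    failed or repeated exchange returns invalid_grant; redirect_uri must
    match the value used in step 1 byte for byte."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }
```

No client secret appears anywhere in the body, which is the point the comments above make: with PKCE the verifier takes its place.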
I don't use PKCE to grant tokens; however, I was having the same issue. Then I found in the AWS docs that there are 3 reasons that cause this error:

  1. Refresh token has been revoked
  2. Authorization code has been consumed already or does not exist.
  3. App client doesn't have read access to all attributes in the requested scope. For example, your app requests the email scope and your app client can read the email attribute, but not email_verified.

Reference: Token Endpoint > Examples of negative responses

In my case the problem was that I needed to provide read access to all attributes in the User Pool Client > OpenID Connect scopes and User Pool Client > Custom scopes.

Dubbin answered 20/9, 2023 at 17:9 Comment(0)
The documentation says that you can get invalid_grant when the authorization code has been consumed already or does not exist.

You might have sent an incorrect token request before, which then invalidated the authorization_code. Make sure to use a freshly generated authorization_code.

Rafiq answered 16/8, 2022 at 12:12 Comment(0)
You don't need a client secret when using PKCE, which is explicitly designed for UI clients that can't keep one.

Your request and the overall behaviour both look entirely correct:

  • An Authorization Code can be used once only
  • If you try to use it again you get an invalid_grant error

Are you getting errors in real UIs or only with a cURL command? If it helps you can run my Sample UI and trace the HTTP messages, then compare to your own solution.

Migrant answered 5/8, 2020 at 12:39 Comment(0)
In my case, this one was happening because this scope was not selected.

Parker answered 21/9, 2023 at 3:43 Comment(2)
Affra: In my case, because allowed scopes were not set in the user pool's app client's hosted UI: aws cognito-idp describe-user-pool-client --query UserPoolClient.AllowedOAuthScopes
Affra: In my case, I didn't have AllowedOAuthScopes and AllowedOAuthFlowsUserPoolClient set.
