CreateUserPoolClientCommand using oauth & client credentials incorrectly returns invalid_grant error until I edit in the console

[bee-drouen]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

When I try to create a cognito app client via the SDK, it successfully adds the client but I can't use it for oauth as I receive invalid_grant

If I then manually edit the created client login pages screen without making any changes, I am able to connect just fine

Regression Issue

• Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/client-cognito-identity-provider@3.828.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

Via a lambda, Node.js 22.x, arn:aws:lambda:eu-west-1::runtime:7380cd97a4dc4552c08aa3ecd40a634ea0a354f2be17845e3f635af2a55a0403

Reproduction Steps

I am using a Cognito User Pool with a custom domain attached, and I want to be able to create new App Clients with code

Minimal Example

  const cognitoClient = new CognitoIdentityProviderClient({
    region: 'eu-west-1',
  })

  const userPoolClient = await cognitoClient.send(new CreateUserPoolClientCommand({
    ClientName: 'Example Client',
    UserPoolId: userPoolId, // this is a valid userPoolId
    EnableTokenRevocation: true,
    AllowedOAuthFlows: ['client_credentials'],
    AllowedOAuthScopes: ['resource-server/all'], // I have only tested with 5 oauth scopes attached
    GenerateSecret: true,
    SupportedIdentityProviders: ['COGNITO'],
  }))

When I run the above, a user pool client is created and the settings all look correct, but when I try to connect to it using the credentials in cognito, and via my custom domain, I receive:

{"error":"invalid_grant"}

If I visually compare the newly created app client with one I am able to oauth into, they appear to be identically configured

If I then:

• Go into the aws console
• Navigate to cognito => user pools => {user pool name} => App Clients => Example Client => Login pages
• I click 'Edit'
• I make zero changes on this page
• I save my changes

Then when I retry the exact same request to oauth into the user pool, it now works

Observed Behavior

The client credentials oauth fails with reason invalid_grant, unless I manually edit in login_pages

Expected Behavior

To be able to connect without having to manually edit

Possible Solution

My main theory is that clicking edit on the login pages either:

• Performs some additional validation, fixing a subtle error I'm not seeing without user input, OR
• Wipes out a cache in cloudfront that means I'm now able to connect with the new client

Whatever it does differently, CreateUserPoolClientCommand should probably do the same

Additional Information/Context

I did try to make a no-op edit using UpdateUserPoolClientCommand, but that didn't work

The use of a custom domain may be relevant

[bee-drouen]

After circling back this week, it seems if I add

AllowedOAuthFlowsUserPoolClient: true

To the CreateUserPoolClientCommand payload, I am able to create the user pool & immediately use it via postman oauth

This is from the current API reference docs here: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html

Set to true to use OAuth 2.0 authorization server features in your app

This parameter must have a value of true before you can configure the following features in your app client.

• CallBackURLs: Callback URLs.
• LogoutURLs: Sign-out redirect URLs.
• AllowedOAuthScopes: OAuth 2.0 scopes.
• AllowedOAuthFlows: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.
• To use authorization server features, configure one of these features in the Amazon Cognito console or set AllowedOAuthFlowsUserPoolClient to true in a CreateUserPoolClient or UpdateUserPoolClient API request. If you don't set a value for AllowedOAuthFlowsUserPoolClient in a request with the AWS CLI or SDKs, it defaults to false. When false, only SDK-based API sign-in is

Type: Boolean

Required: No

I did miss that the field was required, but I think it will make for a nicer developer experience if sending the command with AllowedOauthFlows etc. without AllowedOAuthFlowsUserPoolClient present throws an error, since it seems that's a misconfiguration

[aBurmeseDev]

Hi @bee-drouen - thanks for reaching out and also appreciate you for reporting back.

Apologies for the confusion around AllowedOAuthFlowsUserPoolClient although it looks like it's specified in the service API model, see here. These changes are only made by service team upstream and we (SDK) don't make any changes to the generated client models, unfortunately.

However, I can probably pass this feedback to service team internally to improve developer experience. Please let me know if you have any other questions here.

[github-actions]

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.