amplify-js: cognito-idp.eu-central-1.amazonaws.com: Access Token does not have required scopes (Http - 400)

**Which Category is your question related to?** Auth

**What AWS Services are you utilizing?** AWS Cognito

**Provide additional details e.g. code snippets** For some requests to “cognito-idp.eu-central-1.amazonaws.com” I get the error:

x-amzn-errormessage: Access Token does not have required scopes
x-amzn-errortype: NotAuthorizedException:

I think that the call Auth.currentSession has this consequence.

Request Header:

Content-Type: application/x-amz-json-1.1
Origin: http://localhost:4200
Referer: http://localhost:4200/admin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
X-Amz-Target: AWSCognitoIdentityProviderService.GetUser
X-Amz-User-Agent: aws-amplify/0.1.x js

Request Payload:

AccessToken: "MyAccessToken"

Response Header:

access-control-allow-origin: *
access-control-expose-headers: x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date
content-length: 90
content-type: application/x-amz-json-1.1
date: Mon, 15 Oct 2018 15:25:00 GMT
status: 400
x-amzn-errormessage: Access Token does not have required scopes
x-amzn-errortype: NotAuthorizedException:
x-amzn-requestid: My Request ID

General:

Request URL: https://cognito-idp.eu-central-1.amazonaws.com/
Request Method: POST
Status Code: 400
Remote Address: Remote-Address
Referrer Policy: no-referrer-when-downgrade

The amplify Configuration (manual):

import Amplify from 'aws-amplify';

// config: the project's own helper that reads the environment-specific values
let amplifyConfig = {
  aws_appsync_graphqlEndpoint: config.getAppsyncConfig("aws_appsync_graphqlEndpoint"),
  aws_appsync_region: config.getAppsyncConfig("aws_appsync_region"),
  aws_appsync_authenticationType: config.getAppsyncConfig("aws_appsync_authenticationType"),
  aws_appsync_apiKey: config.getAppsyncConfig("aws_appsync_apiKey"),
  Auth: {
    identityPoolId: config.getCognitoConfig("identityPool"),

    // REQUIRED - Amazon Cognito Region
    region: config.getCognitoConfig("region"),

    // OPTIONAL - Amazon Cognito User Pool ID
    userPoolId: config.getCognitoConfig("userPool"),

    // OPTIONAL - Amazon Cognito Web Client ID (26-char alphanumeric string)
    userPoolWebClientId: config.getCognitoConfig("userPoolClient"),
  },
  Analytics: {
    disabled: true,
  },
  API: {
    graphql_endpoint: config.getAppsyncConfig("aws_appsync_graphqlEndpoint"),
    aws_appsync_region: config.getCognitoConfig("region"),
    aws_appsync_authenticationType: 'AMAZON_COGNITO_USER_POOLS', // Auth is configured with an Amazon Cognito User Pool ID and Web Client ID
  }
};

Amplify.configure(amplifyConfig);

On the configured Identity Pool, “Enable access to unauthenticated identities” is activated. The UnauthRole has the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Call stack in the browser:

zone.js:1050 POST https://cognito-idp.eu-central-1.amazonaws.com/ 400
(anonymous) @ zone.js:1050
request @ Client.js:47
refreshSession @ CognitoUser.js:1210
getSession @ CognitoUser.js:1171
(anonymous) @ Auth.js:951
push../node_modules/zone.js/dist/zone.js.ZoneDelegate.invoke @ zone.js:388
onInvoke @ core.js:3820
push../node_modules/zone.js/dist/zone.js.ZoneDelegate.invoke @ zone.js:387
push../node_modules/zone.js/dist/zone.js.Zone.run @ zone.js:138
(anonymous) @ zone.js:872
push../node_modules/zone.js/dist/zone.js.ZoneDelegate.invokeTask @ zone.js:421
onInvokeTask @ core.js:3811
push../node_modules/zone.js/dist/zone.js.ZoneDelegate.invokeTask @ zone.js:420
push../node_modules/zone.js/dist/zone.js.Zone.runTask @ zone.js:188
drainMicroTaskQueue @ zone.js:595
Promise.then (async)
scheduleMicroTask @ zone.js:578
push../node_modules/zone.js/dist/zone.js.ZoneDelegate.scheduleTask @ zone.js:410
push../node_modules/zone.js/dist/zone.js.Zone.scheduleTask @ zone.js:232
push../node_modules/zone.js/dist/zone.js.Zone.scheduleMicroTask @ zone.js:252
scheduleResolveOrReject @ zone.js:862
ZoneAwarePromise.then @ zone.js:962
ZoneAwarePromise.catch @ zone.js:967
authEvent @ index.js:88
push../node_modules/@aws-amplify/analytics/lib/index.js.Analytics.onHubCapsule @ index.js:39
(anonymous) @ Hub.js:62
push../node_modules/@aws-amplify/core/lib/Hub.js.HubClass.toListeners @ Hub.js:60
push../node_modules/@aws-amplify/core/lib/Hub.js.HubClass.dispatch @ Hub.js:35
dispatchAuthEvent @ Auth.js:55
push../node_modules/@aws-amplify/auth/lib/Auth.js.AuthClass.configure @ Auth.js:186
(anonymous) @ Amplify.js:25
push../node_modules/@aws-amplify/core/lib/Amplify.js.Amplify.configure @ Amplify.js:24
./src/main.ts @ main.ts:45
__webpack_require__ @ bootstrap:76
0 @ main.ts:109
__webpack_require__ @ bootstrap:76
checkDeferredModules @ bootstrap:43
webpackJsonpCallback @ bootstrap:30
(anonymous) @ main.js:1

At the IdentityPool a UserPool is configured as Authentication Provider.

How can I solve this issue?

About this issue

  • State: closed
  • Created 6 years ago
  • Reactions: 2
  • Comments: 18 (3 by maintainers)

Most upvoted comments

@ChrisWun I just had this issue too. I checked “aws.cognito.signin.user.admin” under the “Allowed OAuth Scopes”, which didn’t fix the issue by itself. I also had to add “aws.cognito.signin.user.admin” to the scopes in the login URL.

Hey there Chris,

I just ran into this. In our case it was that the “aws.cognito.signin.user.admin” under “Allowed OAuth Scopes” under “App client settings” of the pool was unchecked and checking that fixed it for us.

Good luck!

Cheers,

Mark C

PS we were using the hosted UI, cognito pool login

Is it a good idea to use this scope for tokens just to avoid this error? If this scope is not used, it seems like the library should avoid making this request.

Is enabling this scope safe?

The aws.cognito.signin.user.admin scope grants access to Amazon Cognito User Pool API operations that require access tokens, such as UpdateUserAttributes and VerifyUserAttribute.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html
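A diagnostic for the scope question raised in these comments, added here as an example and not code from the issue or from amplify-js: it decodes a Cognito access token's payload and checks whether the `scope` claim includes aws.cognito.signin.user.admin, the scope the GetUser call in the trace above requires. The sample tokens, their `kid`/`client_id` values and the signature are constructed placeholders, and the decoding does not verify the signature.

```javascript
const REQUIRED_SCOPE = 'aws.cognito.signin.user.admin';

// JWT segments are base64url without padding; restore standard base64 for Buffer.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload segment only. This does not verify the signature, so the
// result is good for diagnosing a 400 like the one above, never for authorization.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS with 3 segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Cognito access tokens carry their scopes as one space-separated "scope" claim.
function tokenScopes(token) {
  const { scope } = decodeJwtPayload(token);
  return typeof scope === 'string' ? scope.split(' ').filter(Boolean) : [];
}

// GetUser (the call behind the 400 in the trace) needs the user.admin scope.
function canCallGetUser(token) {
  return tokenScopes(token).includes(REQUIRED_SCOPE);
}

// Constructed sample tokens with a fake signature and placeholder claim values.
function makeFakeToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', kid: 'placeholder-kid' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.fake-signature`;
}

const withAdminScope = makeFakeToken({
  token_use: 'access', client_id: 'placeholder-client-id',
  scope: 'openid email aws.cognito.signin.user.admin',
});
const withoutAdminScope = makeFakeToken({
  token_use: 'access', client_id: 'placeholder-client-id',
  scope: 'openid email',
});

console.log(canCallGetUser(withAdminScope), canCallGetUser(withoutAdminScope)); // true false
```

Paste a real access token from the browser's network tab in place of the constructed ones to see whether the 400 is explained by a missing scope rather than by the Identity Pool or IAM policy shown earlier.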