amplify-js: Federated user fails to update mutable attributes with a 400 response: "Access Token does not have required scopes"
Describe the bug
Using “aws-amplify”: “3.0.22”, when a federated user from an external identity provider (e.g. Google) tries to update a mutable (in my case custom) attribute, they get a 400 error as follows:
code: "NotAuthorizedException" message: "Access Token does not have required scopes" name: "NotAuthorizedException"
Please note that an internal user can successfully update the attribute and hence, all the scopes on the client and Cognito sides are set correctly.
To Reproduce
Steps to reproduce the behavior:
- Set up an external identity provider, e.g. Google, and enable it in the app client settings
- Configure the right readable and writable attributes
- Use the following code to update an attribute

    import { Auth } from 'aws-amplify';

    const user = await Auth.currentAuthenticatedUser();
    const result = await Auth.updateUserAttributes(user, { 'custom:role': 'myRole' });
Expected behavior
Be able to update a mutable attribute which is not mapped from the external identity provider.
Observed behavior
400 response code:

    https://cognito-idp.ap-southeast-2.amazonaws.com/ 400
    (anonymous) @ VM284:1
    request @ Client.js:101
    updateAttributes @ CognitoUser.js:1011
    (anonymous) @ Auth.ts:1035
    Promise.then (async)
    (anonymous) @ Auth.ts:1025
    AuthClass.updateUserAttributes @ Auth.ts:1024
    (anonymous) @ authSlice.js:214
    async function (async)
    (anonymous) @ authSlice.js:213
    (anonymous) @ index.js:8
    (anonymous) @ immutableStateInvariantMiddleware.ts:262
    dispatch @ VM287:1
    handleSetRole @ Role.js:23
    onClick @ Role.js:55
    onClick @ Button.js:52
    callCallback @ react-dom.development.js:188
    invokeGuardedCallbackDev @ react-dom.development.js:237
    invokeGuardedCallback @ react-dom.development.js:292
    invokeGuardedCallbackAndCatchFirstError @ react-dom.development.js:306
    executeDispatch @ react-dom.development.js:389
    executeDispatchesInOrder @ react-dom.development.js:411
    executeDispatchesAndRelease @ react-dom.development.js:3278
    executeDispatchesAndReleaseTopLevel @ react-dom.development.js:3287
    forEachAccumulated @ react-dom.development.js:3259
    runEventsInBatch @ react-dom.development.js:3304
    runExtractedPluginEventsInBatch @ react-dom.development.js:3514
    handleTopLevel @ react-dom.development.js:3558
    batchedEventUpdates$1 @ react-dom.development.js:21871
    batchedEventUpdates @ react-dom.development.js:795
    dispatchEventForLegacyPluginEventSystem @ react-dom.development.js:3568
    attemptToDispatchEvent @ react-dom.development.js:4267
    dispatchEvent @ react-dom.development.js:4189
    unstable_runWithPriority @ scheduler.development.js:653
    runWithPriority$1 @ react-dom.development.js:11039
    discreteUpdates$1 @ react-dom.development.js:21887
    discreteUpdates @ react-dom.development.js:806
    dispatchDiscreteEvent @ react-dom.development.js:4168
    authSlice.js:220 {code: "NotAuthorizedException", name: "NotAuthorizedException", message: "Access Token does not have required scopes"}
What is Configured?

    {
      Auth: {
        identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',
        region: 'XX-XXXX-X',
        identityPoolRegion: 'XX-XXXX-X',
        userPoolId: 'XX-XXXX-X_abcd1234',
        userPoolWebClientId: 'a1b2c3d4e5f6g7h8i9j0k1l2m3',
        mandatorySignIn: false,
        oauth: {
          domain: 'your_cognito_domain',
          scope: ['phone', 'email', 'profile', 'openid'],
          redirectSignIn: 'http://localhost:3000/',
          redirectSignOut: 'http://localhost:3000/',
          responseType: 'code'
        }
      }
    }
About this issue
- State: closed
- Created 4 years ago
- Reactions: 2
- Comments: 15 (3 by maintainers)
Closing this for now as we seem to have a working solution and have not heard back from the original poster. Thank you, @DeniferSantiago, for pointing out this necessary step.
If anyone else tries this and it does not work for you, please open a new issue with the details of your particular project configuration.
Hi. I too am having the same issue. I hope this gets resolved.

I'm having similar issues, but just with retrieving user attributes from my user pool. Calling Auth.userAttributes gives me the same error.
In summary, the solution is to add “aws.cognito.signin.user.admin” with "amplify update auth", selecting “Walkthrough all the auth configurations”, and in case of having custom attributes, add them manually to "parameters.json" in the Auth module.

I found a solution. I was hopeful on the @leosoaivan comment but it didn’t work for me.
I became agnostic to Cognito attributes as federated entity users couldn’t set them. Two weeks later I saw the need to update the auth module with "amplify update auth". In the process it allowed me to choose the scope (something that did not appear when adding Facebook and Google as entities for my users), among which is aws.cognito.signin.user.admin. I saw that it was not selected, as I had selected it like @ta1bbty in Cognito and apparently it was not working. After that I tried setting the gender attribute of a user started with Google and it worked. The test was done after logging into a user with Google. Previously I wanted to update some attributes just after creating the user with Facebook or Google and it returned the error
"Access Token does not have required scopes". I will try to test it in that scenario to confirm that my problem has been solved. I don’t know if any update has helped me or the solution was there before.

@pedramp20 might this be what you are looking for?

It sounds as though you may be missing the aws.cognito.signin.user.admin scope in your app client settings.
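As an added example (not code from this issue or from amplify-js), the following client-side preflight inspects the Cognito access token for the aws.cognito.signin.user.admin scope the thread identifies as missing, so a misconfigured app fails with a clear message before calling updateUserAttributes, and a helper adds that scope to the Amplify oauth scope list from the original post. The access tokens here are constructed, unsigned dummies; in a real app the token comes from Auth.currentSession(), and the app client in Cognito must also have the scope enabled.

```javascript
// Added example, not from the issue or the amplify-js project.
const REQUIRED_SCOPE = 'aws.cognito.signin.user.admin';

// Decode the payload (second segment) of a JWT without verifying it. This only
// inspects the app's own token locally; Cognito verifies the signature server-side.
// Buffer is used for a Node run; a browser build would use atob instead.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Cognito access tokens list granted scopes in a space-separated `scope` claim.
// Only access tokens count: an id token carries no scopes for this API.
function tokenScopes(accessToken) {
  const payload = decodeJwtPayload(accessToken);
  if (payload.token_use !== 'access') return [];
  return (payload.scope || '').split(' ').filter(Boolean);
}

// True when UpdateUserAttributes would be authorised with this token.
// Real app: const jwt = (await Auth.currentSession()).getAccessToken().getJwtToken();
function canUpdateAttributes(accessToken) {
  return tokenScopes(accessToken).includes(REQUIRED_SCOPE);
}

// Return the Amplify `oauth` config with the admin scope added (idempotent).
// This is the client half of the fix; the app client settings must allow it too.
function withUserAdminScope(oauthConfig) {
  const scope = oauthConfig.scope.includes(REQUIRED_SCOPE)
    ? oauthConfig.scope
    : [...oauthConfig.scope, REQUIRED_SCOPE];
  return { ...oauthConfig, scope };
}

// Constructed sample tokens (dummy header and signature) for an offline run.
function fakeAccessToken(scope) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ token_use: 'access', scope })}.sig`;
}
// Scopes as granted by the original poster's config, then with the fix applied.
const FEDERATED_TOKEN = fakeAccessToken('phone email profile openid');
const FIXED_TOKEN = fakeAccessToken(`${REQUIRED_SCOPE} phone email profile openid`);

console.log(canUpdateAttributes(FEDERATED_TOKEN), canUpdateAttributes(FIXED_TOKEN));
```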