TIP: Using AWS Cognito User pool for API Authorization
There are plenty of sites that explain how to do API authorization using an AWS Cognito User Pool.
In spite of following all of them, some of you might still get this dreaded error when calling the API with the Authorization header, both inside the AWS API Gateway console and via Postman:
{
"message": "Unauthorized"
}
x-amzn-ErrorType — NotAuthorizedException
I spent some five straight days debugging (during my office breaks) to no avail. Luckily, while running an AWS CLI command to generate a token, I got the error below.
An error occurred (NotAuthorizedException) when calling the InitiateAuth operation: Unable to verify secret hash for client
Searching for this error I reached a post on Stack Overflow where someone had written the following:
It seems that currently AWS Cognito doesn’t handle client secrets perfectly. It will work in the near future, but as for now it is still a beta version. For me it is working fine for an app without a client secret but fails for an app with a client secret. So in your user pool try to create a new app without generating a client secret. Then use that app to sign up a new user or to confirm registration.
Then it hits you: OMG, I had clicked on “Generate Secret Key” while adding a new client in the user pool’s Add Client section.
I created a new user pool with another app client, this time without generating a client secret, and life was finally good: I got the proper 200 OK response! So if you do not need the client secret, you can simply leave it disabled and not generate one. I haven’t dug deep into what is causing this issue, but I will do so soon and will also check with the internal AWS team to understand it better.
Please note that if you are building an app that connects to Cognito, a client secret becomes necessary, as it is part of the OAuth protocol.
BTW, I don’t think I have seen any tutorial out there in the wild that explains how to use the hosted UI generated by Cognito (using OAuth) for user sign-in and so on. It seems like a cool option if you want to avoid the AWS CLI or client SDK programs for generating tokens, changing passwords, etc. I can do a tutorial on that if I get at least 15 claps for this story :).
Hope this helps. Till then!