@mj_langford x is 26 characters and y is 51 characters. I was very surprised that this narrowed down to 4 characters
Wait never mind I sorted that out and the encoded hash now looks much better. Now I am getting {"error":"invalid_grant"}
I already have a user pool that I am trying to use. I did not set one up following the instructions in this blog post. I checked through their code to the best of my ability and believe my user pool is properly configured but it might not be
I trimmed the grant_type
from client_credentials&scope=transactions%2Fpost
to client_credentials
and I'm getting a token back! The token isn't allowing me quite to do what I want and unfortunately I'm getting pulled into a meeting. Will report back!
@brian.rogers That error means your app is not allowed to use the Client Credential Oauth2 flow - a configuration setting in the Cognito User Pool. I doubt you should be using Client Credentials though. The point of a User Pool is to let Cognito handle your Oauth login flow, either through the authorization code or implicit grant types, the former being preferred. This means your JS frontend is built to route your users to Cognito for authorization (login screen) and eventually send your server application (API Gateway in this case) a access token with requests. I have not used API Gateway but can imagine it simply refers to Cognito for the validity of the received token. A more fine-grained approach is the use of Identity Pools for letting your users access AWS services with Identity Ids which can be referenced in IAM Role definitions to control access at the level of individual identity. In this scenario your frontend JS has to perform another AWS request to retrieve temporary credentials which are passed to AWS services (such as S3 and DynamoDB) instead of the access token. In short, you need to perform the proper routing on the frontend side to get an access token (try the implicit flow first), send the token within a header to API Gateway when making requests, configure API Gateway with the header-to-UserPool mapping.
I'll take a look at this. Thanks!
@mj_langford (or anyone) I'm getting a token back using the command
curl -X POST \
https://<my-domain>.<http://auth.us-east-2.amazoncognito.com/oauth2/token|auth.us-east-2.amazoncognito.com/oauth2/token> \
-H 'authorization: Basic <base64'd version of "<id>:<secret-id>"'> \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials'
However I then go to try and validate the token in apigw I get unauthorized: https://gyazo.com/b818c99e2acd46bcf3e185f20e1c2b28
I don't quite understand how I could be getting a token back from my user pool which is then rejected a moment later