27

I've successfully set up an AWS Cognito environment that runs on Localhost following this tutorial.

For the next step, I published the app to my external web server. I confirmed that the Cognito configuration (i.e. Client ID, Metadata Address, Region, etc.) is correct. However, when I access and try to sign into the newly published public site I receive the following error: "Client is not enabled for OAuth2.0 flows."


EDIT:

Here are my App Client Settings

App Client Settings

I would like help with what I should look into in the AWS Cognito config or the Server config settings. The server is NOT using a load balancer. I believe the issue may lie somewhere in the Reverse Proxy or HTTPS settings.

objectively C

6 Answers

47

I have seen this issue before. When making the request to Cognito, please take a close look at the redirect URL / callback URL you are specifying. If I remember correctly, I have seen this issue if you have a trailing '/' or a missing '/' in the redirect URL, depending on what you have specified in the App Client Settings.

callo
31

This also occurs when you set up Cognito using CloudFormation or AWS SAM and forgot to set the AllowedOAuthFlowsUserPoolClient property to true.

Resources:
  FooBarUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      AllowedOAuthFlowsUserPoolClient: True # Set here
hakatashi
13

TLDR: In addition to previous answers, make sure your callback URL is in lower case.

Long Answer: I encountered the same error. In my case, I had copied the DNS name of my Application Load Balancer from the description window of the Load Balancer page, where there was varied casing.

So I put the below into the callback URL and encountered the error in question:

https://*AppLBTest*-123456123456.ap-southeast-1.elb.amazonaws.com/oauth2/idpresponse

After changing the callback URL to the below, auth worked as expected:

https://*applbtest*-123456123456.ap-southeast-1.elb.amazonaws.com/oauth2/idpresponse
Saeed Nasehi
Tsdev
12

I understand OP has not asked to use Terraform for this issue, but it might help someone in the future who is using Terraform to create a Cognito user pool client. If you are getting this issue, like me, while using Terraform, make sure to set allowed_oauth_flows_user_pool_client to true. For example, like this:

resource "aws_cognito_user_pool_client" "client" {
  name = "<your user pool client name>"
...
  allowed_oauth_flows_user_pool_client = true
}

Here is the link to the Terraform doc for creating a user pool client.

And here is the link to the AWS doc where it says you have to set the attribute AllowedOAuthFlowsUserPoolClient to true. This attribute maps to the same allowed_oauth_flows_user_pool_client = true in Terraform.

Suraj Pandey
1

For those of you coming here and seeing the CloudFormation answer above, this is also true if you update the UserPoolClient via the CLI as follows:

aws cognito-idp update-user-pool-client --user-pool-id "USER_POOL_ID" --client-id "CLIENT_ID" \
  --callback-urls "https://URL_1/" "http://URL_2/" --supported-identity-providers "IDP_NAME" \
  --allowed-o-auth-flows "code" --allowed-o-auth-scopes "SCOPE"

The issue is that (and it all looks OK from the console) the client is not enabled for OAuth2 flows if not explicitly specified. From the doc:

Warning: If you don't provide a value for an attribute, it will be set to the default value.

... for:

--allowed-o-auth-flows-user-pool-client

the default is not present, so you need to ensure that you add the parameter. The correct call is:

aws cognito-idp update-user-pool-client --user-pool-id "USER_POOL_ID" --client-id "CLIENT_ID" \
  --callback-urls "https://URL_1/" "http://URL_2/" --supported-identity-providers "IDP_NAME" \
  --allowed-o-auth-flows "code" --allowed-o-auth-scopes "SCOPE" --allowed-o-auth-flows-user-pool-client

Hope this helps someone else landing here ...
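As an added example (not code from any of the answers above), a small offline check of an app client description, in the shape of `aws cognito-idp describe-user-pool-client` output, against the three pitfalls raised in this thread: the AllowedOAuthFlowsUserPoolClient flag left at its default, a callback URL that differs only by trailing slash or by case, and a non-HTTPS redirect. The SAMPLE_CLIENT dict and the URLs are constructed for illustration.

```python
"""Offline check of a Cognito app client against the settings this thread says must
line up: AllowedOAuthFlowsUserPoolClient, an exact CallbackURLs match (trailing slash,
case) and HTTPS. Added example; SAMPLE_CLIENT is constructed to mirror the shape of
`aws cognito-idp describe-user-pool-client` output, not taken from a real pool."""
from urllib.parse import urlsplit


def check_oauth_client(desc: dict, redirect_uri: str) -> list[str]:
    """Return findings explaining why Cognito would reject redirect_uri; [] means OK."""
    client = desc.get("UserPoolClient", desc)  # raw CLI output or just the inner dict
    findings = []
    # Omitted in CloudFormation/Terraform/CLI -> false -> "not enabled for OAuth2.0 flows".
    if not client.get("AllowedOAuthFlowsUserPoolClient", False):
        findings.append("AllowedOAuthFlowsUserPoolClient is not true")
    if not client.get("AllowedOAuthFlows"):
        findings.append("AllowedOAuthFlows is empty: no code or implicit flow enabled")
    # Cognito compares redirect_uri to CallbackURLs literally; diagnose the near misses.
    callbacks = client.get("CallbackURLs", [])
    if redirect_uri not in callbacks:
        near = []
        for cb in callbacks:
            if cb.rstrip("/") == redirect_uri.rstrip("/"):
                near.append(f"trailing-slash mismatch with configured {cb!r}")
            elif cb.lower() == redirect_uri.lower():
                near.append(f"case mismatch with configured {cb!r}")
        findings.extend(near or [f"{redirect_uri!r} is not in CallbackURLs"])
    # Cognito accepts plain http only for localhost; a public site must redirect over HTTPS.
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" and parts.hostname != "localhost":
        findings.append(f"redirect_uri scheme {parts.scheme!r} is not https")
    return findings


# Constructed sample: deployed from a template that omitted the flag and registered
# the load-balancer hostname with mixed case, as described in the thread.
SAMPLE_CLIENT = {
    "UserPoolClient": {
        "AllowedOAuthFlows": ["code"],
        "AllowedOAuthScopes": ["openid"],
        "CallbackURLs": [
            "https://AppLBTest-123456123456.ap-southeast-1.elb.amazonaws.com/oauth2/idpresponse",
            "http://localhost:5000/signin-oidc/",
        ],
    }
}

if __name__ == "__main__":
    uri = "https://applbtest-123456123456.ap-southeast-1.elb.amazonaws.com/oauth2/idpresponse"
    print(check_oauth_client(SAMPLE_CLIENT, uri) or ["OK"])
```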

-1

This issue was not a Cognito problem but rather an IIS and HTTPS issue. Make sure your servers are completely HTTPS if you plan to use this AWS service. Leave comments with any questions.

objectively C