invalid_request error on AWS Cognito Custom UI Page

Question

when going to the custom AWS Cognito UI Page:

https://<your_domain>/login?response_type=code&client_id=<your_app_client_id>

am getting the following error:

An error was encountered with the requested page.

View error

invalid_request

Answer 1

O-Auth options need to be check as shown in the following picture

from https://aws.amazon.com/blogs/aws/launch-amazon-cognito-user-pools-general-availability-app-integration-and-federation/

Answer 2

You need the following in the App client Settings of your user pool:

• Enable Cognito User Pool as "Identity Provider".
• Allowed "OAuth Scopes" should have openid enabled.

Answer 3

In my case, it appears there was some issue with verifying the phone number. So switched back to email.

This document is good for checking everything.

https://aws.amazon.com/blogs/aws/launch-amazon-cognito-user-pools-general-availability-app-integration-and-federation/

Answer 4

TLDR: If you use an AWS User Pool with Cognito App Client and have an Application Load Balancer that is exposed via a custom DNS entry (e.g. custom-domain.com, which has to be secured via SSL), use this custom domain for the Cognito App Client's callback URL (i.e. https://custom-domain.com/oauth2/idpresponse) instead if the random DNS name created by AWS.

I had the same error and this issue solved it for me. I used a User Pool with a Cognito App Client and as callback URL I first used the DNS name that AWS created for it (<load balancer name>-<random number>.<region>.elb.amazonaws.com, i.e. "callbackUrl": "https://<load balancer name>-<random number>.<region>.elb.amazonaws.com/oauth2/idpresponse). I also created a DNS record for a custom domain to expose the load balancer to the internet and secured it via SSL. As a result, the certificate was not valid for the URL created by AWS, but only my custom domain. The Cognito App Client was thus trying to access the URL with the invalid SSL certificate and returned the error.