# help
m
Trying my first application using a RESTful API along with a Cognito authorizer. But getting an
{
  "error": "invalid_scope"
}
when trying to get my token from the
POST https://service-api-pool-domain-jedi-master.auth.us-east-1.amazoncognito.com/oauth2/token
here’s my infra code:
import * as cognito from "@aws-cdk/aws-cognito";
import * as apiAuthorizers from "@aws-cdk/aws-apigatewayv2-authorizers";
import * as sst from "@serverless-stack/resources";

export default class MyStack extends sst.Stack {
  constructor(scope, id, props) {
    super(scope, id, props);

    // Create user pool
    const userPool = new cognito.UserPool(this, "UserPool", {
      userPoolName: "UserPool"
    })

    // Resource server that defines the custom scope "vehicles/read"
    // (scope string = identifier + "/" + scopeName)
    new cognito.CfnUserPoolResourceServer(this, "dev-userpool-resource-server", {
      identifier: "vehicles",
      name: "vehicles api",
      userPoolId: userPool.userPoolId,
      scopes: [
        {
          scopeDescription: "Get vehicles",
          scopeName: "read",
        },
      ],
    });

    // App client for the server-to-server (client_credentials) flow.
    // A token request may only ask for scopes listed in oAuth.scopes.
    const userPoolClient = new cognito.UserPoolClient(this, "UserPoolClient", {
      userPool,
      generateSecret: true,
      preventUserExistenceErrors: true,
      oAuth: {
        flows: {
          clientCredentials: true,
        },
        scopes: [cognito.OAuthScope.custom("vehicles/read")]
      },
      authFlows: {
        userSrp: true,
        refreshToken: true
      },
      supportedIdentityProviders: [cognito.UserPoolClientIdentityProvider.COGNITO]
    })

    // Hosted domain that serves the /oauth2/token endpoint
    new cognito.UserPoolDomain(this, "UserPoolDomain", {
      userPool,
      cognitoDomain: {
        domainPrefix: 'service-api-pool-domain-jedi-master'
      }
    })

    // Create the HTTP API, protected by a JWT authorizer backed by the user pool
    const api = new sst.Api(this, "Api", {
      defaultAuthorizer: new apiAuthorizers.HttpUserPoolAuthorizer({
        userPool,
        userPoolClient
      }),
      defaultAuthorizationType: sst.ApiAuthorizationType.JWT,
      routes: {
        "GET /vehicles": "src/list.main",
        "GET /vehicles/{id}": "src/get.main",
        "PUT /vehicles/{id}": "src/update.handler"
      },
    });

    // Show API endpoint in output
    this.addOutputs({
      "ApiEndpoint": api.url,
    });
  }
}
f
Hey @Marcelo Olivas, I haven’t used the setup in your snippet. Is there a working example/tutorial you are following? I can try to spot the difference 🤔
m
Thanks for the reply @Frank. There is no working example because this is a server-to-server integration. I have everything in my repo here https://github.com/mfolivas/aws-serverless-nodejs-sst-api-gw
f
This is probably not related, but you can use userPool.addResourceServer() instead of this:
new cognito.CfnUserPoolResourceServer(this, "dev-userpool-resource-server", {
  identifier: "vehicles",
  name: "vehicles api",
  userPoolId: userPool.userPoolId,
  scopes: [
    {
      scopeDescription: "Get vehicles",
      scopeName: "read",
    },
  ],
});
https://docs.aws.amazon.com/cdk/api/latest/docs/aws-cognito-readme.html#resource-servers
m
I’m just not sure if I need to setup the scope. If I want to have a server-to-server can I just have this:
const userPool = new cognito.UserPool(this, "UserPool", {
  userPoolName: "UserPool"
})

const userPoolClient = new cognito.UserPoolClient(this, "UserPoolClient", {
  userPool,
  generateSecret: true,
  preventUserExistenceErrors: true,
  authFlows: {
    userSrp: true,
    refreshToken: true
  },
  supportedIdentityProviders: [cognito.UserPoolClientIdentityProvider.COGNITO]
})

new cognito.UserPoolDomain(this, "UserPoolDomain", {
  userPool,
  cognitoDomain: {
    domainPrefix: 'service-api-pool-domain-jedi-master'
  }
})
I still get the error: invalid_scope 🤷‍♂️