OAuthCallbackError : AWS Cognito with federate

[satya1395]

Environment

System:
OS: macOS 13.5
CPU: (10) arm64 Apple M1 Pro
Memory: 730.44 MB / 32.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 18.5.0 - ~/.asdf/installs/nodejs/18.5.0/bin/node
npm: 9.8.1 - ~/.asdf/plugins/nodejs/shims/npm
Browsers:
Safari: 16.6

Reproduction URL

google.com

Describe the issue

I am using the Next-Auth AWS Cognito Federated Provider. I am successfully redirected to federate and able to login, but the redirect to the callback URL fails with the following error on the server console. how can i resolve this ?

Also, I tracked network calls and i think something is wrong when next-auth gets the callback request with code and status as below:

Request URL:
http://localhost:3000/api/auth/callback/cognito?code=99df76d3-....&state=ojGqBtR...
Type: Get
Status: 302 found


Response headers:
http://localhost:3000/api/auth/error?error=OAuthCallback

I don't understand why the console error says invalid client when federate goes through successfully and return code and state back to callbackurl.

[next-auth][error][OAUTH_CALLBACK_ERROR] 
https://next-auth.js.org/errors#oauth_callback_error invalid_client {
  error: OPError: invalid_client
      at processResponse (webpack-internal:///(rsc)/./node_modules/openid-client/lib/helpers/process_response.js:35:19)
      at Client.grant (webpack-internal:///(rsc)/./node_modules/openid-client/lib/client.js:1191:28)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async Client.callback (webpack-internal:///(rsc)/./node_modules/openid-client/lib/client.js:406:30)
      at async oAuthCallback (webpack-internal:///(rsc)/./node_modules/next-auth/core/lib/oauth/callback.js:118:22)
      at async Object.callback (webpack-internal:///(rsc)/./node_modules/next-auth/core/routes/callback.js:18:79)
      at async AuthHandler (webpack-internal:///(rsc)/./node_modules/next-auth/core/index.js:202:38)
      at async NextAuthRouteHandler (webpack-internal:///(rsc)/./node_modules/next-auth/next/index.js:50:30)
      at async NextAuth._args$ (webpack-internal:///(rsc)/./node_modules/next-auth/next/index.js:84:24)
      at async eval (webpack-internal:///(rsc)/./node_modules/next/dist/server/future/route-modules/app-route/module.js:254:37) {
    name: 'OAuthCallbackError',
    code: undefined
  },
  providerId: 'cognito',
  message: 'invalid_client'

How to reproduce

1. Create conginto user pool and add federate provider with openid
   Cognito web client is using below settings

Authentication flows
ALLOW_REFRESH_TOKEN_AUTH
ALLOW_CUSTOM_AUTH
ALLOW_USER_SRP_AUTH

Allowed callback URLs
http://localhost:3000
http://localhost:3000/api/auth/callback/cognito

OAuth grant types
Authorization code grant

OpenID Connect scopes
email
openid
phone
profile

2. Use following code to sign in using cognito provider

I am using nextjs13 app directory with middleware.

middleware.ts

export { default } from "next-auth/middleware";

Api/[...nextauth].route.ts

import { authOptions } from "../../../../lib/auth";
import NextAuth from "next-auth";const handler = NextAuth(authOptions);
export { handler as GET, handler as POST };

../../../../lib/auth

import NextAuth, { NextAuthOptions } from 'next-auth';
import CognitoProvider from 'next-auth/providers/cognito'

export const authOptions: NextAuthOptions = {providers: 
  providers: [CognitoProvider({
    clientId: process.env.COGNITO_CLIENT_ID,
    clientSecret: process.env.COGNITO_CLIENT_SECRET,
    issuer: process.env.COGNITO_ISSUER_URL,
    checks: "nonce",
    idToken: true,
    authorization: { params: { scope: 'openid profile email' } },
  })],
  secret: process.env.NEXTAUTH_SECRET,
  debug: true,
}

export default NextAuth(authOptions);

Expected behavior

next-auth redirects to localhost:3000 with code and state

[satya1395]

The error logging was incorrect. The issue was coming incorrect attribute mapping of email.

[rowanfreeman]

What do you mean by this, sorry? I'm getting the same error and have no idea how to resolve this.

[igorsimko]

@rowanfreeman I had same issue (running WSL) and then I noticed I had weird line ending \r in Cognito client id and secrets. Try to trim envs or use different line ending, maybe that helps

[littletuna4]

Did you solve @rowanfreeman?