
405 method not allowed error in AWS Cognito oauth2/token endpoint

I'm using the AWS Cognito UI for login with the authorization code grant flow and I'm successfully getting the authorization code. But I'm getting a 405 Method Not Allowed error when the POST request is made to the oauth2/token endpoint via Postman.

The app client is set up in the Cognito User Pool with an app secret, passing appclientid:appclientsecret as the Authorization value in base64 encoding.

As stated in the documentation:

Content-Type Must always be 'application/x-www-form-urlencoded'.

Source: https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

Use Basic Auth for Authentication and provide Username = client_id, Password = client_secret

Use POST method

Use Body = x-www-form-urlencoded

Don't forget to use the State value in the Body as well.
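The steps above, put together as an added example (this is not code from the answer or from AWS): a function that assembles a correctly formed Cognito /oauth2/token request, with the body produced by URLSearchParams so it is genuinely application/x-www-form-urlencoded and the Basic header built from client_id:client_secret. It also handles the client_credentials and refresh_token grants, which goes beyond the authorization_code case the answer describes. The domain, client id, secret, code and redirect URI used in the test are placeholders; exchangeForTokens is a helper name chosen here.

```javascript
// Added example, not from the original thread. Assembles a Cognito
// /oauth2/token request; all identifiers passed in are placeholders.
function buildTokenRequest({ domain, clientId, clientSecret, grant }) {
  // Resolve the path against the domain so no stray characters (for example
  // a trailing '&' copied from the docs) end up in the request URL.
  const url = new URL("/oauth2/token", domain);

  // URLSearchParams serialises as application/x-www-form-urlencoded and
  // percent-encodes values such as redirect_uri.
  const body = new URLSearchParams({ grant_type: grant.grant_type, client_id: clientId });
  switch (grant.grant_type) {
    case "authorization_code":
      body.set("code", grant.code);
      body.set("redirect_uri", grant.redirect_uri); // must match the /oauth2/authorize request
      if (grant.code_verifier) body.set("code_verifier", grant.code_verifier); // PKCE for public clients
      break;
    case "client_credentials":
      if (grant.scope) body.set("scope", grant.scope);
      break;
    case "refresh_token":
      body.set("refresh_token", grant.refresh_token);
      break;
    default:
      throw new Error(`unsupported grant_type: ${grant.grant_type}`);
  }

  const headers = {
    "Content-Type": "application/x-www-form-urlencoded", // exact value, no quotes
    Accept: "application/json",
  };
  if (clientSecret) {
    // Confidential client: Authorization: Basic base64(client_id:client_secret).
    // Buffer is Node; a browser would use btoa(), but a secret should not ship to a browser.
    headers.Authorization =
      "Basic " + Buffer.from(`${clientId}:${clientSecret}`, "utf8").toString("base64");
  }
  return { url: url.toString(), method: "POST", headers, body: body.toString() };
}

// Send the assembled request with fetch (Node 18+ or a browser) and return the token set.
// A 4xx from Cognito carries a JSON body such as {"error":"invalid_grant"}; anything
// else (including a 405 page) is surfaced as plain text.
async function exchangeForTokens(opts) {
  const req = buildTokenRequest(opts);
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  const text = await res.text();
  let data;
  try {
    data = JSON.parse(text);
  } catch {
    data = { error: text };
  }
  if (!res.ok) throw new Error(`${res.status}: ${data.error || "token request failed"}`);
  return data; // { access_token, id_token?, refresh_token?, expires_in, token_type }
}
```

A Cognito app client that runs in a browser or mobile app should be created without a secret and use PKCE (the code_verifier parameter above); the client_secret path is for server-side code that can keep the secret.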

I had a similar problem. In my case I had to change the Accept header to */*.

When I had it as Accept=text/html,application/xhtml+xml,application/xml it responded with 405 to the /token endpoint. Hopefully that helps somebody.

I was writing code in C# for the token with the authorization_code grant type and all calls were failing with a 405 Method Not Allowed status.

According to the AWS documentation the following URL and parameters should be used:

POST https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token&
Content-Type='application/x-www-form-urlencoded'&
Authorization=Basic aSdxd892iujendek328uedj

grant_type=authorization_code&
client_id=djc98u3jiedmi283eu928&
code=AUTHORIZATION_CODE&
redirect_uri=com.myclientapp://myclient/redirect

After spending 2 hours, I found out that removing the & from the URL would solve the issue, so make sure your request looks like this:

POST https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token
Content-Type='application/x-www-form-urlencoded'
Authorization=Basic aSdxd892iujendek328uedj

grant_type=authorization_code&
client_id=djc98u3jiedmi283eu928&
code=AUTHORIZATION_CODE&
redirect_uri=com.myclientapp://myclient/redirect

Well, just in case it helps anybody.

I was facing a 405 in Postman while trying to retrieve the respective JWT tokens (id_token, access_token, refresh_token) using the grant_type authorization_code.

The reason was the Headers section, where I was using 'application/x-www-form-urlencoded' as the value for Content-Type, i.e. with single quotes. So, when I removed these single quotes and used application/x-www-form-urlencoded directly, it started working.

I resolved this 405 Method Not Allowed error in the AWS Cognito oauth2/token endpoint by writing my code as mentioned below, and it worked fine. I took help from this link and used the correct format to specify both the header and body parameters in the fetch request:

https://formcarry.com/documentation/fetch-api-example

  // The authorization code Cognito appended to the redirect URI (?code=...)
  const code = new URLSearchParams(window.location.search).get("code")

  // Basic credentials: base64(client_id:client_secret)
  const authData = btoa(`${config.clientId}:${config.clientSecret}`)

  const requestOptions = {
    method: "POST",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      "Authorization": `Basic ${authData}`,
      "Accept": "application/json"
    },
    // URLSearchParams form-encodes the body and escapes redirect_uri properly
    body: new URLSearchParams({
      grant_type: config.grant_type,
      code: code,
      client_id: config.clientId,
      redirect_uri: config.loginRedirectUri
    }).toString()
  }

  fetch(`${config.domainUrl}/oauth2/token`, requestOptions)
    .then(response => response.json())
    .then(data => {
      sessionStorage.setItem("access_token", data.access_token)
      fetchUserDetails(data.access_token)   // app-specific: call the API with the access token
    })

I used a config file to save variables.

const config = {
  domainUrl: "https://domainname.auth.origin.amazoncognito.com",
  clientId: "xxxxxxxxxxxx",
  loginRedirectUri: "http://localhost:8000/redirecturi",
  grant_type: "authorization_code",
  logoutUri: "http://localhost:8000",
  clientSecret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}

I had the same issue, although using client_credentials rather than authorization_code.

In Postman I was using Basic Auth with a valid client_id / client_secret as username/password, made sure the Content-Type: application/x-www-form-urlencoded header was there, and set the body (raw/json) to:

{
"client_id": {client_id},
"grant_type": "client_credentials",
"scope": {client_scope}
}

However, I was still getting the 405 Method Not Allowed error. I eventually figured out that I could switch the body type to x-www-form-urlencoded in Postman; I re-entered the body parameters and now it's working.

        using System;
        using System.Collections.Generic;
        using System.Net.Http;
        using System.Net.Http.Headers;
        using System.Threading.Tasks;

        // client_id:client_secret, base64-encoded, goes into the Basic Authorization header
        var strClientSecret = "your_clientId:your_clientsecret";
        var client = new HttpClient();
        var body = new Dictionary<string, string>();
        body.Add("grant_type", "client_credentials");
        body.Add("client_id", "your_appclientid");
        body.Add("redirect_uri", "your_callbackurl");

        // FormUrlEncodedContent sets Content-Type: application/x-www-form-urlencoded on the
        // content itself, so it does not need to be added to DefaultRequestHeaders as well
        var content = new FormUrlEncodedContent(body);
        var autho = System.Text.Encoding.UTF8.GetBytes(strClientSecret);
        var base64Autho = System.Convert.ToBase64String(autho);
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", base64Autho);

        var response = await client.PostAsync("https://your_domain.auth.ap-south-1.amazoncognito.com/oauth2/token", content);
        var json = await response.Content.ReadAsStringAsync();   // token JSON, or the error body

In my case, after upgrading axios from v0.xx to v1.xx I changed

headers: { 'content-type': 'application/x-www-form-urlencoded' },

to

headers: { 'Content-Type': 'application/x-www-form-urlencoded' },

with capital letters in Content-Type.

And to make the picture complete: if your Host header is not set or is not the same as the domain that you are posting to, you will also get a 405 (Method Not Allowed).
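The thread collects several distinct causes of the same 405: a stray & on the URL, a quoted Content-Type value, a raw JSON body instead of form fields, a wrong method, and a Host header that does not match the domain. As an added example (not code from any of the answers), here is a pre-flight check that inspects a request object of the shape { url, method, headers, body } and reports each of those mistakes before anything is sent. The request shape and the sample requests in the test are constructed for this example; preflightTokenRequest and getHeader are names chosen here.

```javascript
// Added example, not from the original thread. Inspects a planned
// /oauth2/token request and returns a list of findings (empty = looks right).

// Case-insensitive header lookup, since HTTP header names are case-insensitive.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

function preflightTokenRequest(req) {
  const findings = [];
  let url;
  try {
    url = new URL(req.url);
  } catch {
    return [`url: not parseable: ${req.url}`];
  }
  if (url.protocol !== "https:") findings.push(`url: must use https, got ${url.protocol}`);
  if (url.pathname !== "/oauth2/token" || url.search || url.hash) {
    // A '&' copied from the docs gives pathname "/oauth2/token&", which is a different route.
    findings.push(`url: path must be exactly /oauth2/token, got ${url.pathname}${url.search}${url.hash}`);
  }
  if (req.method !== "POST") findings.push(`method: must be POST, got ${req.method}`);

  // Content-Type must be the bare media type; quotes make it a different string.
  const ct = getHeader(req.headers, "content-type");
  if (typeof ct !== "string") {
    findings.push("content-type: header missing");
  } else {
    if (/['"]/.test(ct)) findings.push(`content-type: value contains quote characters: ${ct}`);
    if (ct.split(";")[0].trim().toLowerCase() !== "application/x-www-form-urlencoded") {
      findings.push(`content-type: must be application/x-www-form-urlencoded, got ${ct}`);
    }
  }

  // Body must be form-encoded key=value pairs, never a JSON document or object.
  if (typeof req.body !== "string") {
    findings.push("body: must be a form-encoded string (a raw/JSON body is not accepted)");
  } else if (/^\s*[{[]/.test(req.body)) {
    findings.push("body: looks like JSON; send key=value pairs, form-encoded");
  } else {
    const form = new URLSearchParams(req.body);
    const grant = form.get("grant_type");
    const required = { authorization_code: ["code", "redirect_uri"], refresh_token: ["refresh_token"], client_credentials: [] };
    if (!grant || !(grant in required)) {
      findings.push(`body: unknown or missing grant_type: ${grant}`);
    } else {
      for (const p of required[grant]) if (!form.get(p)) findings.push(`body: ${grant} requires ${p}`);
    }
  }

  // If Basic auth is used it must decode to client_id:client_secret.
  const auth = getHeader(req.headers, "authorization");
  if (auth !== undefined) {
    const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/.exec(auth);
    const decoded = m ? Buffer.from(m[1], "base64").toString("utf8") : "";
    if (!m || !decoded.includes(":")) findings.push("authorization: expected Basic base64(client_id:client_secret)");
  }

  // An explicit Host header must match the domain being posted to.
  const host = getHeader(req.headers, "host");
  if (host !== undefined && host !== url.host) findings.push(`host: ${host} does not match ${url.host}`);
  return findings;
}
```

Run it over the request your HTTP client is about to send (or over the values copied out of Postman); each finding names the header, URL or body part to fix, which is faster than reading the 405 page Cognito returns.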
