Lioness

Reputation: 500

Call to AWSCognitoIdentityService.GetId for Cognito User Pools returns "Token is not from a supported provider of this identity pool."

I am using the AWS SDK for JavaScript and I am trying to use the new Cognito User Pool service. I am getting an error from the underlying HTTP request, accessing the Cognito API function AWSCognitoIdentityService.GetId:

POST / HTTP/1.1
Host: cognito-identity.us-east-1.amazonaws.com
Connection: keep-alive
Content-Length: 985
Cache-Control: max-age=0
Origin: http://localhost:3000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: application/x-amz-json-1.1
X-Amz-Content-Sha256: 9fba852db0a50678957c5be2a317ebce5edbb4580ad7cb1d7b524e2ff5bf95f7
X-Amz-Target: AWSCognitoIdentityService.GetId
X-Amz-User-Agent: aws-sdk-js/2.3.17
Accept: */*
Referer: http://localhost:3000/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8

Request payload:

{"IdentityPoolId":"us-east-1:f9a5b209-8ed6-405d-987c-eb2954d30d1c","Logins":{"cognito-idp.us-east-1.amazonaws.com/us-east-1_9ymEVPkkL":"eyJraWQiOiJQUFhBemRsVDg1K29kNzNvTFU4cnFzVUZORVJvVkh2aVJERGV4bzdISmJzPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI0OTNlYjk5MS1iMTgyLTQxYzAtYmZhNC00N2M5YzViMzM1OTMiLCJhdWQiOiI3N3U3MnRidjN2M2M2MG1pZXFlNGhhbW8yOSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ0b2tlbl91c2UiOiJpZCIsImF1dGhfdGltZSI6MTQ2ODk4OTY4MywiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tXC91cy1lYXN0LTFfOXltRVZQa2tMIiwibmFtZSI6Ik5uZW5uYSBVZGVnYnVuYW0iLCJleHAiOjE0Njg5OTMyODMsImlhdCI6MTQ2ODk4OTY4MywiZW1haWwiOiJubmVubmFAZGFzaHBlZWsuY29tIn0.gItOyeKF3pu24aWtaUwPMQtcOAJu9TWqmYeT3N74zijI9QgfxL93fagZvVgsQj-rqtRSddVV05ZHJBXXZiUZdb3PnUDp48R_1Kiv1RhIvMqOO43RNyS9B7G4uD0cdM8S7OCaoJMXbDPwVH5jy_j9_anm7HgbRGi3JYLS10bIvvuqznxp75V6bxsTGhVGT8EHTui-l0yqLhLbPDM05JV0sOXANFS-BO4sYjgJ-VU8GrP6D49wbses524bMIDAIRN78me5WAFC6OzOqZQ9e_JNVbgs8pHaaDqpqTZq6RUGGUS0QykhDPoJImbS_tt5rGNrVFrDpKXcwJAD1hI5x6lrNA"}}

Response:

HTTP/1.1 400 Bad Request
x-amzn-RequestId: 8e6f7124-4e35-11e6-a6a6-d56ee4384e6b
Access-Control-Allow-Origin: *
x-amzn-ErrorType: NotAuthorizedException:
Access-Control-Expose-Headers: x-amzn-RequestId,x-amzn-ErrorType,x-amzn-ErrorMessage,Date
**x-amzn-ErrorMessage: Token is not from a supported provider of this identity pool.**
Content-Type: application/x-amz-json-1.1
Content-Length: 109
Date: Wed, 20 Jul 2016 04:51:01 GMT
Connection: close

This "Token is not from a supported provider of this identity pool" makes no sense. This token is what came from the user session cached during authentication. And the provided loginID is based on the format for the Cognito user pool.

Here is some of the sample javascript code:

this.loginId = 'cognito-idp.' + this.region + '.amazonaws.com/' + this.userPoolId;
this.poolData = {
  UserPoolId : this.userPoolId,
  ClientId : this.clientId
};
this.userPool = new AWSCognito.CognitoIdentityServiceProvider.CognitoUserPool(this.poolData);

cognitoUser.getSession(function(err, session) {
  if (err) {
    console.log(err);
    console.log("user session expired. needs to log in");
    this.navigateToLogin();
    return;
  }

  var token = session.getIdToken().getJwtToken();
  AWS.config.credentials.params.Logins[this.loginId] = token;

  AWS.config.credentials.refresh(function(err){
    if (err) {
      alert(err);
    } else {
      onLoggedIn();
    }
  });

  console.log('session validity: ' + session.isValid());
}.bind(this));

What is baffling me is that it used to work! And sometimes after many days of logging in and out I am able to get it to work again. But now it has altogether stopped working. I wonder if this is a bug since this service is still in beta, or if there is something I'm doing wrong.

Upvotes: 0

Views: 3172

Answers (1)

Jeff Bailey

Reputation: 5775

That exception is thrown from Cognito Federated Identities, not User Pools, so it wouldn't be because of service instability. It means that the logins key you gave doesn't match with what is linked to the pool and was configured from the console.

I'd double check that you have it configured on the console correctly, and if so, add some logging to see what is being sent as the key in the logins set when it does not work vs when it does.

Upvotes: 1
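The logging the answer suggests can be turned into a pre-flight check: before calling GetId, decode the ID token's payload and confirm that the Logins key and the token's `iss` claim name the same user pool. This is an added example, not code from the question, the answer or the AWS SDK; the user pool id `us-east-1_EXAMPLE1` and the token claims are constructed for the example, and the signature is not verified here (Federated Identities does that server side).

```javascript
// Added example (not from the question or answer): check that the Logins key
// "cognito-idp.<region>.amazonaws.com/<userPoolId>" agrees with the ID token stored
// under it, whose "iss" claim must equal "https://" + that key. The JWT payload is
// only decoded for inspection; the signature is NOT verified (the identity pool does that).

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns a list of problems; an empty list means the Logins entry looks consistent.
function checkLoginsEntry(loginsKey, jwt, nowSeconds) {
  const problems = [];
  const m = /^cognito-idp\.([a-z0-9-]+)\.amazonaws\.com\/([A-Za-z0-9_-]+)$/.exec(loginsKey);
  if (!m) {
    problems.push('Logins key is not of the form cognito-idp.<region>.amazonaws.com/<userPoolId>');
    return problems;
  }
  if (!m[2].startsWith(m[1] + '_')) { // user pool ids are prefixed with their region
    problems.push('user pool id ' + m[2] + ' does not belong to region ' + m[1]);
  }
  const claims = decodeJwtPayload(jwt);
  if (claims.iss !== 'https://' + loginsKey) {
    problems.push('token iss "' + claims.iss + '" does not match Logins key "' + loginsKey + '"');
  }
  if (claims.token_use !== 'id') {
    problems.push('expected an ID token (token_use=id), got ' + claims.token_use);
  }
  if (typeof claims.exp === 'number' && claims.exp <= nowSeconds) {
    problems.push('token expired at ' + new Date(claims.exp * 1000).toISOString());
  }
  return problems;
}

// Constructed sample token: claims made up for this example, signature is a placeholder.
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return enc({ alg: 'RS256', kid: 'example-kid' }) + '.' + enc(claims) + '.placeholder-signature';
}

const SAMPLE_KEY = 'cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE1';
const SAMPLE_JWT = makeSampleJwt({
  sub: '00000000-0000-4000-8000-000000000000', token_use: 'id',
  iss: 'https://' + SAMPLE_KEY, exp: 1468993283, iat: 1468989683,
});
const SAMPLE_PROBLEMS = checkLoginsEntry(SAMPLE_KEY, SAMPLE_JWT, 1468990000); // → []
```

If the list comes back empty but GetId still fails, the mismatch is on the identity pool side (the authentication provider configured in the console), not in the request.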
