Reputation: 1306
I'm asking this question because I was surprised how little information I could find from Googling. However, I was able to track down what I think is the root cause. I'll share it as an answer and see if someone is able to elaborate or provide a better explanation.
So, to clarify, I'm using the AWS JavaScript SDK for Cognito. When I tried some of the standard use cases, I received the following error:
Client is configured for secret but secret was not received
What steps can I take to resolve this?
Upvotes: 34
Views: 39681
Reputation: 1
While creating the user pool, make sure to keep the "don't generate a client secret" option marked true.
Upvotes: 0
Reputation: 21
Mackie Messer is correct in pointing out that Cognito's JavaScript SDK doesn't support apps with a client secret. I ran into the same issue, but for those interested, here is the reason why...
In the context of AWS Cognito, the "client secret" is typically used for server-side authentication to prove the identity of the client making requests. It's considered a sensitive piece of information and is intended to be kept confidential.
When it comes to client-side applications, especially those running in a web browser with JavaScript, it's generally not recommended to use a client secret directly within the application. JavaScript code is inherently visible to users, and embedding a client secret in client-side code could expose it to anyone who happens to be looking.
Cognito's JavaScript SDK allows authentication to be handled on the client side without the need for a client secret. Instead, authentication is typically based on tokens, such as ID tokens and access tokens, which are securely obtained during the authentication process.
Upvotes: 2
Reputation: 181
If you are not using an SDK to communicate with Cognito, you can include "SECRET_HASH" in "AUTH_PARAMETERS". To compute the "SECRET_HASH", please refer to AWS Docs:
Here is an example of how to log in users with Python, using a client that has both a client ID and client secret:

import json
import requests
import hmac
import hashlib
import base64

# Fill these in for your app client and user.
client_id = ""
client_secret = ""
cognito_url = ""  # regional endpoint, of the form https://cognito-idp.<region>.amazonaws.com/
username = ""
password = ""

# SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))
secret_hash = base64.b64encode(
    hmac.new(
        bytes(client_secret, 'utf-8'),
        bytes(username + client_id, 'utf-8'),
        digestmod=hashlib.sha256,
    ).digest()
).decode()

reqData = {
    "AuthParameters": {
        "USERNAME": username,
        "PASSWORD": password,
        "SECRET_HASH": secret_hash
    },
    "AuthFlow": "USER_PASSWORD_AUTH",
    "ClientId": client_id
}
headers = {
    "X-Amz-Target": 'AWSCognitoIdentityProviderService.InitiateAuth',
    "Content-Type": 'application/x-amz-json-1.1'
}

# On success the response carries the tokens under "AuthenticationResult".
jsonResponse = requests.post(
    url=cognito_url, data=json.dumps(reqData), headers=headers).json()
print(jsonResponse)

Upvotes: 18
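The answer above covers InitiateAuth only; the same hash is also required by the other unauthenticated calls, where it goes in a different field. As an added example (not part of the original answer, and going beyond its single case), this server-side helper places the hash correctly per operation so the secret itself never leaves the backend. `HASH_LOCATION` and `build_request` are names introduced here, and the client ID, secret and user values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Where each operation expects the hash: None means a top-level "SecretHash"
# field, otherwise the name of the map that takes a "SECRET_HASH" entry.
HASH_LOCATION = {
    "InitiateAuth": "AuthParameters",
    "RespondToAuthChallenge": "ChallengeResponses",
    "SignUp": None,
    "ConfirmSignUp": None,
    "ForgotPassword": None,
    "ConfirmForgotPassword": None,
    "ResendConfirmationCode": None,
}


def secret_hash(username, client_id, client_secret):
    """Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode("utf-8"),
                   (username + client_id).encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_request(operation, username, params, client_id, client_secret):
    """Return (headers, json_body); only the hash is sent, never the secret."""
    if operation not in HASH_LOCATION:
        raise ValueError("no SECRET_HASH placement known for " + operation)
    digest = secret_hash(username, client_id, client_secret)
    body = dict(params, ClientId=client_id)
    container = HASH_LOCATION[operation]
    if container is None:
        body.update(Username=username, SecretHash=digest)
    else:
        body[container] = dict(params.get(container, {}),
                               USERNAME=username, SECRET_HASH=digest)
    headers = {
        "X-Amz-Target": "AWSCognitoIdentityProviderService." + operation,
        "Content-Type": "application/x-amz-json-1.1",
    }
    return headers, json.dumps(body)


if __name__ == "__main__":
    # Constructed placeholder values, not a real app client.
    _, body = build_request("SignUp", "alice", {"Password": "Example-Passw0rd!"},
                            "example-client-id", "example-client-secret")
    print(body)
```

The hash is tied to the username, so it has to be recomputed for every user rather than cached per client.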
Reputation: 229
I had the same issue and I had to delete the App Client. Create a new App Client and uncheck Generate client secret. Everything worked as expected in my code.
Upvotes: 20
Reputation: 69
I got the same error too. I unchecked the "app client secret" check box during new app client creation in Cognito. This solved my problem. Thanks.
Upvotes: 5
Reputation: 1306
Looking at the NPM package for Amazon Cognito, I notice that:
When creating the App, the generate client secret box must be unchecked because the JavaScript SDK doesn't support apps that have a client secret.
Checking my app, I found that it had a client secret. I'll try remaking the app without the secret and see if that resolves the issue.
Upvotes: 9