Terraform-provider-aws: Error updating Cognito User Pool Client: InvalidOAuthFlowException: openid is not supported with client_credentials flow

Created on 26 Jun 2018  ·  5 Comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

v0.11.7

Affected Resource(s)

  • aws_cognito_user_pool_client

Terraform Configuration Files

resource "aws_cognito_user_pool_client" "system_user_pool_client" {
  name         = "${var.env}-system-${local.system_name}-user-pool-client"
  user_pool_id = "${aws_cognito_user_pool.system_user_pool.id}"

  explicit_auth_flows  = "${var.explicit_auth_flows}"
  allowed_oauth_scopes = "${var.allowed_oauth_scopes}"
  allowed_oauth_flows  = "${var.allowed_oauth_flows}"

  callback_urls = [
    "${local.enterprise_client_url}/${var.sign_in_success_path}",
    "${local.abd_enterprise_client_url}/${var.sign_in_success_path}",
  ]

  logout_urls = [
    "${local.enterprise_client_url}/${var.sign_out_path}",
    "${local.abd_enterprise_client_url}/${var.sign_out_path}",
  ]
}

Expected Behavior

The apply should succeed. If AllowedOAuthFlows does NOT include client_credentials, then AllowedOAuthScopes is permitted to include openid.

Actual Behavior

Even without client_credentials included in AllowedOAuthFlows, an update to AllowedOAuthScopes will throw the following: Error updating Cognito User Pool Client: InvalidOAuthFlowException: openid is not supported with client_credentials flow

Steps to Reproduce

  1. Create a terraform user pool client - specifying only the attributes listed above. Ensure open_id is provided in AllowedOAuthScopes. Ensure client_credentials is NOT in AllowedOAuthScopes.
  2. Propose some other update to the client settings, for example add another sign in url
  3. terraform apply
Labels: bug, service/cognito, stale
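Both errors in this thread are Cognito enforcing rules on the app client's OAuth settings at UpdateUserPoolClient time: the openid scope describes an end user, while client_credentials is a machine-to-machine flow with no user, so the two cannot coexist; and a client that has OAuth enabled must carry both a flow list and a scope list. The following pre-apply check is an added example, not code from this issue or from the provider. It reads the JSON that `terraform show -json <planfile>` produces and flags planned creates or updates of `aws_cognito_user_pool_client` that Cognito would reject. The third rule (client_credentials cannot be combined with the code or implicit flows) comes from the AWS Cognito documentation rather than this page, and the plan embedded at the bottom is a constructed sample, not real Terraform output.

```python
"""Pre-apply check for aws_cognito_user_pool_client OAuth settings.

Reads `terraform show -json <planfile>` output and reports app clients whose
OAuth settings Cognito rejects at UpdateUserPoolClient time.
"""
import json
import sys

OPENID_SCOPE = "openid"
CLIENT_CREDENTIALS = "client_credentials"
USER_FLOWS = {"code", "implicit"}  # flows that involve an interactive end user


def validate_client(cfg: dict) -> list:
    """Return the list of problems for one aws_cognito_user_pool_client body."""
    problems = []
    flows = set(cfg.get("allowed_oauth_flows") or [])
    scopes = set(cfg.get("allowed_oauth_scopes") or [])
    oauth_enabled = bool(cfg.get("allowed_oauth_flows_user_pool_client"))

    # Rule 1 (the InvalidOAuthFlowException in this issue): openid identifies a
    # user; client_credentials has no user, so Cognito refuses the combination.
    if CLIENT_CREDENTIALS in flows and OPENID_SCOPE in scopes:
        problems.append("openid scope is not supported with the client_credentials flow")

    # Rule 2 (the InvalidParameterException in the comments): enabling OAuth on
    # the client requires both a flow list and a scope list.
    if oauth_enabled and (not flows or not scopes):
        problems.append(
            "allowed_oauth_flows and allowed_oauth_scopes are required "
            "when allowed_oauth_flows_user_pool_client is true"
        )

    # Rule 3 (AWS documentation, not this issue): client_credentials cannot be
    # combined with the user-facing code or implicit flows.
    if CLIENT_CREDENTIALS in flows and flows & USER_FLOWS:
        problems.append("client_credentials cannot be combined with code or implicit flows")

    return problems


def check_plan(plan_json: str) -> dict:
    """Map each planned create/update of a user pool client to its problems."""
    plan = json.loads(plan_json)
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_cognito_user_pool_client":
            continue
        change = rc.get("change", {})
        if not ({"create", "update"} & set(change.get("actions", []))):
            continue  # deletes and no-ops never call UpdateUserPoolClient
        problems = validate_client(change.get("after") or {})
        if problems:
            findings[rc["address"]] = problems
    return findings


# Constructed sample plan: one client reproducing the error from this issue
# and one client that Cognito accepts.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "aws_cognito_user_pool_client.system_user_pool_client",
            "type": "aws_cognito_user_pool_client",
            "change": {
                "actions": ["update"],
                "after": {
                    "allowed_oauth_flows_user_pool_client": True,
                    "allowed_oauth_flows": ["client_credentials"],
                    "allowed_oauth_scopes": ["openid", "email"],
                },
            },
        },
        {
            "address": "aws_cognito_user_pool_client.web_client",
            "type": "aws_cognito_user_pool_client",
            "change": {
                "actions": ["update"],
                "after": {
                    "allowed_oauth_flows_user_pool_client": True,
                    "allowed_oauth_flows": ["code"],
                    "allowed_oauth_scopes": ["openid", "email"],
                },
            },
        },
    ]
})


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python check_cognito.py plan.json
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, problems in check_plan(source).items():
        for problem in problems:
            print(f"{address}: {problem}")
```

Run without arguments it checks the embedded sample and reports only the first client; in CI, feed it the real plan JSON so a rejected OAuth combination fails the pipeline before the update is attempted rather than after the provider has already sent it.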

All 5 comments

I'm getting a similar error for updating user pool client (resource aws_cognito_user_pool_client) InvalidParameterException: AllowedOAuthFlows and AllowedOAuthScopes are required if user pool client is allowed to use OAuth flows.
status code: 400, request id: bfeb42f0-8401-11e8-a33d-4388ccbed918

Any solution to this found yet?

A temporary workaround for me is to taint the user pool client. This forces it to be recreated instead of just changed, which doesn't trigger this bug:

$ terraform taint aws_cognito_user_pool_client.my_client

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
