I have a Cognito user pool, an app set up and a resource server set up. We do not want to use the hosted UI to log in, and I am trying from the back end to authorize with OAuth 2.0 with a user name and password and send the token back to the front end to use with API Gateway calls. I am using C#, and the provided SDK does not allow for the right scope, so I am trying the manual OAuth2 method of logging in, but nothing I have tried is working.
Edit: I have gotten a bit further today trying to use Postman; however, I am getting the error unsupported_grant_type with the following setup:
As of now, this is not supported without the hosted UI. Basically, you cannot expect AdminInitiateAuth to include custom scopes in the access_token.
This is not a limitation in .NET SDK. This is a limitation in Cognito itself.
As per this answer, someone can argue that this is the intended behaviour:
Signing in via InitiateAuth or AdminInitiateAuth is not via the OAuth endpoints, so the OAuth custom scopes will not be included in the token.
This issue has also been mentioned for other SDKs/libs, such as the Android SDK and Amplify JS. Several issues are mentioned in this comment.
Maybe you could try to use the id_token along with Lambda Authorizers as a workaround.
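The id_token plus Lambda authorizer workaround, as an added example that is not part of the answer above: a Python REST API Lambda authorizer that verifies a Cognito id_token against the pool's JWKS (RS256 checked with the standard library only) and uses the cognito:groups claim in place of the custom scopes that AdminInitiateAuth never issues. The pool ID, client ID and the group-to-route mapping are assumed placeholders.

```python
import base64, hashlib, json, time, urllib.request
# Constructed placeholders; a real deployment reads these from Lambda environment variables.
REGION, POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "example-app-client-id"
ISSUER = "https://cognito-idp.%s.amazonaws.com/%s" % (REGION, POOL_ID)
# Stand-in for custom OAuth scopes: which Cognito groups may call which route (assumed mapping).
ROUTE_GROUPS = {"GET /orders": {"readers", "admins"}, "POST /orders": {"admins"}}
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # PKCS#1 v1.5 DigestInfo
def b64url(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def rs256_valid(signing_input, sig, jwk):
    """Check an RS256 signature against one JWK (n, e) from the pool's jwks.json, stdlib only."""
    n, e = (int.from_bytes(b64url(jwk[k]), "big") for k in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    t = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return em == b"\x00\x01" + b"\xff" * (k - 3 - len(t)) + b"\x00" + t
def check_claims(claims, now):
    """Return a rejection reason, or None when the id_token claims are acceptable."""
    if not isinstance(claims, dict) or claims.get("token_use") != "id": return "not an id_token"
    if claims.get("iss") != ISSUER: return "wrong issuer"
    if claims.get("aud") != CLIENT_ID: return "wrong audience"  # id_token aud is the app client id
    if now >= claims.get("exp", 0): return "expired"
    return None
def verify_id_token(token, jwks, now):
    """Decode and verify a Cognito id_token; raise ValueError on any failure."""
    try: h, p, s = token.split("."); header, claims = json.loads(b64url(h)), json.loads(b64url(p))
    except ValueError: raise ValueError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "RS256": raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or not rs256_valid((h + "." + p).encode(), b64url(s), key): raise ValueError("bad signature")
    reason = check_claims(claims, now)
    if reason: raise ValueError(reason)
    return claims
def authorize(claims, method_arn, route):
    """Build the IAM policy a REST API Lambda authorizer returns; groups stand in for scopes."""
    groups = set(claims.get("cognito:groups", []))
    effect = "Allow" if groups & ROUTE_GROUPS.get(route, set()) else "Deny"
    statement = {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
    return {"principalId": claims.get("sub", "anonymous"), "context": {"groups": ",".join(sorted(groups))},
            "policyDocument": {"Version": "2012-10-17", "Statement": [statement]}}
def handler(event, context):
    """REQUEST authorizer entry point: the Authorization header carries the raw id_token."""
    jwks = json.load(urllib.request.urlopen(ISSUER + "/.well-known/jwks.json"))  # cache this in real code
    token = event.get("headers", {}).get("Authorization", "").replace("Bearer ", "", 1)
    try: claims = verify_id_token(token, jwks, time.time())
    except ValueError: raise Exception("Unauthorized")  # API Gateway turns this message into a 401
    route = event["requestContext"]["httpMethod"] + " " + event["requestContext"]["resourcePath"]
    return authorize(claims, event["methodArn"], route)
```

The front end sends the IdToken returned by AdminInitiateAuth as the Authorization header, and the authorizer decides per route from group membership rather than from a scope claim.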