From acc50b924482faf26e30dfc708fe45c1e6d3e72e Mon Sep 17 00:00:00 2001 From: nomadicrogue Date: Thu, 5 Mar 2026 18:06:48 -0500 Subject: [PATCH] fix: request aws.cognito.signin.user.admin scope in OAuth flow The Cognito GetUser API (used by GET /me to resolve email from the caller's access token) requires this scope. Without it the access token lacks the required claim and Cognito rejects with NotAuthorizedException: "Access Token does not have required scopes". Three places updated: - Swagger UI initOAuth scopes - OpenAPI securitySchemes scopes definition - Per-endpoint OAuth2 security requirements Made-with: Cursor
---
 src/main.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/main.py b/src/main.py
index 86e2e047..12b61051 100644
--- a/src/main.py
+++ b/src/main.py
@@ -1106,7 +1106,7 @@ def custom_swagger_ui_html():
 realm: 'oauth2',
 appName: 'Morpheus API Gateway',
 scopeSeparator: ' ',
- scopes: 'openid email profile',
+ scopes: 'aws.cognito.signin.user.admin openid email profile',
 usePkceWithAuthorizationCodeGrant: false,
 useBasicAuthenticationWithAccessCodeGrant: false,
 additionalQueryStringParams: {{
@@ -1517,6 +1517,7 @@ def custom_openapi():
 "authorizationUrl": f"https://{settings.COGNITO_DOMAIN}/oauth2/authorize",
 "tokenUrl": f"https://{settings.COGNITO_DOMAIN}/oauth2/token",
 "scopes": {
+ "aws.cognito.signin.user.admin": "Read own user attributes (GetUser)",
 "openid": "OpenID Connect authentication",
 "email": "Access to email address",
 "profile": "Access to profile information"
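Review bot: The scope description added in the `custom_openapi` hunk, `"Read own user attributes (GetUser)"`, understates what `aws.cognito.signin.user.admin` grants: in Cognito it is the scope that unlocks the access-token-authenticated self-service user API on the caller's own account, which includes write operations (attribute updates, password change, MFA settings, self-deletion), not only GetUser. Since this string is what consumers see in the consent and Swagger UI, it should describe the real grant, e.g. `"aws.cognito.signin.user.admin": "Cognito self-service user API on the caller's own account (GetUser and other own-account operations)"`. The same scope is now the Swagger UI default in the `custom_swagger_ui_html` hunk, so every token minted through the docs page carries this capability; that UI has `usePkceWithAuthorizationCodeGrant: false` on an unchanged context line, which is worth revisiting now that the token is more powerful. Both `custom_swagger_ui_html` and `custom_openapi` start and end outside their hunks.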
@@ -1562,7 +1563,7 @@ def custom_openapi():
 # Auth and Automation endpoints: OAuth2/BearerAuth only (JWT tokens from Cognito)
 elif path_key.startswith("/api/v1/auth/") or path_key.startswith("/api/v1/automation/") or path_key.startswith("/api/v1/billing/"):
 operation["security"] = [
- {"OAuth2": ["openid", "email", "profile"]},
+ {"OAuth2": ["aws.cognito.signin.user.admin", "openid", "email", "profile"]},
 {"BearerAuth": []}
 ]
 # Default: All other endpoints use APIKeyAuth only
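Review bot: The security requirement written to `operation["security"]` now lists `aws.cognito.signin.user.admin` for every operation under `/api/v1/auth/`, `/api/v1/automation/` and `/api/v1/billing/`, while the commit message says only the GET /me path (Cognito GetUser) needs it. If anything downstream enforces the declared scope list (an authorizer or a generated client), this requires the broadest Cognito self-service scope for endpoints that never call the user API; if it is documentation only, it still tells clients to request more than least privilege. Consider keeping `{"OAuth2": ["openid", "email", "profile"]}` for the group and adding the admin scope only on the operation that performs GetUser, or at minimum add a one-line comment above the assignment recording which operation actually needs the scope and why it is declared group-wide. Whether the gateway validates scopes itself is not visible in this hunk; `custom_openapi` starts and ends outside it.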