“Access token does not contain openid scope” in AW

Published 2020-07-27 03:32

Question:

I am running a working AWS Cognito service on a frontend application which can successfully do the basic stuff - login, logout, signup, etc..

Right now I am trying to get user attributes through the backend API, such that:

1) The user logs in to the application and gets a JWT.

2) The JWT is being sent to the backend server.

3) The server has to extract the email of the user by using the access token.

The closest thing that I found to what I need is this Cognito service.

So I am making a GET request to "https://mydomain.auth.eu-central-1.amazoncognito.com/oauth2/userInfo" with an Authorization header as they ask for, but I keep getting this response:

{ "error": "invalid_token", "error_description": "Access token does not contain openid scope" }

I have tried searching for this error but couldn't find any explanation about the error.

Thanks in advance

Answer 1:

I had this exact problem and it was my fault. I was sending the id_token instead of access_token property of the token.
I program in PHP, so I was sending as header "Authorization: Bearer ".$token->id_token instead of "Authorization: Bearer ".$token->access_token. Now it works.

Hope it helps you or someone.



Answer 2:

Erez, are you using a custom UI? Because the custom UI uses flows that are completely separated from the OAuth2 ones (USER_SRP_AUTH, USER_PASSWORD_AUTH). Tokens that are released with these flows are not OpenID Connect compliant (basically they don't contain the openid scope), so you cannot use them to gather user info (since the userinfo endpoint is OpenID Connect compliant and needs to be invoked with JWTs compliant with the OIDC standard). We're also struggling with that, I'm sorry.
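
Both answers above come down to inspecting the token before sending it: the id_token is never accepted by /oauth2/userInfo, and an access token issued by the USER_SRP_AUTH / USER_PASSWORD_AUTH flows carries only the aws.cognito.signin.user.admin scope. The following pre-flight check is an added example, not code from the question or the answers: it decodes the JWT claims (without signature verification, which remains a separate step against the pool's JWKS) and reports why Cognito would reject the token. The sample tokens are constructed and unsigned for the demo; real Cognito tokens are RS256-signed.

```python
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the (unverified) claims of a compact JWS. This is a pre-flight
    check only; verify the signature against the pool's JWKS before trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def userinfo_precheck(token: str) -> Optional[str]:
    """Explain why Cognito's /oauth2/userInfo would reject this token, or None if usable.
    Cognito sets token_use to 'id' or 'access'; access tokens carry a space-separated scope claim."""
    claims = jwt_claims(token)
    if claims.get("token_use") == "id":
        return "this is the id_token; send the access_token instead"
    if claims.get("token_use") != "access":
        return "token_use is not 'access'"
    if "openid" not in claims.get("scope", "").split():
        return "access token does not contain openid scope"
    return None


def build_userinfo_header(token: str) -> dict:
    """Build the Authorization header for /oauth2/userInfo, refusing unusable tokens early."""
    problem = userinfo_precheck(token)
    if problem:
        raise ValueError(problem)
    return {"Authorization": f"Bearer {token}"}


def _constructed_jwt(claims: dict) -> str:
    # Demo-only, unsigned token: header + claims + placeholder signature segment.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


ID_TOKEN = _constructed_jwt({"token_use": "id", "email": "user@example.com"})
SRP_ACCESS_TOKEN = _constructed_jwt({"token_use": "access", "scope": "aws.cognito.signin.user.admin"})
OIDC_ACCESS_TOKEN = _constructed_jwt({"token_use": "access", "scope": "openid email"})
```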



Answer 3:

If I understand correctly, you are successfully getting the #id_token sent to your front end from Cognito (steps 1-3). You can enable scopes on the #id_token by selecting the following options in your Cognito Pool App Client Settings: