Cognito "InvalidParameterException" on InitiateAuth in CI
Cognito raised InvalidParameterException because the auth request is missing or has wrong parameters for the app client, such as a required SECRET_HASH or an auth flow the client does not allow.
What this error means
InitiateAuth throws "InvalidParameterException" with a message like "Missing required parameter SECRET_HASH" or "USER_PASSWORD_AUTH flow not enabled for this client".
Cognito
InvalidParameterException: Missing required parameter SECRET_HASHCommon causes
App client has a secret but SECRET_HASH is not sent
When the app client is configured with a client secret, each auth call must include a computed SECRET_HASH.
The requested auth flow is not enabled
USER_PASSWORD_AUTH or another flow must be explicitly enabled on the app client, or the request is invalid.
How to fix it
Send SECRET_HASH or use a client without a secret
- For a secretful client, compute SECRET_HASH from username, client id, and secret.
- Include it in the AuthParameters.
- Or use an app client with no secret for the test flow.
Terminal
SECRET_HASH=$(printf "%s%s" "$USER" "$CLIENT_ID" \
| openssl dgst -sha256 -hmac "$CLIENT_SECRET" -binary | base64)Enable the auth flow on the app client
Enable USER_PASSWORD_AUTH (or the flow the test uses) in the Cognito app client settings.
How to prevent it
- Match the auth flow the client enables to what tests call.
- Compute SECRET_HASH when the app client has a secret.
- Prefer a secretless test client to simplify CI auth.
Related guides
Cognito "NotAuthorizedException: Incorrect username or password" in CIFix Cognito "NotAuthorizedException: Incorrect username or password" in CI - the InitiateAuth call used wrong…
OAuth2 "unsupported_grant_type" at the token endpoint in CIFix OAuth2 "error":"unsupported_grant_type" in CI - the grant_type value in the token request is not one the…
Firebase Auth "auth/invalid-api-key" in CIFix Firebase Auth "auth/invalid-api-key" in CI - the Firebase config apiKey passed to initializeApp was missi…