Cognito - Client is not enabled for OAuth2.0 flows
Introduction
This Cognito error means the app client named in the request has not been configured to allow the OAuth 2.0 flow the request is asking for. In Cognito, creating an app client is not enough by itself: the client must also have its Hosted UI and OAuth settings enabled, which means at least one allowed OAuth flow, callback URLs that exactly match what the application sends, and the scopes the application requests.
Why the Error Appears
Amazon Cognito separates app-client creation from app-client OAuth configuration. A client can exist, and even work for direct API authentication through InitiateAuth, and still be unusable for the authorization code, implicit, or client credentials flows if the OAuth settings were never enabled on it.
Typical triggers include:
- requesting /oauth2/authorize with a client that has no OAuth flows enabled
- using the wrong app client ID
- enabling an OAuth flow but forgetting callback URLs or scopes
- mixing up a client intended for API auth with one intended for Hosted UI login
So the message is not saying Cognito is broken. It is saying the selected client configuration does not permit the flow you asked for.
Enable the Correct OAuth Flows in the App Client
In the Cognito user pool configuration, inspect the app client and ensure the required OAuth flow is enabled. The exact UI labels vary over time, but the core settings are the same:
- authorization code grant (response_type=code), the default choice for browser and server-side applications
- implicit grant (response_type=token) only if you truly need it; it returns tokens in the URL fragment, and current OAuth guidance recommends authorization code with PKCE instead
- client credentials if the use case is machine-to-machine; in Cognito this flow requires a client secret and custom scopes defined on a resource server, and it never touches /oauth2/authorize (the service posts directly to /oauth2/token)
You also need allowed callback URLs and allowed sign-out URLs for browser-based flows.
The callback URL used in your application must match what Cognito has configured exactly, including scheme, host, port, path, and any trailing slash. A mismatch produces a different error (redirect_mismatch) once the flow itself is enabled, but it is usually part of the same misconfiguration cluster.
Match the Flow to the Kind of Application
The flow should match the client type:
- browser or server-rendered app with a backend that can hold a secret: authorization code grant
- public SPA or mobile app: authorization code with PKCE (code_challenge_method=S256) on an app client created without a client secret
- machine-to-machine service: client credentials, on its own app client with a client secret and resource-server scopes
If your application tries to use a browser-oriented Hosted UI flow with an app client configured only for direct API authentication (for example, ALLOW_USER_PASSWORD_AUTH or ALLOW_USER_SRP_AUTH under ExplicitAuthFlows, with no OAuth flows enabled), you will hit this error.
Example Authorization Request
A typical authorization-code request looks like this:
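The following is an added example, not code from the original page or from AWS. It builds the authorization request for the Cognito Hosted UI /oauth2/authorize endpoint with a PKCE code challenge (RFC 7636, S256), plus the matching /oauth2/token exchange body, and parses the request back so each parameter can be inspected. The domain, client ID, and redirect URI are made-up placeholders; the endpoint paths and parameter names are the ones Cognito documents.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values for illustration only; substitute your own.
COGNITO_DOMAIN = "https://my-app.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "1example23456789"
REDIRECT_URI = "https://app.example.com/callback"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge_for(verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge). 32 random bytes -> 43-char verifier."""
    verifier = _b64url(secrets.token_bytes(32))
    return verifier, code_challenge_for(verifier)


def build_authorize_url(domain, client_id, redirect_uri, scopes, state, code_challenge):
    """GET {domain}/oauth2/authorize?... for the authorization code flow.

    The app client must have the code flow enabled, redirect_uri must be an
    exact entry in its callback URLs, and every scope must be allowed on it.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),          # urlencode turns the space into '+'
        "state": state,                     # CSRF binding; verify it on return
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{domain}/oauth2/authorize?{urlencode(params)}"


def build_token_request(domain, client_id, redirect_uri, code, code_verifier):
    """Body for POST {domain}/oauth2/token that redeems the returned code.

    A public client (no secret) sends client_id in the body; a confidential
    client would instead send HTTP Basic auth with client_id:client_secret.
    """
    return {
        "url": f"{domain}/oauth2/token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": {
            "grant_type": "authorization_code",
            "client_id": client_id,
            "redirect_uri": redirect_uri,   # must equal the one sent to /oauth2/authorize
            "code": code,
            "code_verifier": code_verifier,
        },
    }


def parse_authorize_url(url):
    """Split a built URL into (path, {param: value}) for inspection or logging."""
    parsed = urlparse(url)
    return parsed.path, {k: v[0] for k, v in parse_qs(parsed.query).items()}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(COGNITO_DOMAIN, CLIENT_ID, REDIRECT_URI,
                              ["openid", "email"], secrets.token_urlsafe(16), challenge)
    print(url)
    print(parse_authorize_url(url))
```

Keep the code_verifier and state server-side (or in session storage for a SPA) between the two requests; the verifier is what proves to /oauth2/token that the same party started the flow.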
For that request to work, the app client must allow the authorization code flow, the redirect URI must be listed verbatim in the client's callback URLs, and every requested scope must be among the client's allowed scopes.
Verify the Client ID You Are Actually Using
In projects with several environments or several app clients, the wrong client ID is a common cause. For example, a mobile client, a web client, and a machine client may all exist in the same user pool.
If your code is pointed at the wrong client ID, the OAuth request can fail even though another client in the same pool is configured correctly.
That is why the debugging sequence should always include checking:
- the exact client ID in the request
- the exact user pool and domain being used
- the app-client OAuth settings for that specific ID
Scopes and Domain Configuration Also Matter
Even after enabling the flow, Cognito still expects a Hosted UI domain to exist for the user pool and the allowed scopes to be set on the client. If you request scopes such as openid, email, profile, phone, or aws.cognito.signin.user.admin, the client must allow each of them. The client also needs at least one supported identity provider (the user pool itself counts), or the Hosted UI has nothing to sign users in with.
This means a usable OAuth client generally needs all of the following to line up:
- an enabled OAuth flow
- an active Cognito domain
- allowed callback URLs
- allowed scopes
- at least one supported identity provider on the client
- the correct client ID in the application
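As an added example (not code from the original page or from AWS), the preflight check below runs the debugging sequence from the two sections above over an app-client description before any request is sent. The client records are constructed samples shaped like the UserPoolClient object that the Cognito DescribeUserPoolClient API returns; the field names are the real ones, the IDs and URLs are made up. One client is a correctly configured web client, the other is an API-only client, which is the usual "wrong client ID" trap. The function reports every mismatch at once, so the whole misconfiguration cluster shows up in one pass instead of one error per deploy.

```python
from urllib.parse import parse_qs, urlparse

# Constructed samples in the shape of DescribeUserPoolClient's UserPoolClient.
# Field names are Cognito's; IDs, URLs and values are hypothetical.
CLIENTS = {
    "1example23456789": {                       # web client, Hosted UI enabled
        "ClientId": "1example23456789",
        "AllowedOAuthFlowsUserPoolClient": True,
        "AllowedOAuthFlows": ["code"],
        "AllowedOAuthScopes": ["openid", "email", "profile"],
        "CallbackURLs": ["https://app.example.com/callback"],
        "LogoutURLs": ["https://app.example.com/"],
        "SupportedIdentityProviders": ["COGNITO"],
        "ExplicitAuthFlows": ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    },
    "9example87654321": {                       # API client, never set up for OAuth
        "ClientId": "9example87654321",
        "AllowedOAuthFlowsUserPoolClient": False,
        "AllowedOAuthFlows": [],
        "AllowedOAuthScopes": [],
        "CallbackURLs": [],
        "LogoutURLs": [],
        "SupportedIdentityProviders": [],
        "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    },
}

# /oauth2/authorize response_type -> name Cognito uses in AllowedOAuthFlows.
RESPONSE_TYPE_TO_FLOW = {"code": "code", "token": "implicit"}


def preflight(authorize_url, clients=CLIENTS):
    """Compare an /oauth2/authorize request against the app-client config.

    Returns a list of human-readable problems; an empty list means the
    request is consistent with the client it names.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(authorize_url).query).items()}
    problems = []

    client = clients.get(q.get("client_id", ""))
    if client is None:
        return [f"unknown client_id {q.get('client_id')!r}: check that the app "
                "points at the intended client in the intended user pool"]

    flow = RESPONSE_TYPE_TO_FLOW.get(q.get("response_type", ""))
    if flow is None:
        problems.append(f"unsupported response_type {q.get('response_type')!r}")
    elif (not client["AllowedOAuthFlowsUserPoolClient"]
          or flow not in client["AllowedOAuthFlows"]):
        # This is the condition behind "Client is not enabled for OAuth2.0 flows".
        problems.append(f"client is not enabled for the {flow} flow "
                        f"(AllowedOAuthFlowsUserPoolClient={client['AllowedOAuthFlowsUserPoolClient']}, "
                        f"AllowedOAuthFlows={client['AllowedOAuthFlows']})")

    # Cognito matches redirect_uri exactly: scheme, host, port, path, trailing slash.
    if q.get("redirect_uri") not in client["CallbackURLs"]:
        problems.append(f"redirect_uri {q.get('redirect_uri')!r} is not an exact entry "
                        f"in CallbackURLs {client['CallbackURLs']}")

    requested = set(q.get("scope", "").split())
    extra = requested - set(client["AllowedOAuthScopes"])
    if extra:
        problems.append(f"scopes not allowed on the client: {sorted(extra)}")

    if not client["SupportedIdentityProviders"]:
        problems.append("no SupportedIdentityProviders on the client; Hosted UI cannot sign anyone in")

    if flow == "code" and "code_challenge" not in q:
        problems.append("no PKCE code_challenge; public clients should always send one")

    return problems


if __name__ == "__main__":
    base = "https://my-app.auth.us-east-1.amazoncognito.com/oauth2/authorize"
    tail = "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&scope=openid+email&state=s&code_challenge=x&code_challenge_method=S256"
    for cid in ("1example23456789", "9example87654321", "nope"):
        print(cid, preflight(f"{base}?response_type=code&client_id={cid}{tail}"))
```

In a real project the CLIENTS table would be replaced by the output of describe-user-pool-client for each environment; the comparison logic stays the same.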
Use Infrastructure as Code Carefully
If the user pool and client are managed through CloudFormation, Terraform, or another IaC tool, make sure the OAuth settings (allowed flows, callback and sign-out URLs, scopes, supported identity providers, and the domain) are actually represented there. A console-created fix can disappear later if the infrastructure code does not include the matching client settings. The same caution applies to one-off fixes made with the CLI: update-user-pool-client resets every attribute you do not pass to its default value, so a command that only adds a callback URL can silently drop the allowed flows and scopes.
This is a common reason the error seems to "come back" after deployments.
Common Pitfalls
The most common mistake is assuming that an app client automatically supports OAuth just because it exists in the user pool. It does not.
Another mistake is enabling the right flow on one client but using a different client ID in the application.
Teams also forget that callback URLs, scopes, and domain setup are part of the same OAuth contract. Enabling the flow alone is not enough.
Summary
- This error means the selected Cognito app client is not configured for the OAuth flow you requested.
- Enable the correct OAuth flow on that exact app client and configure callback URLs and scopes.
- Verify that the client ID in the request matches the intended client.
- Match the OAuth flow to the real application type, such as web, SPA, or machine-to-machine.
- If you use infrastructure as code, keep the OAuth client settings there so fixes persist across deployments.

