I need to set up AWS Cognito to provide OAuth 2.0 authentication and authorization services for our API. We do not have a UI - it is a machine-to-machine app. I created a User Pool and Authorizer in AWS Cognito. Authentication Flow is set to ALLOW_REFRESH_TOKEN_AUTH. The Identity Provider is Cognito user pool. With OAuth 2.0 grant types set to Client Credentials, this cURL works fine and returns an access_token:
curl \
-u "CLIENT_ID:CLIENT_SECRET" \
-d "grant_type=client_credentials" \
-X POST https://our-user-pool.auth.us-east-1.amazoncognito.com/oauth2/token
But we'd like to use refresh tokens as part of the authorization process, so when I change OAuth 2.0 grant types to Authorization Code Grant,
curl \
-u "CLIENT_ID:CLIENT_SECRET" \
-d "grant_type=authorization_code" \
-X POST https://our-user-pool.auth.us-east-1.amazoncognito.com/oauth2/token
returns an Invalid request error. Are there other settings I'm missing, or maybe other parameters I need to add to the request? Or maybe there's a different endpoint I need to hit for this? I can't find anything in the Cognito docs on how to obtain a refresh token for the first time without a UI.
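The following is an added worked example and is not part of the question above. It builds the /oauth2/token request the way RFC 6749 specifies it for the three grant types mentioned in the question (client authentication in an HTTP Basic header, parameters in a form-encoded body) and refuses to send a request that lacks what the grant needs, so that the mistake shows up locally instead of as an invalid_request response: an authorization_code exchange needs the code and the redirect_uri that produced it, and a refresh_token grant needs the refresh token. It also decodes the returned access token's claims for inspection only, without verifying the signature. The token URL is the one from the question, the client id, secret and scope are placeholders, and the token response is a constructed sample with a dummy signature so the script runs offline; its shape follows RFC 6749 section 4.4.3, under which a client_credentials response carries no refresh token.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed: the user-pool domain from the question; replace with your own.
TOKEN_URL = "https://our-user-pool.auth.us-east-1.amazoncognito.com/oauth2/token"

# Body parameters RFC 6749 requires per grant type, besides grant_type itself.
# For a confidential client the id and secret go in the Authorization header.
REQUIRED_PARAMS = {
    "client_credentials": (),
    "authorization_code": ("code", "redirect_uri"),
    "refresh_token": ("refresh_token",),
}


def missing_params(grant_type, **params):
    """List the parameters the grant type needs that were not supplied."""
    if grant_type not in REQUIRED_PARAMS:
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    return [p for p in REQUIRED_PARAMS[grant_type] if not params.get(p)]


def build_token_request(client_id, client_secret, grant_type, **params):
    """Return (url, headers, body) for a /oauth2/token POST.

    Raises ValueError before anything is sent if a required parameter is
    missing; the server-side symptom of the same mistake is invalid_request.
    """
    missing = missing_params(grant_type, **params)
    if missing:
        raise ValueError(f"{grant_type} requires {', '.join(missing)}")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": grant_type, **params}).encode()
    return TOKEN_URL, headers, body


def post_form(url, headers, body):
    """Real transport: POST the form with urllib and parse the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def fetch_token(client_id, client_secret, grant_type, transport=post_form, **params):
    url, headers, body = build_token_request(client_id, client_secret, grant_type, **params)
    return transport(url, headers, body)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Inspection only (token_use, client_id, scope, exp). Before the API trusts
    a token, verify its signature against the user pool's JWKS and check
    iss, exp and client_id.
    """
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def summarize_response(resp):
    """Report which tokens came back and what the access token claims."""
    claims = jwt_claims(resp["access_token"])
    return {
        "has_refresh_token": "refresh_token" in resp,
        "token_use": claims.get("token_use"),
        "scope": claims.get("scope"),
        "client_id": claims.get("client_id"),
    }


def _fake_jwt(payload):
    """Constructed sample token: real header/payload encoding, dummy signature."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'kid': 'demo'})}.{enc(payload)}.sig"


# Constructed sample of a client_credentials response (no refresh_token field).
SAMPLE_CLIENT_CREDENTIALS_RESPONSE = {
    "access_token": _fake_jwt({"token_use": "access", "client_id": "CLIENT_ID",
                               "scope": "api/read", "exp": 1700000000}),
    "token_type": "Bearer",
    "expires_in": 3600,
}


def offline_transport(url, headers, body):
    """Stands in for post_form so the demo runs without calling Cognito."""
    return SAMPLE_CLIENT_CREDENTIALS_RESPONSE


def demo():
    resp = fetch_token("CLIENT_ID", "CLIENT_SECRET", "client_credentials",
                       transport=offline_transport, scope="api/read")
    return summarize_response(resp)


if __name__ == "__main__":
    print(demo())
```

To hit the real endpoint, call fetch_token without the transport argument; for the authorization_code exchange pass code= and redirect_uri=, and for renewal pass grant_type "refresh_token" with refresh_token=.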