Connect Salesforce and Shopify with Shopify standard OIDC function

Hey @user319 :waving_hand: - thanks for the detailed write-up here, and sorry you’re running into this.

I took a look at our internal logs using the request ID you shared, and I believe I was able to pinpoint the issue. Shopify’s POST to your token endpoint (https://followed-austin-queen-attending.trycloudflare.com/token) is timing out and your endpoint isn’t responding within the window (1 second).

This is likely due to the Cloudflare quick tunnel setup. The round trip through trycloudflare.com may be adding just enough latency that the response doesn’t make it back in time, even though your endpoint is likely responding successfully on its end (which would explain why everything looks fine in your own logs and manual testing works).

Your id_token claims and configuration all look correct from what I can see, so the good news is that once the timeout issue is resolved things should work. I’d recommend deploying your Lambda + API Gateway to a proper hosted environment with a stable domain rather than tunneling through trycloudflare.com; that should bring the response time well under the 1-second limit.

I’m also going to flag this just to confirm the timeout timeline on our end. I’ll pass along the feedback about more verbose error messaging as well, since a timeout should ideally surface differently than a generic “Access token request error.”

Let me know how it goes once you’ve switched to a hosted setup, or if you run into anything else — happy to help further!

Hi @Alan_G ! I’ve spent almost an entire day trying to get Cognito working as an IDP in Shopify. In theory, everything should be configured properly, and I’ve verified that Cognito itself can successfully exchange the authorization code for tokens (including id_token and access_token) when tested directly.

I’ve tried everything I could think of, including making sure that email_verified is properly set to true after reading this thread.

Yet, I still constantly get the enigmatic “Access token request error”. I’m completely out of ideas. Would you be able to help investigate this?


Something went wrong

Access token request error.

Request ID: e6aff3cb-8d60-46bd-80f6-da78242b2247-1770712537

Thanks!

Hey @Thibault :waving_hand:, thanks for flagging this as well.

I took a look at our logs on my end and was able to pinpoint the issue. Shopify’s POST to your token endpoint is timing out too; it looks like your provider isn’t responding within the required window, which causes the generic “Access token request error” you’re seeing. This is actually the same root cause as what @user319 ran into earlier in this thread.

One thing I noticed in the logs is that the request is actually going through Azure AD B2C (b2clogin.com) rather than Cognito — just wanted to flag that in case it helps with debugging on your end. Token endpoints can sometimes have variable latency, especially if you’re running on a test/dev server, so that could be what’s pushing the response time over the limit.

I’d recommend checking the response time of your token endpoint directly (a quick curl -w "%{time_total}" -X POST against it should give you a sense of the latency if you’re familiar with that method) and seeing if there’s anything on the Azure side that could be optimized. Your OIDC configuration itself looks fine from what I can tell, so once the timeout is resolved things should work.

I’ve also passed along some feedback from this thread about making the error messaging more specific and seeing if we can document expected timeout time limits, since a timeout really shouldn’t surface as a generic “Access token request error.”

Let me know how it goes or if I can help further!

Hi @Alan_G ,

Thanks again for digging into the logs and identifying that the failure is due to a timeout on the token endpoint call. That was extremely helpful.

I wanted to share a bit more context from our side and confirm a few details.

Due to company policies and limitations on the B2C setup, we are using AWS Cognito as a front for it (so seeing B2C in the flow is normal). We do it for multiple applications (WordPress, custom SPA apps, etc.).

The authentication flow looks like this:

  1. Shopify redirects to Cognito (/oauth2/authorize).

  2. Cognito federates to Azure AD B2C (b2clogin.com) for authentication.

  3. Azure redirects back to Cognito (/oauth2/idpresponse).

  4. Cognito redirects back to Shopify with the authorization code.

  5. Shopify performs a POST to Cognito’s /oauth2/token endpoint to exchange the code.

From our manual local testing, the token exchange against Cognito succeeds consistently. When we measure it using curl with valid authorization codes, we’re seeing total response times typically around 2.4 to 3.3 seconds (TTFB ~2.5s in several runs). Note that those numbers were from running curl on my local machine (I’m based in SEA), and they should be a bit lower when performed from Shopify’s servers to AWS Cognito’s & Azure’s servers.

What is the actual fixed timeout window (1s, 2s, less)? And is it based on total response time or time to first byte?

Understanding the exact timeout constraint will help us determine whether we need to optimize the Cognito/Azure chain further or consider a different architecture. Given our current use case, Shopify’s native SSO feature might simply be unusable.

Thanks for your help on this, I really appreciate it.
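The two measurements being discussed above, the curl-style latency check Alan suggested and the TTFB-versus-total distinction Thibault asks about, can be tried offline against a stub. The following is an added example written for this thread; it is not Shopify's, AWS Cognito's or Azure's code. The stub token endpoint, its delays, the client id/secret, the authorization code and the redirect URI are all constructed. The 1-second window is the figure Alan quoted earlier; whether Shopify measures time to first byte or total time is not stated anywhere in the thread, so the budget check takes either basis as a parameter.

```python
"""Stub OIDC token endpoint plus a client that reports TTFB and total time for
the code-for-token POST. Added illustration for this thread, not Shopify's or
AWS's code: endpoint, delays, client id/secret, code and redirect URI are
constructed. The 1-second window is the figure quoted earlier in the thread;
whether Shopify measures TTFB or total time is not stated there."""
import http.client
import json
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import parse_qs, urlencode

# Hypothetical relying-party credentials and one-time code (constructed).
CLIENT_ID = "shopify-oidc-client"
CLIENT_SECRET = "not-a-real-secret"
VALID_CODE = "authz-code-123"


def make_handler(header_delay, body_delay):
    """Token endpoint that stalls header_delay seconds before the status line
    and body_delay more before the JSON body, mimicking a slow federation hop
    (Cognito waiting on an upstream IdP) in front of the relying party."""

    class TokenHandler(BaseHTTPRequestHandler):
        def do_POST(self):
            raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
            form = parse_qs(raw.decode())
            ok = (form.get("grant_type") == ["authorization_code"]
                  and form.get("code") == [VALID_CODE]
                  and form.get("client_id") == [CLIENT_ID]
                  and form.get("client_secret") == [CLIENT_SECRET])
            if ok:
                status, payload = 200, {"access_token": "at-constructed",
                                        "id_token": "idt-constructed",
                                        "token_type": "Bearer", "expires_in": 3600}
            else:
                status, payload = 400, {"error": "invalid_grant"}
            body = json.dumps(payload).encode()
            time.sleep(header_delay)            # upstream still working
            try:
                self.send_response(status)
                self.send_header("Content-Type", "application/json")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()              # first byte leaves here (TTFB)
                time.sleep(body_delay)          # body arrives after a further stall
                self.wfile.write(body)
            except (BrokenPipeError, ConnectionResetError):
                pass                            # client gave up; nothing to do

        def log_message(self, *args):           # keep demo output quiet
            pass

    return TokenHandler


def start_stub(header_delay, body_delay):
    """Start the stub on a free loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0),
                                 make_handler(header_delay, body_delay))
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def measure_token_exchange(host, port, code, timeout,
                           client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """POST the authorization code the way a relying party does and time it.
    ttfb  = seconds until status line and headers were received
    total = seconds until the whole body was read (curl's %{time_total})
    A socket timeout is reported in the result rather than raised, since the
    timeout case is the one the thread is about."""
    form = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": "https://shop.example/auth/callback",
                      "client_id": client_id, "client_secret": client_secret})
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    t0 = time.perf_counter()
    try:
        conn.request("POST", "/oauth2/token", body=form,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()               # returns once headers are in
        t_first = time.perf_counter()
        raw = resp.read()                       # blocks until the body is in
        t_done = time.perf_counter()
    except (socket.timeout, TimeoutError):
        return {"timed_out": True, "elapsed": time.perf_counter() - t0,
                "status": None, "ttfb": None, "total": None, "body": None}
    finally:
        conn.close()
    return {"timed_out": False, "status": resp.status,
            "ttfb": t_first - t0, "total": t_done - t0,
            "body": json.loads(raw) if raw else None}


def within_budget(timing, budget_s, basis="total"):
    """True if the exchange completed and the chosen measure ('total' or
    'ttfb') fits the budget; which basis Shopify applies is the open question."""
    return (not timing["timed_out"]) and timing[basis] <= budget_s


if __name__ == "__main__":
    server, port = start_stub(header_delay=0.3, body_delay=0.2)
    for label, limit in (("generous client timeout", 5.0), ("strict", 0.1)):
        print(label, measure_token_exchange("127.0.0.1", port, VALID_CODE, limit))
    server.shutdown()
```

Against a real token endpoint the same two numbers come from curl as `-w '%{time_starttransfer} %{time_total}'`, with `%{time_starttransfer}` being the TTFB figure; measure from a host close to Shopify's egress rather than a laptop in SEA, and use a fresh code each run, since a replayed authorization code is rejected and the error path may be faster than the success path.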

Hey @Alan_G ,

Just following up on my previous question regarding the token endpoint timeout. Do you happen to have more details on the exact timeout window Shopify enforces (and whether it’s based on total response time or TTFB)?

That information would really help us determine the next steps on our side.

Thanks again for your help,

Thibault