createUserPoolClient does NOT persist AllowedOAuthScopes unless followed by updateUserPoolClient

[Adrien30starly]

Describe the bug

When creating a Cognito User Pool App Client using the PHP SDK (CognitoIdentityProviderClient::createUserPoolClient), the AllowedOAuthScopes field is silently ignored.

The call does not fail.
The client is created successfully.
But the OAuth scopes are not stored in the app client.

However, if I immediately call:
updateUserPoolClient([... 'AllowedOAuthScopes' => [...] ])

—then the scopes do get persisted correctly.

The behavior is consistent and reproducible.

This suggests either:

• A bug in the AWS SDK for PHP,
• Or a mismatch between SDK expectations and Cognito’s backend API behavior.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

When calling:
$client->createUserPoolClient([ 'UserPoolId' => 'us-east-1_XXXX', 'ClientName' => 'TestClient', 'AllowedOAuthFlowsUserPoolClient' => true, 'AllowedOAuthFlows' => ['client_credentials'], 'AllowedOAuthScopes' => ['my-api/write'], ])

The created app client should contain:
"AllowedOAuthScopes": ["my-api/write"]

Current Behavior

The app client is created, but:

AllowedOAuthScopes is missing.

No exception is thrown.

describeUserPoolClient confirms the scopes were never stored.

Only after explicitly calling:
updateUserPoolClient(['AllowedOAuthScopes' => ['my-api/write']])
does Cognito persist the scope.

This means the only reliable way to set scopes is:
createUserPoolClient → updateUserPoolClient
Which should not be necessary.

Reproduction Steps

`$client = new CognitoIdentityProviderClient([
'region' => 'eu-west-3',
'version' => 'latest',
'credentials' => [
'key' => 'XXX',
'secret' => 'XXX',
],
]);

$result = $client->createUserPoolClient([
'UserPoolId' => $userPoolId,
'ClientName' => 'ExampleClient',
'GenerateSecret' => true,
'AllowedOAuthFlowsUserPoolClient' => true,
'AllowedOAuthFlows' => ['client_credentials'],
'AllowedOAuthScopes' => ['civ-regulation-api/write'],
]);

$desc = $client->describeUserPoolClient([
'UserPoolId' => $userPoolId,
'ClientId' => $result['UserPoolClient']['ClientId'],
]);

var_dump($desc['UserPoolClient']['AllowedOAuthScopes']);
`

Possible Solution

No response

Additional Information/Context

No response

SDK version used

3 (latest)

Environment details (Version of PHP (php -v)? OS name and version, etc.)

php 8.4 on macbook M1 with macOS version 15.6.1

[stobrien89]

Hi @Adrien30starly,

Sorry to hear about the issues. Did you notice your requests suddenly stopped working? Or has this behavior been present since you've been making these calls?

I checked the service model and everything appears to be correct. It's possible there's been a change on the server side— I'll see what I can find out.

[Adrien30starly]

Hi @stobrien89,

Sorry for the late reply. It was working initially actually. As you said it stopped working suddenly. I am doing further testing since we noticed that it suddenly started working again without calling updateUserPoolClient(['AllowedOAuthScopes' => ['my-api/write']]) just after. I will revert back after finding some more clues.

[stobrien89]

Thanks for the additional info. Because the issue appears to be transient, it's safe to say the SDK isn't causing it. It's most likely a network, routing, etc. issue with the Cognito IDP service. If you see this happen again, take note of the request id (located in $result['@metadata']['headers']) and let us know- we can provide that info to the service team for them to investigate. Closing for now, but will re-open if this starts happening again

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.