We are using Cognito as an IdP. Therefore, users are managed in user pools. For login, we are not using the Hosted UI but instead have built our own custom UI because of customisation requirements. For doing the actual login, we are using the Cognito IdP Actions like AdminInitiateAuth, etc.
We need to integrate this setup with Keycloak. Keycloak is initiating an OAuth2 flow in which we show our login form, perform the login and provide the tokens.
The problem is that Keycloak is sending a "nonce" token when calling the AUTHORIZATION endpoint and expects this "nonce" token to be present in the "id_token" which it receives after successful authentication. With the Cognito Hosted UI this works as expected. However, when using the Cognito IdP API we have not found any way to provide this information as a parameter to have the "nonce" token included in the "id_token".
Are we missing something? What's the right way to do this? Any help is highly appreciated.
Thanks in advance
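The check the question describes Keycloak performing on the id_token, as an added example that is not part of the original question: the relying party verifies the token's signature and then requires the `nonce` claim to equal the value it put in the authorize request, so a token without that claim (the AdminInitiateAuth case) is rejected. The tokens, key and nonce below are constructed, and HS256 with a shared key stands in for Cognito's RS256/JWKS signing to keep the sample self-contained.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS carrying the given claims (constructed sample;
    Cognito itself issues RS256 tokens verified against the pool's JWKS)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_nonce(id_token: str, key: bytes, expected_nonce: str) -> tuple[bool, str]:
    """Relying-party check: signature must verify and the 'nonce' claim must
    equal the nonce sent in the authorization request. Returns (ok, reason)."""
    try:
        header, payload, sig = id_token.split(".")
    except ValueError:
        return False, "malformed token"
    expected_sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        return False, "bad signature"
    nonce = json.loads(_b64url_decode(payload)).get("nonce")
    if nonce is None:
        return False, "nonce claim missing"   # the AdminInitiateAuth situation
    if not hmac.compare_digest(str(nonce).encode(), expected_nonce.encode()):
        return False, "nonce mismatch"        # token bound to a different request
    return True, "ok"

KEY = b"constructed-demo-key"
NONCE = "n-0S6_WzA2Mj"  # constructed: the value Keycloak placed in its authorize request
BASE_CLAIMS = {"iss": "https://cognito-idp.example/pool", "sub": "user-1", "aud": "client-1"}
# Hosted UI flow: the authorize-request nonce is echoed into the id_token.
HOSTED_UI_TOKEN = make_id_token({**BASE_CLAIMS, "nonce": NONCE}, KEY)
# AdminInitiateAuth flow: no nonce parameter exists, so the claim is absent.
API_TOKEN = make_id_token(BASE_CLAIMS, KEY)

if __name__ == "__main__":
    print(verify_nonce(HOSTED_UI_TOKEN, KEY, NONCE))  # (True, 'ok')
    print(verify_nonce(API_TOKEN, KEY, NONCE))        # (False, 'nonce claim missing')
```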