Cognito User Pool External Identity Provider (Auth0) Returns Error at /oauth2/idpresponse

0

I have a Cognito User Pool configured with an external IdP (Auth0). I'm using this arrangement to log in to my NextJS + NextAuth web app.

I'm seeing the following behavior when logging in:

  • My web app detects that no user is logged in and redirects to the NextAuth login screen, which presents a single option to log in with Cognito, which is configured as a NextAuth provider.
  • I've configured Cognito with the identity_provider hint so that it redirects to my Auth0 identity provider. This all works fine.
  • The user logs in with Auth0. This all works fine.
  • Auth0 redirects back to Cognito's /oauth2/idpresponse endpoint with code and state parameters set. This redirect is working.
  • When Cognito's /oauth/idpresponse endpoint processes the request, it redirects to /error, also passing the code and state parameters. There is no additional information in the redirect URL.
  • When Cognito processes the /error request, it returns HTTP 400.

Without additional information from logs or in responses, I can't see what's going on here. Any help would be appreciated.

asked 7 months ago
205 views
2 Answers
0

The issue you're experiencing with Cognito User Pool and your external Identity Provider (Auth0) seems to be related to how Cognito is handling the response from Auth0. There are a few potential reasons for this error:

  1. Configuration mismatch: There might be a discrepancy between the configuration in your Cognito User Pool and the settings in Auth0. This could include mismatched client IDs, redirect URIs, or other OAuth parameters.

  2. Missing or incorrect parameters: The /oauth/idpresponse endpoint might be expecting certain parameters that are not being passed correctly from Auth0. This could include the client_id, which is sometimes dropped during the redirection process.

  3. Token or claim issues: Cognito might be having trouble validating the token or claims received from Auth0. This could be due to incorrect signature validation, mismatched issuers, or other OIDC/OAuth specification violations.

  4. Metadata issues: If Cognito is unable to access or process the metadata from Auth0, it could lead to this kind of error.

To troubleshoot this issue:

  1. Double-check all configuration settings in both Cognito and Auth0 to ensure they match exactly.

  2. Verify that all required OAuth parameters are being passed correctly through the entire flow.

  3. Check the Auth0 logs for any errors or warnings during the authentication process.

  4. Ensure that the Auth0 metadata URL is publicly accessible and contains all required information.

  5. If possible, try using a different external IdP temporarily to see if the issue is specific to Auth0 or if it's a general Cognito configuration problem.

  6. Consider capturing and analyzing the network traffic during the authentication flow to see exactly what's being passed between the different systems.

If the issue persists after these checks, you may need to open a support case with AWS to get more detailed error information and assistance. They can provide access to logs that aren't publicly visible and can help diagnose issues specific to your Cognito configuration.
Sources
Cognito User Pool SAML Federation throwing Unable to contact the configured provider | AWS re:Post
Managed login and federation error responses - Amazon Cognito
ERROR: Bad id_token issuer https://www.linkedin.com/oauth&error=invalid_request when using cognito and using LinkedIn as OIDC provider | AWS re:Post

answered 7 months ago
0

The issue occurred because, though I configured Auth0 as an external IdP, I did not add this IdP as an identity provider to the Cognito User Pool client.

To do this, I followed these steps:

  1. From the User Pool page, click on "App clients" in the left-hand menu under "Applications"
  2. Select your app client from the list that you'd like to use with the IdP
  3. Midway down the page, click on the "Login Pages" tab
  4. Click the "Edit" button to modify the Login Pages config
  5. Under "Identity Providers", add your new IdP in addition to the "Cognito user pool" identity provider

It works now.

answered 7 months ago
AWS
EXPERT
reviewed 7 months ago
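The console steps in the accepted answer correspond to the SupportedIdentityProviders attribute of the app client. The following is an added example (not code from either answer or from AWS) that does the same check and repair through the Cognito API, and also builds the managed-login authorize URL so the identity_provider hint from the question uses the same provider name the app client lists. The pool id, client id, provider name "Auth0" and callback URLs are constructed placeholders; the only AWS calls used are describe_user_pool_client, describe_identity_provider and update_user_pool_client, and they are isolated in apply_update() so the pure functions run without boto3 or credentials.

```python
"""Check and repair an Amazon Cognito app client's enabled identity providers.

Works on the dict returned by DescribeUserPoolClient ("UserPoolClient" key).
Only apply_update() talks to AWS; everything else is pure and testable offline.
"""
from urllib.parse import urlencode

# Attributes DescribeUserPoolClient returns that UpdateUserPoolClient does not
# accept in the request body (UserPoolId and ClientId are passed separately).
READ_ONLY_FIELDS = frozenset(
    {"UserPoolId", "ClientId", "ClientSecret", "LastModifiedDate", "CreationDate"}
)

# Constructed sample shaped like a DescribeUserPoolClient response for an app
# client that only has the built-in "COGNITO" provider enabled, i.e. the state
# described in the question. Placeholder values, not a real pool.
SAMPLE_CLIENT = {
    "UserPoolId": "us-east-1_EXAMPLE",
    "ClientId": "EXAMPLECLIENTID",
    "ClientName": "nextauth-web",
    "SupportedIdentityProviders": ["COGNITO"],
    "CallbackURLs": ["https://app.example.com/api/auth/callback/cognito"],
    "LogoutURLs": ["https://app.example.com/"],
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthScopes": ["openid", "email", "profile"],
    "AllowedOAuthFlowsUserPoolClient": True,
    "ExplicitAuthFlows": ["ALLOW_REFRESH_TOKEN_AUTH"],
    "PreventUserExistenceErrors": "ENABLED",
    "EnableTokenRevocation": True,
    "LastModifiedDate": "2024-01-01T00:00:00Z",
    "CreationDate": "2024-01-01T00:00:00Z",
}


def missing_providers(client_config, required):
    """Return the names in `required` that the app client does not list."""
    enabled = set(client_config.get("SupportedIdentityProviders", []))
    return sorted(set(required) - enabled)


def build_update_params(client_config, provider_name):
    """Build kwargs for update_user_pool_client that enable `provider_name`.

    UpdateUserPoolClient resets every attribute omitted from the call to its
    default, so all writable attributes from the describe output are carried
    over instead of sending SupportedIdentityProviders on its own.
    """
    params = {k: v for k, v in client_config.items() if k not in READ_ONLY_FIELDS}
    providers = list(client_config.get("SupportedIdentityProviders", []))
    if provider_name not in providers:
        providers.append(provider_name)
    params["SupportedIdentityProviders"] = providers
    params["UserPoolId"] = client_config["UserPoolId"]
    params["ClientId"] = client_config["ClientId"]
    return params


def authorize_url(domain, client_id, redirect_uri, provider_name, scopes=("openid", "email", "profile")):
    """Managed-login authorize URL with the identity_provider hint.

    The hint must match the provider name exactly as registered in the pool,
    and that same name must appear in the app client's SupportedIdentityProviders.
    """
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "identity_provider": provider_name,
    }
    return f"https://{domain}/oauth2/authorize?{urlencode(query)}"


def apply_update(user_pool_id, client_id, provider_name, region_name=None):
    """Read the live app client, enable the provider if missing, write it back.

    Requires boto3 and AWS credentials; the import is deferred so the pure
    helpers above stay usable without the SDK installed.
    """
    import boto3

    idp = boto3.client("cognito-idp", region_name=region_name)
    current = idp.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=client_id)["UserPoolClient"]
    if not missing_providers(current, [provider_name]):
        return current
    # Fail loudly on a misspelled provider name (raises ResourceNotFoundException)
    # rather than pointing the app client at a provider the pool does not have.
    idp.describe_identity_provider(UserPoolId=user_pool_id, ProviderName=provider_name)
    idp.update_user_pool_client(**build_update_params(current, provider_name))
    return idp.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=client_id)["UserPoolClient"]


if __name__ == "__main__":
    print("missing:", missing_providers(SAMPLE_CLIENT, ["Auth0"]))
    print(build_update_params(SAMPLE_CLIENT, "Auth0")["SupportedIdentityProviders"])
    print(authorize_url("auth.example.com", "EXAMPLECLIENTID", SAMPLE_CLIENT["CallbackURLs"][0], "Auth0"))
```

Running missing_providers() against the live describe output is a quick way to confirm the diagnosis from the accepted answer before changing anything: an app client that lists only "COGNITO" will accept the identity_provider hint and send the user to the IdP, but the return leg at /oauth2/idpresponse has no enabled provider to map the response to.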
