4

We currently use Google as an OpenID identity provider to our web platform. We need to move away from it. I discovered Amazon Cognito (we already use EC2/S3 and the rest).

I discovered the well_known here: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_UxUwcIy3y/.well-known/openid-configuration

Then I fetched the authorization_endpoint which is https://cognito-idp.us-east-1.amazonaws.com/us-east-1_UxUwcIy3y.

However, no matter what I pass to it, including response_type, scope, client_id, redirect_uri, it always gives me:

{"code":"BadRequest","message":"The server did not understand the operation that was requested.","type":"client"}

With no other information.

There doesn't seem to be any public documentation regarding this feature. Is what I'm trying to do even possible (make Cognito act like Google OpenID IDP)? Does anyone have any documentation regarding what to pass to authorization_endpoint? I understand that the Amazon Cognito Mobile SDK provides a way to embed SSO in apps, but maybe it is not possible to do this directly the way I'm doing. I already set up a user pool.

jn1kk

1 Answer

3

I've encountered the same problem. Unfortunately, it looks like OpenID Connect still isn't supported for Cognito User Pools and you'd need to use Identity Pools. On the AWS Forum I found the following answer:

The authorization endpoint is currently just a placeholder for our future release where we might act as OpenID IDP, but as of today it doesn't do anything and the error you are seeing is expected. We would consider this as a feature request for our future releases.

Oddly enough, because the Using Tokens with User Pools documentation refers to the OpenID Connect specification.

krlm
  • Lol, you linked to my question on the AWS forum. – jn1kk Nov 20 '17 at 16:32
  • @jn1kk - no chance to guess :) However, google directed me here first, the latter hit was AWS Forum, so I just thought that'll copy the answer here. – krlm Nov 20 '17 at 17:13
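The question fetches the discovery document and then calls whatever authorization_endpoint it advertises; the answer explains that, for this user pool, that endpoint was only a placeholder. The script below is an added example (not code from the thread, from jn1kk or krlm, or from AWS) of what a relying party should do in between: validate the discovery document before building an authorization request. It pins the issuer, checks the metadata OpenID Connect Discovery requires, insists that every endpoint is https on the issuer's host, and flags the symptom seen in this thread, an authorization_endpoint that is nothing more than the issuer URL. Both discovery documents are constructed inline (the second uses the hypothetical host idp.example.test); the placeholder check is a heuristic derived from this thread, not a rule from the specification.

```python
import json
from urllib.parse import urlencode, urlparse

# Metadata every OpenID Provider must publish in its discovery document
# (OpenID Connect Discovery 1.0, section 3).
REQUIRED_KEYS = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_UxUwcIy3y"

# Constructed sample: the authorization_endpoint equal to the issuer URL, as the
# question reports, padded with plausible values for the other required fields.
# This is not a capture of the live document.
PLACEHOLDER_DOC = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER,
    "jwks_uri": ISSUER + "/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Constructed sample of what a usable provider publishes (hypothetical host).
USABLE_DOC = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "jwks_uri": "https://idp.example.test/.well-known/jwks.json",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def validate_discovery(raw_json, expected_issuer):
    """Return a list of problems; an empty list means a relying party pinned to
    expected_issuer can use the document for the authorization code flow."""
    doc = json.loads(raw_json)
    problems = []

    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        problems.append("missing required metadata: " + ", ".join(missing))

    # Pin the issuer: a document describing another issuer is never accepted.
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer %r does not match expected %r"
                        % (doc.get("issuer"), expected_issuer))

    # Every endpoint must be https and live on the issuer's own host.
    issuer_host = urlparse(expected_issuer).netloc
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(key)
        if url is None:
            continue
        parts = urlparse(url)
        if parts.scheme != "https" or parts.netloc != issuer_host:
            problems.append("%s is not https on the issuer host: %s" % (key, url))

    # Heuristic from this thread: an authorization_endpoint that is just the
    # issuer URL is a placeholder, not an endpoint that handles requests.
    if doc.get("authorization_endpoint") == doc.get("issuer"):
        problems.append("authorization_endpoint is identical to the issuer (placeholder)")

    # The code flow needs a token endpoint to redeem the code at.
    if "code" in doc.get("response_types_supported", []) and "token_endpoint" not in doc:
        problems.append("response_type 'code' advertised but no token_endpoint")

    return problems


def build_authorization_url(raw_json, expected_issuer, client_id, redirect_uri, state, nonce):
    """Build the authorization request a relying party redirects the browser to,
    but only after the discovery document has passed validation."""
    problems = validate_discovery(raw_json, expected_issuer)
    if problems:
        raise ValueError("unusable discovery document: " + "; ".join(problems))
    endpoint = json.loads(raw_json)["authorization_endpoint"]
    # state binds the response to this browser session; nonce binds the ID token
    # to this request. Both are caller-supplied random values.
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return endpoint + "?" + urlencode(params)


if __name__ == "__main__":
    for name, doc, issuer in (("placeholder", PLACEHOLDER_DOC, ISSUER),
                              ("usable", USABLE_DOC, "https://idp.example.test")):
        print(name, validate_discovery(doc, issuer) or "ok")
```

Run against the constructed placeholder document, the validator reports two problems (the endpoint equals the issuer, and the code flow is advertised without a token endpoint), which matches the BadRequest dead end in the question better than a raw HTTP call would. Fetching the document from the URL in the question and feeding the response body to validate_discovery is the only change needed to use it live.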