C#•10mo ago

Federated Authentication flow - AWS Cognito as IDP - Microsoft Entra MultiTenant app

Federated authentication flow fails to conclude with the following error message:

error_description=Bad+id_token+issuer+https://login.microsoftonline.com/{{tenant_uuid}}/v2.0&error=invalid_request

error_description=Bad+id_token+issuer+https://login.microsoftonline.com/{{tenant_uuid}}/v2.0&error=invalid_request

Landscape:

Globally unique ASP.NET web application responsibe to conclude with the initial authentication (.NET 8.0 ASP.NET hosting an Angular client app + providing backend API for auth flows)
AWS Cognito as Identity provider
Azure Enterprise application (Multitenant) which is used for the authentication process
The user clicks the "Sign in with Microsoft" button --> gets redirected to Cognito (https://{{myDomain}}.auth.{{aws-region}}.amazoncognito.com/oauth2/authorize) passing a clientId --> clientId resolved in Cognito, matched with a registered App within --> User gets redirected to the login URL defined for the app --> user concluded with the authentication --> user gets redirected to cognito --> user gets redirected to the redirect URI

The user gets redirected properly to the Microsoft Entra login page:

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id={{client_uuid}}&redirect_uri=https://{{myDomain}}.auth.{{aws-region}}.amazoncognito.com/oauth2/idpresponse&scope=openid&response_type=code&state={{state_part_1}}.{{state_part2}}.{{state_part3}}

https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id={{client_uuid}}&redirect_uri=https://{{myDomain}}.auth.{{aws-region}}.amazoncognito.com/oauth2/idpresponse&scope=openid&response_type=code&state={{state_part_1}}.{{state_part2}}.{{state_part3}}

Authentication completed and user gets redirected to the registered return URI.

I have played a bit around and if I change the Issuer in Cognito to be specific for my tenant: https://login.microsoftonline.com/{{entra_tenant_uuid}}/v2.0

I can authenticate successfully.
Though, in case of external tenants, this will result in an error because the issuer is invalid.

hanging the issuer to https://login.microsoftonline.com/common/v2.0 -as documented-, not even I can conclude with the authentication and flow ends up in the above error.

I would appreciate any help, suggestion where to look for errors.
Thanks in advance!

NeophyteOP•3/5/25, 10:12 AM

I ain't having a PLUS subscription in AWS Cognito, thus I can't see logs there.
I failed to find relevant logs in Azure logs.

NeophyteOP•3/5/25, 10:14 AM

just for references:
AWS documentation how to establish 3rd party OIDC auth flow https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html
and here
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html

Sehra•3/6/25, 11:44 AM

https://stackoverflow.com/questions/64331213/microsoft-oidc-in-aws-cognito-allowing-multiple-tenants/69237896#69237896

Stack Overflow

Microsoft oidc in AWS Cognito allowing multiple tenants

I'm trying to implement social login using Microsoft account in AWS Cognito User Pools.
I followed documentation and the solution mentioned in this thread:
https://forums.aws.amazon.com/thread.jspa?

Sehra•3/6/25, 11:45 AM

welcome to cognito, it's special

NeophyteOP•3/13/25, 10:59 AM

thx, yeah I have posted it to AWS discord as well.

NeophyteOP•3/13/25, 10:59 AM

just for the record, I have contacted AWS support and got confirmation that out-of-the-box multitenancy is not supported

NeophyteOP•3/13/25, 10:59 AM

the solution I have chosen is

use MSAL to initiate the PKCE auth flow on the client side - https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angular
I have used the redirect approach (it is a bit poorly documented on the webpage, but chatGPT could fill the gap). Popup flow was very much straight forward, but redirect was a bit off for my usecase.
I pass access token and idToken to the backend API.
Backend validates the accessToken with Microsoft
validate the aud of the idToken (to ensure that it match the clientId of my App registration in Entra)
if all valid, take the claims from the token (uid, iss, tid, etc.) and look it up from the internal identity storage and create/update with new info
Check status of user in Cognito and create/update with the new login data.
proceed with post-auth processing on the backend/client side.

GitHub

microsoft-authentication-library-for-js/lib/msal-angular at dev · A...

Microsoft Authentication Library (MSAL) for JS. Contribute to AzureAD/microsoft-authentication-library-for-js development by creating an account on GitHub.