Federated Authentication flow - AWS Cognito as IDP - Microsoft Entra MultiTenant app
Federated authentication flow fails to conclude with the following error message:
error_description=Bad+id_token+issuer+https://login.microsoftonline.com/{{tenant_uuid}}/v2.0&error=invalid_request
Landscape:
- Globally unique ASP.NET web application responsible for concluding the initial authentication (.NET 8.0 ASP.NET hosting an Angular client app + providing the backend API for auth flows)
- AWS Cognito as Identity provider
- Azure Enterprise application (Multitenant) which is used for the authentication process
1. The user clicks the "Sign in with Microsoft" button --> gets redirected to Cognito (https://{{myDomain}}.auth.{{aws-region}}.amazoncognito.com/oauth2/authorize) passing a clientId --> the clientId is resolved in Cognito and matched with an app registered there --> the user gets redirected to the login URL defined for the app --> the user completes the authentication --> the user gets redirected to Cognito --> the user gets redirected to the redirect URI
The user gets redirected properly to the Microsoft Entra login page:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id={{client_uuid}}&redirect_uri=https://{{myDomain}}.auth.{{aws-region}}.amazoncognito.com/oauth2/idpresponse&scope=openid&response_type=code&state={{state_part_1}}.{{state_part2}}.{{state_part3}}
Authentication completed and user gets redirected to the registered return URI.
I have played around a bit, and if I change the Issuer in Cognito to be specific to my tenant: https://login.microsoftonline.com/{{entra_tenant_uuid}}/v2.0 - I can authenticate successfully.
Though, in the case of external tenants, this will result in an error because the issuer is invalid.
Changing the issuer to https://login.microsoftonline.com/common/v2.0 (as documented), not even I can complete the authentication, and the flow ends in the above error.
I would appreciate any help, suggestion where to look for errors.
Thanks in advance!

3 Replies
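An added illustration of the issuer check behind the error in the post above (example code written for this page; it is not the poster's code, nor AWS's or Microsoft's). An Entra ID v2.0 id_token carries iss = https://login.microsoftonline.com/{tid}/v2.0 with the real tenant GUID of the issuing tenant, while the discovery document for /common advertises the issuer as the literal placeholder https://login.microsoftonline.com/{tenantid}/v2.0, so a relying party that compares iss against a single configured string can only ever accept one tenant. The script models that strict comparison (what "Bad id_token issuer" implies) next to the multi-tenant check a relying party can do in its own validation code: iss must match the Entra issuer template, the tenant in the iss path must equal the token's tid claim, and that tenant must be on an allowlist, because an RP that accepts any tenant lets any Entra account sign in. The tenant GUIDs, client id, function names and the unsigned sample tokens are constructed for the demo; a real RP verifies the JWS signature against the issuing tenant's JWKS before reading any claim.

```python
"""
Added example (not from the original post, AWS or Microsoft): issuer
validation for Entra ID v2.0 id_tokens as seen by a federating relying party.

Two policies are modelled:
  strict_issuer_ok       exact match of `iss` against one configured issuer
                         string, which is what "Bad id_token issuer" implies
  multitenant_issuer_ok  template match + tid cross-check + tenant allowlist,
                         what an RP that must accept several tenants does in
                         its own code

Tokens below are constructed and UNSIGNED for illustration. A real RP verifies
the JWS signature against the issuing tenant's JWKS before trusting any claim.
"""
import base64
import json
import re

ENTRA = "https://login.microsoftonline.com/"
# Entra v2.0 issuer shape: the path segment is the issuing tenant's GUID.
# The discovery document for /common advertises the literal placeholder
# https://login.microsoftonline.com/{tenantid}/v2.0, which never equals a
# real token's iss, so one configured issuer string cannot cover all tenants.
ISSUER_RE = re.compile(
    r"https://login\.microsoftonline\.com/"
    r"([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})/v2\.0"
)

# Constructed identifiers (assumptions for the demo only)
TENANT_A = "11111111-1111-1111-1111-111111111111"   # "my" tenant
TENANT_B = "22222222-2222-2222-2222-222222222222"   # an external tenant
CLIENT_ID = "33333333-3333-3333-3333-333333333333"


def _b64url_encode(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict) -> str:
    """Build header.payload.<dummy signature>; constructed, not signed."""
    return f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(claims)}.sig"


def claims_of(id_token: str) -> dict:
    """Decode the payload WITHOUT signature verification (inspection only)."""
    _header, payload, _sig = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def strict_issuer_ok(claims: dict, configured_issuer: str) -> bool:
    """Single-issuer policy: accept only an exact string match."""
    return claims.get("iss") == configured_issuer


def multitenant_issuer_ok(claims: dict, allowed_tenants: set) -> bool:
    """Multi-tenant policy for an RP's own validation code."""
    m = ISSUER_RE.fullmatch(claims.get("iss", ""))
    tid = claims.get("tid")
    if m is None or tid is None:
        return False
    if m.group(1) != tid:          # issuer path and tid claim must agree
        return False
    return tid in allowed_tenants  # never accept arbitrary Entra tenants


def demo() -> dict:
    """Run the situations described in the post; returns case -> accepted."""
    def tok(tenant, iss_tenant=None):
        iss_tenant = iss_tenant or tenant
        return claims_of(make_token({
            "iss": f"{ENTRA}{iss_tenant}/v2.0", "tid": tenant,
            "aud": CLIENT_ID, "sub": f"user@{tenant}",
        }))
    mine, external = tok(TENANT_A), tok(TENANT_B)
    forged = tok(TENANT_B, iss_tenant=TENANT_A)   # iss says A, tid says B
    common_iss = {"iss": f"{ENTRA}common/v2.0", "tid": TENANT_A}
    return {
        # configured issuer = my tenant: works for me, rejects external tenants
        "strict_my_tenant": strict_issuer_ok(mine, f"{ENTRA}{TENANT_A}/v2.0"),
        "strict_my_tenant_external_user": strict_issuer_ok(external, f"{ENTRA}{TENANT_A}/v2.0"),
        # configured issuer = common: nobody matches, the reported error
        "strict_common": strict_issuer_ok(mine, f"{ENTRA}common/v2.0"),
        # RP-side multi-tenant policy
        "mt_allowlisted": multitenant_issuer_ok(mine, {TENANT_A, TENANT_B}),
        "mt_not_allowlisted": multitenant_issuer_ok(external, {TENANT_A}),
        "mt_iss_tid_mismatch": multitenant_issuer_ok(forged, {TENANT_A, TENANT_B}),
        "mt_common_issuer": multitenant_issuer_ok(common_iss, {TENANT_A}),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:32s} {'ACCEPT' if accepted else 'REJECT'}")
```

Running it, the strict_my_tenant row is the tenant-specific issuer setting the poster found working, strict_my_tenant_external_user is the external-tenant failure, and strict_common shows why even the poster's own tenant is rejected once the configured issuer is the common endpoint: no real token ever carries common in its iss. The mt_* rows are the checks an RP implements itself when it must accept several tenants; the iss/tid cross-check and the allowlist are the parts that keep "multi-tenant" from meaning "any tenant".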
I don't have a PLUS subscription in AWS Cognito, thus I can't see logs there.
I failed to find relevant logs in Azure logs. 😦
Just for reference:
AWS documentation how to establish 3rd party OIDC auth flow https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html
and here
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html
Stack Overflow: Microsoft oidc in AWS Cognito allowing multiple tenants
welcome to cognito, it's special