Reputation: 93
I'm not an expert, but it seems like one of the OpenID requirements is to have a /.well-known/openid-configuration endpoint.
It seems like Cognito implements this well as long as you don't use a custom domain, e.g. point your browser to the URL below and you get a properly defined OpenID config JSON.
https://cognito-idp.{your region}.amazonaws.com/{your pool ID}/.well-known/openid-configuration
Now, if you use a custom domain try pointing your browser to the URL below, and you will see there is nothing but an error message:
https://{your poolname}.auth.us-east-2.amazoncognito.com/.well-known/openid-configuration
This is an issue because other apps/frameworks/libraries that rely on OpenID standards fail when trying to connect to a Cognito user pool.
Am I missing something?
Upvotes: 1
Views: 936
Reputation: 3885
Adding a custom domain doesn't change the issuer (the `iss` claim in your tokens) and therefore the discovery URI is unchanged.
Your configured domain will be properly reflected in the configuration document (`/.well-known/openid-configuration`) and clients supporting discovery will be configured with your custom endpoints (authorization, userinfo and token).
Upvotes: 4
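The point the answer makes is that discovery hangs off the issuer, not off the hosted-UI or custom domain, so a relying party should derive the discovery URL from the `iss` value and then check the document's `issuer` field against it. The script below is an added example (not code from AWS, Cognito or either poster) that builds the discovery URL from an issuer, validates a discovery document, and checks a token's `iss` claim against it. The discovery document, pool id `us-east-2_EXAMPLE`, custom domain `auth.example.com` and the unsigned demo token are all constructed placeholders; the shape mirrors what the answer describes (issuer on `cognito-idp.<region>.amazonaws.com`, interactive endpoints on the custom domain).

```python
"""Validate an OpenID Connect discovery document against the expected issuer.

Added example for the Q&A above; not AWS or poster code. Every URL, the pool
id "us-east-2_EXAMPLE" and the domain "auth.example.com" are constructed.
"""
import base64
import json
import urllib.request
from urllib.parse import urlsplit

# Constructed discovery document, shaped like the one served from the issuer
# URL: the issuer stays on cognito-idp.<region>.amazonaws.com while the
# interactive endpoints live on the custom domain.
SAMPLE_DISCOVERY = {
    "issuer": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_EXAMPLE",
    "authorization_endpoint": "https://auth.example.com/oauth2/authorize",
    "token_endpoint": "https://auth.example.com/oauth2/token",
    "userinfo_endpoint": "https://auth.example.com/oauth2/userInfo",
    "jwks_uri": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_EXAMPLE/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Fields OpenID Connect Discovery 1.0 marks REQUIRED for a provider document.
REQUIRED_FIELDS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def discovery_url(issuer: str) -> str:
    """Derive the discovery URL from an issuer, per OpenID Connect Discovery."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def validate_discovery(doc: dict, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means the document is acceptable."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field: {field}")
    # The issuer must match exactly: a relying party that accepts a near-miss
    # here may end up trusting keys from a JWKS it never meant to use.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for field in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        value = doc.get(field)
        if value and urlsplit(value).scheme != "https":
            problems.append(f"{field} is not https: {value}")
    return problems


def unverified_issuer(jwt: str) -> str:
    """Read the iss claim from a JWT without verifying it.

    Used only to decide which issuer's discovery document and JWKS to load;
    the signature must still be verified before any claim is trusted.
    """
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))["iss"]


def issuer_matches(jwt: str, doc: dict) -> bool:
    """True when the token's iss claim equals the discovery document's issuer."""
    return unverified_issuer(jwt) == doc["issuer"]


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Fetch the live document over the network (not used by the offline demo)."""
    with urllib.request.urlopen(discovery_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the offline demo only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    issuer = SAMPLE_DISCOVERY["issuer"]
    print(discovery_url(issuer))
    print(validate_discovery(SAMPLE_DISCOVERY, issuer))
    good = make_unsigned_token({"iss": issuer, "sub": "user-1"})
    print(issuer_matches(good, SAMPLE_DISCOVERY))
    # A token whose iss names the custom domain must not pass: the domain
    # hosts endpoints, but it is not the issuer.
    bad = make_unsigned_token({"iss": "https://auth.example.com", "sub": "user-1"})
    print(issuer_matches(bad, SAMPLE_DISCOVERY))
```

In a real relying party, `fetch_discovery(issuer)` replaces `SAMPLE_DISCOVERY`, and the `jwks_uri` from the validated document is where the signing keys come from; the custom domain only ever appears in the interactive endpoints.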