Integrating Microsoft (both personal and work Azure AD) OIDC with AWS Cognito

I was trying to integrate MSF OIDC with an AWS Cognito user pool. I created a new app registration in Azure AD with "signInAudience": "AzureADandPersonalMicrosoftAccount" and set "issuer": "https://login.microsoftonline.com/common/v2.0" in the Cognito federation settings, along with the other settings. When I try to log in with a work or personal MSF account, it throws an "invalid_request" error with the description "Bad id_token issuer". If I replace the tenant_id "common" in the issuer with a specific tenant_id (for example, 9188040d-6c67-4c5b-b112-36a304b66dad for personal MSF accounts), then the flow works as expected and the authorization code is sent back. Any help would be appreciated!

Durga prasad asked May 07 '21 06:05


1 Answer

Typically, issuer validation is disabled or implemented differently in the case of the common endpoint. If you see the metadata document (https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration), the issuer is specified as "https://login.microsoftonline.com/{tenantid}/v2.0", which is not valid for any tenant.

If you want to allow any tenant, issuer validation should be disabled (I don't know if this is possible in Cognito). If you only want to allow specific tenants, you should check for specific issuer URIs (again, I don't know if this is possible in Cognito).

juunas answered Oct 22 '22 22:10
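As an added example (not from the answer above, and not Cognito's or Microsoft's code), the following Python shows both halves of the point the answer makes: a literal comparison of an id_token's iss against the common metadata issuer can never succeed because that issuer is a template, while a relying party that expands the template with the token's tid claim can validate the issuer per tenant and enforce an allow-list of tenants. The claims and the second tenant id are constructed; the personal-account tenant id is the one quoted in the question, and the id_token signature is assumed to have been verified already.

```python
# Per-tenant issuer validation for Azure AD v2.0 id_tokens obtained through the
# "common" endpoint. Example code, not from the original page. It assumes the
# caller has already verified the id_token signature against the provider's
# JWKS and is now validating claims.

# Issuer value as published by the common v2.0 metadata document.
COMMON_ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/v2.0"

# Tenant id for personal Microsoft accounts, as given in the question.
PERSONAL_TENANT = "9188040d-6c67-4c5b-b112-36a304b66dad"

# Constructed sample claims, as they would appear after signature verification.
SAMPLE_CLAIMS = {
    "iss": f"https://login.microsoftonline.com/{PERSONAL_TENANT}/v2.0",
    "tid": PERSONAL_TENANT,
    "aud": "00000000-0000-0000-0000-00000000abcd",  # constructed client id
    "sub": "constructed-subject",
}


class IssuerError(ValueError):
    """Raised when the id_token issuer is not acceptable."""


def literal_issuer_matches(metadata_issuer, claims):
    """The naive check: compare iss to the metadata issuer verbatim.
    With the common endpoint the metadata issuer still contains the
    literal '{tenantid}' placeholder, so this returns False for every
    real token, which is the 'Bad id_token issuer' failure mode."""
    return claims.get("iss") == metadata_issuer


def validate_issuer(claims, allowed_tenants, template=COMMON_ISSUER_TEMPLATE):
    """Expand the issuer template with the token's tid claim, require iss to
    match it exactly, and require tid to be on the allow-list. Returns the
    tenant id on success and raises IssuerError otherwise. An empty
    allow-list is rejected rather than treated as 'any tenant'."""
    tid = claims.get("tid")
    iss = claims.get("iss")
    if not tid or not iss:
        raise IssuerError("id_token is missing the iss or tid claim")
    expected = template.replace("{tenantid}", tid)
    # Exact string comparison, as OpenID Connect Core requires for iss.
    if iss != expected:
        raise IssuerError(f"Bad id_token issuer: {iss!r} != {expected!r}")
    if not allowed_tenants or tid not in allowed_tenants:
        raise IssuerError(f"tenant {tid} is not on the allow-list")
    return tid
```

Allowing every tenant would mean dropping the allow-list check entirely, which is the "disable issuer validation" option the answer mentions; keep the template expansion either way so that the iss claim is still tied to the tid claim.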