I was trying to integrate MSF OIDC with an AWS Cognito user pool. I created a new app registration in Azure AD with "signInAudience": "AzureADandPersonalMicrosoftAccount" and set "issuer": "https://login.microsoftonline.com/common/v2.0" in the Cognito federation and other settings. When I try to log in with a work or personal MSF account, it throws an "invalid_request" error with the description "Bad id_token issuer". If I replace the tenant_id "common" in the issuer with a specific tenant_id (for example 9188040d-6c67-4c5b-b112-36a304b66dad for personal MSF accounts), then the flow works as expected and sends the authorization code back. Any help would be appreciated!
Typically, issuer validation is disabled or implemented differently in the case of the common endpoint.
If you look at the metadata document (https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration), the issuer is specified as "https://login.microsoftonline.com/{tenantid}/v2.0", which is not valid for any tenant.
If you want to allow any tenant, issuer validation should be disabled (I don't know if this is possible in Cognito). If you only want to allow specific tenants, you should check for specific issuer URIs (again, I don't know if this is possible in Cognito).
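The issuer check the answer describes, written out as an added example (not code from the answerer, Microsoft, or AWS) for the case where you validate the ID token in your own code rather than relying on Cognito's built-in check: it resolves the "{tenantid}" template from the common metadata with the token's tid claim, which is the approach Microsoft documents for multi-tenant apps, and optionally restricts the result to an allowlist of tenants. The sample token is constructed and unsigned, the work-tenant GUID in ALLOWED_TENANTS is hypothetical (only the personal-account GUID comes from the question), and the code assumes the token's signature has already been verified against the provider's jwks_uri.

```python
import base64
import json
import re
from typing import Optional, Set

# Issuer template published by the "common" metadata document
# (https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration).
# It is a template, not an issuer: no real token ever carries this literal string.
COMMON_ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/v2.0"

# Constructed allowlist for the "specific tenants only" case. The first GUID is the
# tenant ID the question gives for personal Microsoft accounts; the second is a
# hypothetical work tenant that exists only in this example.
ALLOWED_TENANTS = {
    "9188040d-6c67-4c5b-b112-36a304b66dad",
    "11111111-2222-3333-4444-555555555555",
}

_GUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Assumption: the signature has ALREADY been verified against the keys at the
    provider's jwks_uri. This helper performs no signature check and must never be
    the only thing standing between an untrusted token and your application.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuer(tid: str) -> str:
    """Resolve the template for one tenant by substituting the token's tid claim.

    tid must be a bare GUID so a crafted value cannot change the shape of the URL.
    """
    tid = tid.lower()
    if not _GUID.fullmatch(tid):
        raise ValueError(f"tid {tid!r} is not a GUID")
    return COMMON_ISSUER_TEMPLATE.replace("{tenantid}", tid)


def validate_issuer(claims: dict, allowed_tenants: Optional[Set[str]] = None) -> str:
    """Check iss against tid for a token obtained through the common endpoint.

    allowed_tenants=None accepts any tenant whose iss and tid agree (the "allow any
    tenant" case); a set additionally restricts the token to those tenants.
    Returns the accepted tenant ID, or raises ValueError.
    """
    iss = claims.get("iss")
    tid = claims.get("tid")
    if not iss or not tid:
        raise ValueError("id_token is missing iss or tid")
    if iss == COMMON_ISSUER_TEMPLATE:
        raise ValueError("issuer is the unresolved {tenantid} template")
    if iss != expected_issuer(tid):
        raise ValueError(f"Bad id_token issuer: {iss!r} does not match tid {tid!r}")
    tid = tid.lower()
    if allowed_tenants is not None and tid not in {t.lower() for t in allowed_tenants}:
        raise ValueError(f"tenant {tid} is not in the allowlist")
    return tid


def issuer_is_valid(claims: dict, allowed_tenants: Optional[Set[str]] = None) -> bool:
    """Boolean wrapper around validate_issuer for callers that prefer no exceptions."""
    try:
        validate_issuer(claims, allowed_tenants)
        return True
    except ValueError:
        return False


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED (alg=none) token for offline demonstration only."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([enc(header), enc(claims), ""])


if __name__ == "__main__":
    personal = make_unsigned_token({
        "iss": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
        "tid": "9188040d-6c67-4c5b-b112-36a304b66dad",
        "aud": "00000000-0000-0000-0000-000000000000",  # placeholder client ID
        "sub": "example-subject",
    })
    claims = decode_claims(personal)
    print("any tenant:", validate_issuer(claims))
    print("allowlisted:", validate_issuer(claims, ALLOWED_TENANTS))
    print("template literal accepted?",
          issuer_is_valid({"iss": COMMON_ISSUER_TEMPLATE, "tid": claims["tid"]}))
```

The two cases the answer distinguishes map onto the allowed_tenants argument: pass None to accept any tenant (iss must still agree with tid, so the unresolved template and a tid that does not match the issuer URL are both rejected), or pass a set of tenant IDs to accept only those issuers.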