Federated Authentication flow - AWS Cognito as IDP - Microsoft Entra MultiTenant app
Federated authentication flow fails to conclude with the following error message:
error_description=Bad+id_token+issuer+https://login.microsoftonline.com/{{tenant_uuid}}/v2.0&error=invalid_request
Landscape:
- Globally unique ASP.NET web application responsible for concluding the initial authentication (.NET 8.0 ASP.NET hosting an Angular client app + providing backend API for auth flows)
- AWS Cognito as Identity provider
- Azure Enterprise application (Multitenant) which is used for the authentication process
1. The user clicks the "Sign in with Microsoft" button --> gets redirected to Cognito (https://{{myDomain}}.auth.{{aws-region}}.amazoncognito.com/oauth2/authorize) passing a clientId --> clientId resolved in Cognito, matched with a registered App within --> User gets redirected to the login URL defined for the app --> user concluded with the authentication --> user gets redirected to cognito --> user gets redirected to the redirect URI
The user gets redirected properly to the Microsoft Entra login page:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id={{client_uuid}}&redirect_uri=https://{{myDomain}}.auth.{{aws-region}}.amazoncognito.com/oauth2/idpresponse&scope=openid&response_type=code&state={{state_part_1}}.{{state_part2}}.{{state_part3}}
Authentication completed and user gets redirected to the registered return URI.
I have played a bit around and if I change the Issuer in Cognito to be specific for my tenant: https://login.microsoftonline.com/{{entra_tenant_uuid}}/v2.0 - I can authenticate successfully.
In the case of external tenants, though, this will result in an error because the issuer is invalid.
Changing the issuer to https://login.microsoftonline.com/common/v2.0 (as documented), not even I can conclude the authentication, and the flow ends up in the above error.
I would appreciate any help, suggestion where to look for errors.
Thanks in advance!
I don't have a PLUS subscription in AWS Cognito, thus I can't see logs there.
I failed to find relevant logs in Azure logs. 😦
just for reference:
AWS documentation on how to establish a 3rd party OIDC auth flow: https://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html
and here
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html
Stack Overflow: Microsoft oidc in AWS Cognito allowing multiple tenants
welcome to cognito, it's special
thx, yeah I have posted it to AWS discord as well.
just for the record, I have contacted AWS support and got confirmation that out-of-the-box multitenancy is not supported
the solution I have chosen is
1. use MSAL to initiate the PKCE auth flow on the client side - https://github.com/AzureAD/microsoft-authentication-library-for-js/tree/dev/lib/msal-angular
2. I have used the redirect approach (it is a bit poorly documented on the webpage, but chatGPT could fill the gap). Popup flow was very much straightforward, but redirect was a bit off for my use case.
3. I pass access token and idToken to the backend API.
4. Backend validates the accessToken with Microsoft
5. validate the aud of the idToken (to ensure that it matches the clientId of my App registration in Entra)
6. if all valid, take the claims from the token (uid, iss, tid, etc.), look them up in the internal identity storage and create/update them with the new info
7. Check status of user in Cognito and create/update with the new login data.
8. proceed with post-auth processing on the backend/client side.
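The issuer check that Cognito's single static issuer string cannot express, as an added example (not code from the thread or from AWS/Microsoft): for a multi-tenant Entra app the v2.0 `iss` claim always carries the concrete tenant id, so the backend validates the issuer against a tenant-specific pattern, cross-checks it with `tid`, and checks `aud` against the app registration client id (steps 4 to 6 above). The client id and tenant id below are placeholders, and signature verification against the issuing tenant's JWKS is assumed to happen separately.

```python
import base64
import json
import re
import time

# Entra v2.0 tokens are issued under the tenant's own issuer; 'common' and
# 'organizations' only appear in authorize URLs, never in a token's iss.
ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(jwt: str) -> dict:
    """Return the JWT claims. Signature verification against the tenant's
    JWKS happens elsewhere; this function deliberately does not do it."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims, client_id, allowed_tenants=None, now=None):
    """Check iss/tid/aud/exp for a multi-tenant app registration and
    return the tenant id the token was issued by."""
    now = time.time() if now is None else now
    match = ISSUER_RE.match(str(claims.get("iss", "")).lower())
    if not match:
        raise ValueError(f"bad id_token issuer {claims.get('iss')}")
    tenant = match.group(1)
    if str(claims.get("tid", "")).lower() != tenant:
        raise ValueError("tid claim does not match issuer tenant")
    if claims.get("aud") != client_id:
        raise ValueError("aud does not match the app registration client id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if allowed_tenants is not None and tenant not in allowed_tenants:
        raise ValueError(f"tenant {tenant} is not allowed to sign in")
    return tenant


def constructed_token(claims: dict) -> str:
    """Build a compact JWT with a dummy signature (constructed sample data)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"


CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder app registration id
TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"    # placeholder external tenant id
```

Passing an allowlist of tenant ids to `validate_claims` restricts sign-in to known organisations; without it any Entra tenant that consents to the multi-tenant app can authenticate.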