Can i use AWS cognito to provide a open id connect endpoint?

user93796 · Dec 6, 2017 · Viewed 10.5k times

I want to use AWS Cognito as an OpenID Connect provider. My AWS Cognito IdP will internally call another OpenID provider of mine to authenticate the user. It will then create its own new token and hand it over to callers as its own.

The OpenID provider used internally by the AWS Cognito pool is transparent to the user. The user only configures AWS Cognito as its IdP.

Use case

  • User authenticates with my AWS IdP
  • My IdP authenticates the user against Google's IdP
  • My IdP decodes the token returned by Google's IdP
  • My IdP creates a new token and adds additional claims
  • My IdP hands over my JWT to the user

Question

  • Is this possible in AWS Cognito?
  • Does an AWS user pool expose an OpenID Connect endpoint?

Answer

Jim Counts · May 5, 2018

Cognito does provide an OpenID Connect endpoint, as detailed in this blog post by @Badri.

The formula for the authority is:

https://cognito-idp.{region}.amazonaws.com/{userPoolId}

And you can verify by checking the metadata URL that something is there

https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration

Then during client pool setup, you can federate with other OIDC providers, and also enable the OIDC provider in the app client settings, which should enable your scenario; it sounds very similar to what I would like to do. However, the blog post misses one crucial piece of configuration, which is setting a domain name for the app integration. This StackOverflow question shows the error you will receive if you do not configure this domain and links to the solution in an answer. Once I set the domain, Badri's code worked for me.