Cognito AUTHORIZATION endpoint - Error handling

0

We're using the Cognito Authentication server to log in users via SAML and OIDC from a custom frontend UI. The AUTHORIZATION endpoint URL (i.e. https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?) is being constructed in a client-side JS app and the user is being redirected using JS (i.e. window.location). Note: We're using the Amplify-JS Auth module to do this.

I'm struggling with error handling...

The documentation outlines error responses here https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

One error case from Docs:

If client_id and redirect_uri are valid, but the request parameters have other problems (for example, if response_type is not included; if code_challenge is supplied but code_challenge_method is not supplied; or if code_challenge_method is not 'S256'), the authentication server redirects the error to client's redirect_uri.

HTTP 1.1 302 Found
Location: https://client_redirect_uri?error=invalid_request


In this case, we removed the response_type parameter, but the user was redirected to the hosted UI:

HTTP 1.1 302 Found
Location: https://mydomain.auth.us-east-1.amazoncognito.com/error?error=Required+parameters+missing

We've tried a few other error cases, e.g. providing an unknown identity_provider, and the same happens... the user is redirected to the hosted UI.

Is this a known issue? Should the AUTHORIZATION endpoint be working as the docs describe?
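An added example, not part of the original post and not Amplify or AWS code: a client-side pre-flight check for the conditions the quoted documentation lists, plus a parser for the error the documentation says arrives at redirect_uri. The function names, the client ID, the app.example.com callback URL, and the use of the standard OAuth state and error_description parameters are assumptions.

```javascript
// Added example. Names and sample values are constructed placeholders.
const AUTHORIZE_URL =
  "https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/authorize";

// Returns the list of problems found; an empty list means the request
// passes the checks the quoted documentation describes.
function checkAuthorizeParams(p) {
  const problems = [];
  // Without these three, the request cannot succeed at all.
  for (const k of ["client_id", "redirect_uri", "response_type"]) {
    if (!p[k]) problems.push(`${k} is missing`);
  }
  if (p.code_challenge && !p.code_challenge_method) {
    problems.push("code_challenge supplied without code_challenge_method");
  }
  if (p.code_challenge_method && p.code_challenge_method !== "S256") {
    problems.push("code_challenge_method must be S256");
  }
  return problems;
}

// Builds the redirect target, refusing locally instead of sending the
// user to an error page on the hosted UI.
function buildAuthorizeUrl(p) {
  const problems = checkAuthorizeParams(p);
  if (problems.length) {
    throw new Error("authorize request rejected: " + problems.join("; "));
  }
  const url = new URL(AUTHORIZE_URL);
  for (const [k, v] of Object.entries(p)) {
    if (v != null && v !== "") url.searchParams.set(k, String(v));
  }
  return url.toString();
}

// Parses the URL the browser lands on at redirect_uri. Query values are
// untrusted input: return them as data, never insert them into HTML.
function parseCallback(href, expectedState) {
  const q = new URL(href).searchParams;
  if (q.has("error")) {
    return { ok: false, error: q.get("error"),
             description: q.get("error_description") };
  }
  if (q.get("state") !== expectedState) return { ok: false, error: "state_mismatch", description: null };
  if (!q.has("code")) return { ok: false, error: "missing_code", description: null };
  return { ok: true, code: q.get("code") };
}
```

The pre-flight check only covers malformed requests built by the app itself; errors Cognito reports on its own /error page, as observed above, never reach parseCallback.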

2 Answers
0

Hi,

If you have provided a valid client_id and redirect_uri then the behavior should be as documented. If this is not the case then please open a support case and we will investigate the behavior further based on the setup you have in your account.

AWS
EXPERT
answered 2 years ago
0

Thanks Mahmoud. Yes, I can confirm we are providing a client_id and corresponding redirect_uri as is configured on our app client.

I'm trying to raise a ticket in the AWS Support Center - is that the right place? It doesn't look like it's possible on the account I'm using - "Technical support is unavailable under Basic Support Plan". Thanks

answered 2 years ago
