We're using the Cognito Authentication server to log in users via SAML and OIDC from a custom frontend UI. The AUTHORIZATION endpoint URL (i.e. https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?) is being constructed in a client-side JS app and the user is being redirected using JS (i.e. window.location). Note: We're using the Amplify-JS Auth module to do this.
I'm struggling with error handling...
The documentation outlines error responses here https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
One error case from the docs:
If client_id and redirect_uri are valid, but the request parameters have other problems (for example, if response_type is not included; if code_challenge is supplied but code_challenge_method is not supplied; or if code_challenge_method is not 'S256'), the authentication server redirects the error to the client's redirect_uri.
HTTP 1.1 302 Found
Location: https://client_redirect_uri?error=invalid_request
In this case, we removed the response_type parameter, but the user was redirected to the hosted UI:
HTTP 1.1 302 Found
Location: https://mydomain.auth.us-east-1.amazoncognito.com/error?error=Required+parameters+missing
We've tried a few other error cases, e.g. providing an unknown identity_provider, and the same happens: the user is redirected to the hosted UI.
Is this a known issue? Should the AUTHORIZATION endpoint be working as the docs describe?