By using AWS re:Post, you agree to the Terms of Use

Cognito Login With Amazon "Token is not from a supported provider of this identity pool." error using JavaScript LWA

0

I have a Login With Amazon (LWA) button on a web page of mine, Configurations shows "Client ID:amzn1.application-oa2-client.87d..." LWA SDK for Javascript is configured as specified in the link. I can click the button and click to allow on the popup, and I am redirected back to the landing page with a URL https://[my/site]?success=null&access_token=Atza...&token_type=bearer&expires_in=3600&scope=profile So far so good.

On that page, I import the AWS SDK, decode the access token URI component, and attempt to get credentials from the Amazon Cognito provider

// Initialize the Amazon Cognito credentials provider
AWS.config.region = 'us-east-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:09...REDACTED...30',
    Logins: {'www.amazon.com': accesstoken }
});
AWS.config.credentials.get((e) => console.log(e,AWS.config.credentials));

which simply returns NotAuthorizedException: Token is not from a supported provider of this identity pool. from what developer tools shows is a POST to https://cognito-identity.us-east-1.amazonaws.com/ with payload {"IdentityPoolId":"us-east-1:09...REDACTED...30","Logins":{"www.amazon.com":"Atza|Iw..."}}

The Cognito/federated identities identity pool dashboard at https://us-east-1.console.aws.amazon.com/cognito/pool/edit/?region=us-east-1&id=us-east-1:09...REDACTED...30 shows under "Authentication providers" Amazon App ID amzn1.application-oa2-client.87d... and under "Authenticated role selection" is "Choose role with rules" where the only rule has claim "email" "Contains" "@redacted.my.domain" is then applied the authenticated role with a default "Role resolution" of DENY.

Edit: I have also tried setting "Role resolution" to "Use default Authenticated role" and the same error persists.

Edit 2: I have tried changing the Logins portion of the payload to Logins: {'www.amazon.com': 'amzn1.application-oa2-client.87d...' } which results in NotAuthorizedException: Invalid login token. I'm pretty sure that's wrong since using the app ID for the token wouldn't be specific to a user but I tried it anyway since some github code did. Most github code seems to use the access token.

What is going wrong here? Why won't Cognito accept the Login With Amazon access token?

  • Ok, I am still not entirely sure why it originally failed, but I was able to have success when I added a Cognito user pool and had that use the login with amazon button. Then I set up the Cognito identity pool to use the user pool and that worked.

1 Answer
0

Hi,

Thank you for contacting us! I understand that you're concerned about receiving the following error message while trying to fetch and use credentials using a Cognito identity pool:

" NotAuthorizedException: Token is not from a supported provider of this identity pool."

  1. This issue usually occurs if the app client used for authenticating the user is different from the app client configured with the identity pool. You may confirm this by checking if the aud value in the identity token is different from what's configured in your identity pool.

If this is issue, please make sure to authenticate against the correct app client by updating your application to use the app client configured with your identity pool.

  1. Another reason for why you may face this issue is if identity pool is configured with an incorrect provider name for user pool. For configuring user pool with identity pool via API CreateIdentityPool, you need to provide the providerName and clientId. The providerName must match with the iss claim of the JWT token. In case of user pools, it is of the format:

cognito-idp.{region}.amazonaws.com/{user-pool-id}

Where {region} is the region where user pool is located at.

Note the following mentioned in the document above:

"After your app user is authenticated, add that user's identity token to the logins map in the credentials provider. The provider name will depend on your Amazon Cognito user pool ID. It will have the following structure:

cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID> The value for <region> will be the same as the region in the User Pool ID. For example, cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789."

If the suggestions above do not help resolve the issue, we might need to troubleshoot based on your configurations. Could you please create a support case instead so we may discuss details on your resource configurations?

Please do not post any sensitive information over re:Post since this is a public platform.

As always, feel free to reach back with any further questions or concerns in the meantime!

SUPPORT ENGINEER
answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions