Allowing multiple tenants with Microsoft OIDC in AWS Cognito


I am implementing a SaaS application to onboard users from Google and Microsoft.

I am trying to enable OIDC-based authentication using Microsoft accounts in AWS Cognito User Pools.

I have created an App in Microsoft Azure Entra ID, with a Multitenant category that allows any tenant from Microsoft or personal accounts.

I have added an Identity provider in the Cognito User pools, and then created a Client in the Application Integration section of the Cognito User pool that uses the newly created Microsoft identity provider.

The above configuration works well if I configure the issuer URL with my tenant id in the URL i.e., https://login.microsoftonline.com/b42efbab-8c3e-4632-a49f-86093cf0ba2c/v2.0

But ideally, this should be a common endpoint, as the issuer could be any tenant, i.e., https://login.microsoftonline.com/common/v2.0

But if I change the issuer URL to the above common URL, the correct Microsoft flow starts. Still, I assume the issuer check in Cognito fails because Microsoft always returns the specific tenant id inside the JWT as part of the issuer, and that results in a bad issuer error.

Error: Bad+id_token+issuer+https%3A%2F%2Fsts.windows.net%2F231a9774-bca7-4379-88f3-8509c87cb5bb&error=invalid_request

Is there any way that AWS Cognito supports multitenant Microsoft applications? Ideally, I would like to configure a built-in solution in Cognito.
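An added example (not part of the question, nor of Cognito or Microsoft) showing why the `common` issuer can never match: the `iss` claim is tenant-specific, so a multi-tenant verifier has to match the issuer pattern and then check the tenant against an allow-list rather than accept tokens from any tenant. The two tenant ids are the ones quoted in the question; the allow-list, the unsigned token builder and the claim values are constructed.

```python
import base64
import json
import re
from typing import Optional

# Constructed: the "common" issuer the question configures, and an allow-list
# holding the question's own tenant id (not a real configuration).
ISSUER_COMMON = "https://login.microsoftonline.com/common/v2.0"
ALLOWED_TENANTS = {"b42efbab-8c3e-4632-a49f-86093cf0ba2c"}

# Microsoft issues tenant-specific issuers: v2.0 tokens carry
# login.microsoftonline.com/{tid}/v2.0, v1.0 tokens carry sts.windows.net/{tid}/
# (the second form is the one visible in the question's error string).
ISSUER_RE = re.compile(
    r"^https://(?:login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0"
    r"|sts\.windows\.net/([0-9a-f-]{36})/)$"
)

def decode_payload(token: str) -> dict:
    """Parse the JWT claims only; the signature must be verified separately
    against the issuing tenant's JWKS before any claim is trusted."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))

def strict_issuer_check(configured: str, claims: dict) -> bool:
    """What a single-issuer OIDC client does: exact string comparison."""
    return claims.get("iss") == configured

def multitenant_issuer_check(claims: dict, allowed: set) -> Optional[str]:
    """Accept only a tenant-specific Microsoft issuer whose tenant is on the
    allow-list and agrees with the token's tid claim; return tid or None."""
    m = ISSUER_RE.match(claims.get("iss", ""))
    if not m:
        return None  # unknown host or malformed issuer
    tid = m.group(1) or m.group(2)
    if tid not in allowed or claims.get("tid", tid) != tid:
        return None  # tenant not onboarded, or iss/tid disagree
    return tid

def constructed_token(iss: str, tid: str) -> str:
    """Unsigned sample token (alg=none), only to exercise the checks above."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc({"iss": iss, "tid": tid, "aud": "app"})}.'
```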

No Answers
