Cognito AUTHORIZATION endpoint - Error handling

0

We're using the Cognito Authentication server to log in users via SAML and OIDC from a custom frontend UI. The AUTHORIZATION endpoint URL (i.e. https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?) is being constructed in a client-side JS app and the user is being redirected using JS (i.e. window.location). Note: We're using the Amplify-JS Auth module to do this.

I'm struggling with error handling...

The documentation outlines error responses here https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

One error case from Docs:

If client_id and redirect_uri are valid, but the request parameters have other problems (for example, if response_type is not included; if code_challenge is supplied but code_challenge_method is not supplied; or if code_challenge_method is not 'S256'), the authentication server redirects the error to client's redirect_uri.

HTTP 1.1 302 Found
Location: https://client_redirect_uri?error=invalid_request


In this case, we removed the response_type parameter, but the user was redirected to the hosted UI:

HTTP 1.1 302 Found
Location: https://mydomain.auth.us-east-1.amazoncognito.com/error?error=Required+parameters+missing

We've tried a few other error cases, i.e. providing an unknown identity_provider, and the same happens: the user is redirected to the hosted UI.

Is this a known issue? Should the AUTHORIZATION endpoint be working as the docs describe?
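
An added example, not part of the original question or of AWS's code: a client-side check for the request problems listed in the documentation quoted above, plus a classifier that tells the documented redirect_uri error redirect apart from the hosted UI /error redirect observed here. The function names, the client ID value and https://app.example.com/callback are constructed for illustration.

```javascript
// Constructed sample values; only the auth domain comes from the question.
const AUTH_DOMAIN = "mydomain.auth.us-east-1.amazoncognito.com";
const REDIRECT_URI = "https://app.example.com/callback"; // assumption

// Return the problems in an /oauth2/authorize URL before redirecting the user.
// The rules are the ones named in the documentation excerpt quoted above.
function checkAuthorizeUrl(authorizeUrl) {
  const params = new URL(authorizeUrl).searchParams;
  const problems = [];
  for (const name of ["client_id", "redirect_uri", "response_type"]) {
    if (!params.get(name)) problems.push(`${name} is missing`);
  }
  if (params.has("code_challenge")) {
    const method = params.get("code_challenge_method");
    if (!method) {
      problems.push("code_challenge supplied without code_challenge_method");
    } else if (method !== "S256") {
      problems.push("code_challenge_method is not 'S256'");
    }
  }
  return problems;
}

// Classify where a 302 Location header sends the user: back to the app's
// redirect_uri (with or without ?error=), to the hosted UI /error page, or
// somewhere else (for example an identity provider's login page).
function classifyRedirect(location, redirectUri, authDomain) {
  const loc = new URL(location);
  const callback = new URL(redirectUri);
  const error = loc.searchParams.get("error"); // "+" decodes to a space
  if (loc.origin === callback.origin && loc.pathname === callback.pathname) {
    return { kind: error ? "client_error" : "client_ok", error };
  }
  if (loc.hostname === authDomain && loc.pathname === "/error") {
    return { kind: "hosted_ui_error", error };
  }
  return { kind: "other", error };
}
```

Running checkAuthorizeUrl before setting window.location catches the missing response_type case locally, so the user never leaves the app for an error page it cannot handle.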

2 Answers
0

Hi,

If you have provided a valid client_id and redirect_uri then the behavior should be as documented. If this is not the case then please open a support case and we will investigate the behavior further based on the setup you have in your account.

AWS
EXPERT
answered 2 years ago
0

Thanks Mahmoud. Yes, I can confirm we are providing a client_id and corresponding redirect_uri as is configured on our app client.

I'm trying to raise a ticket in the AWS Support Center. Is that the right place? It doesn't look like it's possible on the account I'm using: "Technical support is unavailable under Basic Support Plan". Thanks

answered 2 years ago
