How can I configure or redirect the /error endpoint from Cognito User Pool Hosted UI?

0

One of our OIDC providers doesn't send the required state parameter with their requests to our Cognito User Pool hosted UI. (To be clear, we don't want to bypass that).

As expected, hosted UI routes to: https://[our-cognito-hosted-ui-domain]/error?code=[authorization_code]

When logging into our app from the provider, they will not provide the state param -- their instructions were to trigger a login from our side, which works fine (we can initiate a login from our app to the provider -- if the user is logged in with the provider everything works fine and if not, they can enter their credentials on the provider's login page and we get the authorization_code properly). But, I don't know how to redirect that /error endpoint.

The Hosted UI domain builds a "hidden" CloudFront distribution. If it wasn't hidden, I'd be able to put redirect or error page logic. Is there a way to access that distribution? (I don't know its ID, only its URL, which is used in the CNAME record). I feel like I got close using an S3 bucket / CloudFront distribution / A record to try and handle the /error path, but couldn't get that working either.

Has anyone successfully intercepted the /error path and done something with it?

Much appreciated,

Robert Sorkin

2 Answers
0

This can be achieved by adding a custom rule in the Cognito-integrated WAF. Redirect the URI path '/error' to your own URL/page.

If you find the rule does not work with a 302 response code and a custom 'Location' response header, adding an additional JSON response body may do the trick. I tested that and it worked as expected.

BTW, as of Apr 2025 this only works with Hosted UI v1. Managed UI, aka Hosted UI v2, does not support WAF integration yet.

AWS
answered a month ago
AWS EXPERT
reviewed a month ago
  • This is great information - thank you! Of course we're using the Managed UI :-(

  • The good news is, Managed UI started to support WAF integration from April 21, 2025. :-) Just released. The only issue is, if you ever enabled WAF rules while using Managed UI prior to that date, you would need to disable/remove the rule and recreate it.

0

Unfortunately, there isn't a direct way to configure or redirect the /error endpoint from the Cognito User Pool Hosted UI. The Hosted UI is a managed service provided by AWS Cognito, and its error handling is not customizable in the way you're looking for.

The hidden CloudFront distribution that Cognito uses for the Hosted UI is not accessible or configurable by users. This means you can't modify its behavior or add custom error pages or redirects at that level.

While it's not possible to intercept or customize the /error path directly within the Cognito Hosted UI, there are a couple of alternative approaches you might consider:

  1. Instead of relying on the Hosted UI, you could implement a custom UI for your application. This would give you full control over the authentication flow and error handling, allowing you to manage situations where the state parameter is missing.

  2. You could implement a proxy or middleware layer in your application that intercepts requests before they reach the Cognito Hosted UI. This could potentially allow you to add the missing state parameter or handle errors before they reach the Cognito error page.

  3. If possible, work with your OIDC provider to ensure they send the required state parameter. This is the most straightforward solution, as it addresses the root cause of the issue.

  4. You could implement WAF with a rule that redirects anything on the /error path to the URL that you want.

It's worth noting that the state parameter is an important security feature in OAuth 2.0 flows, used to prevent cross-site request forgery (CSRF) attacks. Bypassing this requirement is not recommended from a security standpoint.

If none of these options are feasible, you may need to reach out to AWS support for further assistance or to request this feature. They might be able to provide more specific guidance based on your use case or consider adding this functionality in future updates to the service.

Sources

  • Updating a Cognito Login Error Message | AWS re:Post
  • The managed login sign-out endpoint: /logout - Amazon Cognito

answered a month ago
AWS
SUPPORT ENGINEER
revised a month ago
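Both the first answer and item 4 of the second one describe the same mechanism: a WAF v2 rule on the web ACL attached to the user pool that answers requests for the Hosted UI `/error` path with a custom 302 response carrying a `Location` header (plus a response body, which the first answer found necessary). The block below is an added example, not code from either answer or from AWS: it builds that rule in the shape `wafv2.update_web_acl(Rules=[...], CustomResponseBodies={...})` accepts and evaluates it locally against sample paths so the match can be sanity-checked before deployment. The redirect target, rule name and body key are placeholders you must replace.

```python
"""Build a WAF v2 rule that turns Cognito Hosted UI /error hits into a 302
redirect, and evaluate it locally against sample request paths.

Added example, not taken from the re:Post answers. REDIRECT_TARGET,
RULE_NAME and BODY_KEY are assumed placeholder values."""

from dataclasses import dataclass
from typing import Optional

REDIRECT_TARGET = "https://app.example.com/auth/restart"   # placeholder, assumed
RULE_NAME = "redirect-hosted-ui-error"                     # placeholder, assumed
BODY_KEY = "hosted-ui-error-redirect"                      # placeholder, assumed


def build_custom_response_bodies() -> dict:
    """WebACL-level CustomResponseBodies that the rule references by key.
    The first answer reports the 302 only took effect once a body was attached."""
    return {
        BODY_KEY: {
            "ContentType": "TEXT_HTML",
            "Content": (
                "<html><body>Sign-in could not be completed. "
                f'<a href="{REDIRECT_TARGET}">Restart sign-in</a></body></html>'
            ),
        }
    }


def build_error_redirect_rule(priority: int = 0,
                              constraint: str = "STARTS_WITH") -> dict:
    """Rule in the shape wafv2.update_web_acl(Rules=[...]) expects.

    Matches URI paths beginning with /error (the query string is not part
    of UriPath, so ?code=... does not affect the match) and answers with a
    custom 302 Block response carrying a Location header. Only the Block
    action can return a custom response in WAF; Allow/Count cannot."""
    return {
        "Name": RULE_NAME,
        "Priority": priority,
        "Statement": {
            "ByteMatchStatement": {
                "SearchString": "/error",
                "FieldToMatch": {"UriPath": {}},
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                "PositionalConstraint": constraint,
            }
        },
        "Action": {
            "Block": {
                "CustomResponse": {
                    "ResponseCode": 302,
                    "CustomResponseBodyKey": BODY_KEY,
                    "ResponseHeaders": [
                        {"Name": "Location", "Value": REDIRECT_TARGET}
                    ],
                }
            }
        },
        # Sampled requests and metrics let you see how often the rule fires.
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": RULE_NAME,
        },
    }


@dataclass
class Decision:
    action: str                     # "BLOCK", or "ALLOW" for web ACL default
    status: Optional[int] = None
    location: Optional[str] = None


def evaluate(rule: dict, uri_path: str) -> Decision:
    """Local simulation of the ByteMatchStatement on UriPath, covering the
    EXACTLY and STARTS_WITH constraints only (enough to check this rule)."""
    stmt = rule["Statement"]["ByteMatchStatement"]
    needle, constraint = stmt["SearchString"], stmt["PositionalConstraint"]
    if constraint == "EXACTLY":
        hit = uri_path == needle
    elif constraint == "STARTS_WITH":
        hit = uri_path.startswith(needle)
    else:
        raise ValueError(f"constraint {constraint} not simulated here")
    if not hit:
        return Decision("ALLOW")    # falls through to the web ACL default action
    resp = rule["Action"]["Block"]["CustomResponse"]
    loc = next((h["Value"] for h in resp["ResponseHeaders"]
                if h["Name"].lower() == "location"), None)
    return Decision("BLOCK", resp["ResponseCode"], loc)


if __name__ == "__main__":
    rule = build_error_redirect_rule()
    for path in ["/error", "/error/", "/oauth2/authorize", "/login"]:
        print(path, evaluate(rule, path))
```

The redirect deliberately drops the `?code=...` query string: with no `state` the authorization code should not be consumed, and the landing page should instead start a fresh login from the application side, which the question says already works. Pass `constraint="EXACTLY"` if you want to avoid matching any other path that happens to begin with `/error`. As the first answer notes, the web ACL must be associated with the user pool, and the Managed UI only gained WAF support in April 2025.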
