Where can I find additional logging related to OIDC flow in Cognito


I am using Cognito with an OpenSearch dashboard and am trying to integrate a client with OIDC. The process starts OK: the user is redirected to the IdP, which forwards back to my Cognito instance with a code. However, I then immediately receive https://<cluster_domain>/_dashboards/app/home?error_description=Response+is+malformed.&state=<something>&error=invalid_request

I have validated that the token and user endpoints function manually. Is there somewhere I can get more verbose details about this invalid request?

jarky
asked 2 years ago · 3239 views
1 Answer

Hello,

In regards to Cognito, I would like to shed some light on the logging capabilities -

----- CloudTrail -----

  1. Amazon Cognito is integrated with AWS CloudTrail
  2. CloudTrail captures a subset of API calls for Amazon Cognito as events, including calls from the Amazon Cognito console and from code calls to the Amazon Cognito API operations.
  3. Please note though that the Hosted UI and federation calls are currently not included in CloudTrail.

https://docs.aws.amazon.com/cognito/latest/developerguide/logging-using-cloudtrail.html

If you wanted to filter in CloudTrail a specific API call, you can use, for example, the 'EventName: ListUserPools' filter in the CloudTrail Event History console. You can also search for any API call made to your account's User Pools by using the 'Event Source: cognito-idp.amazonaws.com' filter. You can find a sample Cognito CloudTrail event log in reference here - https://docs.aws.amazon.com/cognito/latest/developerguide/logging-using-cloudtrail.html#understanding-amazon-cognito-entries

Furthermore, the CloudTrail service logs User Pool API calls that received an HTTP response from the cognito-idp service. Requests that failed due to routing issues, TLS errors, or other client/server side issues are not logged in CloudTrail.

----- Advanced Security Feature -----

The other option available in Cognito is "Advanced Security". This feature can be fully enabled or run only in audit mode which does not act on any events, but only logs login events which should allow you to see the login attempts. The "Audit Only" mode also publishes event statistics to CloudWatch. These login events are logged under each user profile which means they only log events for users who are in the system. So you will not be able to see events for non-existing users for example.

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html

----- OIDC -----

In regards to the OIDC workflow - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html

- Your user lands on the Amazon Cognito built-in sign-in page, and is offered the option to sign in through an OIDC IdP such as Salesforce.

- Your user is redirected to the OIDC IdP's authorization endpoint.

- After your user is authenticated, the OIDC IdP redirects to Amazon Cognito with an authorization code.

- Amazon Cognito exchanges the authorization code with the OIDC IdP for an access token.

- Amazon Cognito creates or updates the user account in your user pool.

- Amazon Cognito issues your application bearer tokens, which might include identity, access, and refresh tokens.

Logging of the external IdP flow is best captured with HAR logs, to check every HTTP GET, POST and redirect (request and response parameters).

https://aws.amazon.com/premiumsupport/knowledge-center/support-case-browser-har-file/

Other than that, if there are any authentication issues with credentials on the third-party IdP side, you can query the log of that third-party identity provider directly to check for any errors.

----- Error at hand -----

-> error=invalid_request

This would usually indicate an issue with the request parameters. "If client_id and redirect_uri are valid, but the request parameters have other problems (for example, if response_type is not included; if code_challenge is supplied but code_challenge_method is not supplied; or if code_challenge_method is not 'S256'), the authentication server redirects the error to client's redirect_uri."

HTTP 1.1 302 Found
Location: https://client_redirect_uri?error=invalid_request

https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html

-> "is there somewhere I can get more verbose details about this invalid request." In this specific case, to answer your question, we require details that are non-public information related to your configurations to be able to troubleshoot your environment. Please open a support case with AWS using the following link - https://console.aws.amazon.com/support/home#/case/create

AWS
SUPPORT ENGINEER
Yash_C
answered 2 years ago
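As an added illustration (not part of the answer above, and not AWS code), the following Python script does two things a practitioner would do when triaging this error: it parses the error redirect the asker received into its error, error_description and state fields, and it checks an outgoing /oauth2/authorize request against the parameter rules quoted from the Cognito documentation. The client IDs, redirect URIs and sample URL are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample, shaped like the redirect in the question (all values are placeholders).
SAMPLE_REDIRECT = (
    "https://example-cluster.example.com/_dashboards/app/home"
    "?error_description=Response+is+malformed.&state=abc123&error=invalid_request"
)


def parse_oauth_error(redirect_url, expected_state=None):
    """Extract error, error_description and state from an OAuth/OIDC error redirect.

    If expected_state is given, also report whether the returned state matches the
    one the client sent (a mismatch means the response cannot be tied to our request).
    """
    params = parse_qs(urlparse(redirect_url).query)
    result = {k: params.get(k, [None])[0] for k in ("error", "error_description", "state")}
    if expected_state is not None:
        result["state_ok"] = result["state"] == expected_state
    return result


def check_authorize_request(params, known_client_ids, registered_redirect_uris):
    """Return a list of problems with an authorization request, per the rules
    quoted from the Cognito authorization-endpoint documentation (empty list = OK).
    """
    problems = []
    # Errors are only redirected back to the client once client_id and redirect_uri are valid.
    if params.get("client_id") not in known_client_ids:
        problems.append("client_id is not a known app client")
    if params.get("redirect_uri") not in registered_redirect_uris:
        problems.append("redirect_uri is not registered for this app client")
    if "response_type" not in params:
        problems.append("response_type missing -> invalid_request")
    if "code_challenge" in params:
        method = params.get("code_challenge_method")
        if method is None:
            problems.append("code_challenge supplied without code_challenge_method -> invalid_request")
        elif method != "S256":
            problems.append("code_challenge_method must be 'S256' -> invalid_request")
    return problems


if __name__ == "__main__":
    print(parse_oauth_error(SAMPLE_REDIRECT, expected_state="abc123"))
    bad = {"client_id": "app1", "redirect_uri": "https://example.com/cb", "code_challenge": "xyz"}
    print(check_authorize_request(bad, {"app1"}, {"https://example.com/cb"}))
```

Because parse_qs URL-decodes the query, the '+' in the description comes back as a space, which is what the asker sees in the browser.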
