User pool third-party OIDC - token request


I am setting up a third-party OIDC provider with my Cognito user pool that is only enabled for using the Authorization code grant. I've noticed that when AWS makes the request to my token endpoint, it includes the Client ID and Client Secret as fields in the POST request body, rather than in the Authorization header. Is there any configuration that can change this behavior to the more standard use of the Authorization header?

asked 10 months ago79 views
1 Answer
Accepted Answer


There is no configuration to change this behavior currently, Cognito uses client_secret_post when communicating with the external IdP.

answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions