Error while implementing Azure AD as OIDC provider in AWS Cognito - (401 error getting token)

Hi, We tried to implement Azure Active Directory SSO (Microsoft Login) in our Cognito UserPool via Open ID Connect using the instructions available on https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-provider.html#cognito-user-pools-oidc-providers .

The steps we followed:

We created an Azure App (https://portal.azure.com) and linked it to Cogntio userpool by providing following OIDC details.

1. Issuer: https://login.microsoftonline.com/common/v2.0
2. Client ID: Client ID of the Azure Application
3. Attributes request method : GET
4. Authorize scope: openid email
5. Client Secret: Client Secret of the Azure Application.

Once we created the OIDC, we enabled it in our app client settings and matched the relevant attributes such as email in Attributes Mapping section.

In our Azure App, we provided the following settings

1. redirect URI: https://{{Cognito_Hosted_UI_Domain}}/oauth2/idpresponse

Now at Cognito Hosted UI, while trying to login, we are able to see the Microsoft Login oAuth Popup, but once we sign in, we are redirected back to our callback url with the error message on callback url https://{{callback_url_domain}}/cb?error_description=Microsoft+Error+-+401+error+getting+token&error=invalid_request

We checked the Azure Portal Sign-Ins Tab and we could see that our logins are successful. So we are assuming that this is a problem from Cognito Side.

It would be helpful if we could some guidance on this issue.

UPDATE:

The 401 Error occurred because I had passed the client secret id instead of client secret value. This resulted in new following error

https://<CallBackURL>/cb?error_description=Bad+id_token+issuer+https%3A%2F%2Flogin.microsoftonline.com%2F<AzureADTenanatID>%2Fv2.0&error=invalid_request

We contacted AWS Support regarding this and they responded saying

Cognito doesn't yet support multi-tenant authentication. As per the current implementation of Cognito, issuer we register in Cognito for the OIDC provider must correspond to "iss" attribute in ID token sent by your IdP for successful authentication into Cognito. In your configuration, you are trying to set the Issuer URL in Cognito as ""https://login.microsoftonline.com/common/v2.0 "", however the issuer URL sent for any tenant is in the format, "https://login.microsoftonline.com/{tenant_id}/v2.0 " which results in a issuer URL mismatch. As Cognito expects the issuer URL to be exact match, you would observe "Bad id_token issuer" error. 

They also assured that there is an existing feature request with their internal service team for multi-tenant support for OICD providers with Cognito but can't share the ETA for this feature and asked us to keep an eye on the following pages for new features

• https://aws.amazon.com/new/
• https://aws.amazon.com/blogs/aws/tag/announcements/
• https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-document-history.html