Cannot add Cognito authentication to AWS load balancer (ELB)
I am trying to add Cognito authentication to my load balancer following https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html?icmpid=docs_elbv2_console.

When I set up the authentication process, I only have the "oidc" type, but I expect a "cognito" type.

When I try the REST API, I have the same problem:

Action type 'authenticate-cognito' must be one of 'redirect,fixed-response,forward,authenticate-oidc'

Cognito is not available.

Am I missing some permissions? I am an AmazonCognitoPowerUser.

Vivisectionist answered 14/1, 2021 at 12:5 Comment(0)

I had the exact same issue in region eu-west-3, and it's probably a bug at Amazon that cost me a day of my life.
The good thing is that you can actually configure Authenticate OIDC to behave exactly like Authenticate Cognito:

  • Issuer: https://cognito-idp.eu-west-3.amazonaws.com/[pool-id] (make sure to use pool-id and not pool-name)
  • Authorization endpoint: https://[pool-name].auth.eu-west-3.amazoncognito.com/oauth2/authorize
  • Token endpoint: https://[pool-name].auth.eu-west-3.amazoncognito.com/oauth2/token
  • User info endpoint: https://[pool-name].auth.eu-west-3.amazoncognito.com/oauth2/userInfo

The other info to fill should be straightforward.
Make sure to select your scope(s) in the advanced settings and to allow HTTPS outbound traffic on your load balancer security group.

The Callback URL of your App client in Cognito should be:

  • https://[CNAME]/oauth2/idpresponse if using a custom domain to access your final app
  • https://[DNS]/oauth2/idpresponse if using the load balancer DNS name to access your final app
Deepseated answered 11/5, 2021 at 10:55 Comment(3)
[pool-name], or more often [custom-domain-name] if you have one. – Mines
eu-north-1 is also missing this feature, so I went with the same workaround. Is there any benefit to the "Cognito" authentication as opposed to OIDC other than the slightly simplified config? – Jeremyjerez
With this workaround I can only authenticate one app client, I guess? – Jell
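The mapping in the answer above, written out as an added example (not code from the answerer or from AWS): a small Python helper that derives the four OIDC endpoints from a Cognito user pool ID and hosted UI domain, refuses a pool *name* where the Issuer needs the pool *ID*, and returns the listener action list in the shape that `aws elbv2 modify-listener --default-actions` / boto3 `modify_listener(DefaultActions=...)` accept. The pool ID, domain prefix, client ID, secret and target group ARN in the `__main__` block are placeholder values, not real resources.

```python
import json
import re

# A Cognito user pool ID looks like "<region>_<alphanumerics>", e.g. eu-west-3_AbCdEfGhI.
# The pool *name* shown in the console does not have this shape and will not work as Issuer.
POOL_ID_RE = re.compile(r"^(?P<region>[a-z]{2}-[a-z]+-\d)_[A-Za-z0-9]+$")


def is_user_pool_id(value: str) -> bool:
    """True for a user pool ID (what the Issuer URL needs), False for a pool name."""
    return POOL_ID_RE.match(value) is not None


def cognito_hosted_ui_base(region: str, domain: str) -> str:
    """Base URL of the Cognito hosted UI that serves /authorize, /token and /userInfo.

    `domain` is either the Cognito domain prefix (no dot) or a custom domain
    such as auth.example.com (contains a dot), as the comments above point out.
    """
    host = domain if "." in domain else f"{domain}.auth.{region}.amazoncognito.com"
    return f"https://{host}/oauth2"


def cognito_oidc_actions(region, user_pool_id, domain, client_id, client_secret,
                         target_group_arn, scope="openid", session_timeout=604800,
                         on_unauthenticated="authenticate"):
    """Build [authenticate-oidc, forward] listener actions equivalent to authenticate-cognito."""
    m = POOL_ID_RE.match(user_pool_id)
    if not m:
        raise ValueError(
            f"{user_pool_id!r} is not a user pool ID (expected e.g. eu-west-3_AbCdEfGhI); "
            "use the pool ID, not the pool name")
    if m.group("region") != region:
        raise ValueError(f"pool {user_pool_id} is not in region {region}")
    if "openid" not in scope.split():
        raise ValueError("scope must include 'openid' for the ALB to obtain an ID token")

    base = cognito_hosted_ui_base(region, domain)
    return [
        {
            "Type": "authenticate-oidc",
            "Order": 1,
            "AuthenticateOidcConfig": {
                # Issuer is the user pool itself (pool ID), not the hosted UI domain.
                "Issuer": f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}",
                "AuthorizationEndpoint": f"{base}/authorize",
                "TokenEndpoint": f"{base}/token",
                "UserInfoEndpoint": f"{base}/userInfo",
                "ClientId": client_id,
                "ClientSecret": client_secret,
                "Scope": scope,
                "SessionTimeout": session_timeout,
                "OnUnauthenticatedRequest": on_unauthenticated,
            },
        },
        {"Type": "forward", "Order": 2, "TargetGroupArn": target_group_arn},
    ]


def callback_url(app_host: str) -> str:
    """Callback URL to register on the Cognito app client (CNAME or ALB DNS name)."""
    return f"https://{app_host}/oauth2/idpresponse"


if __name__ == "__main__":
    # Placeholder values only; substitute your own pool, domain, client and target group.
    actions = cognito_oidc_actions(
        region="eu-west-3",
        user_pool_id="eu-west-3_AbCdEfGhI",
        domain="my-app",
        client_id="1example23456789",
        client_secret="example-secret",
        target_group_arn="arn:aws:elasticloadbalancing:eu-west-3:123456789012:targetgroup/app/0123456789abcdef",
    )
    print(json.dumps(actions, indent=2))
    print("Callback URL for the app client:", callback_url("app.example.com"))
```

Pass the printed list as `--default-actions` to `aws elbv2 modify-listener` (or as `DefaultActions=` to boto3's `modify_listener`), and register the printed callback URL on the app client. The security group check from the answer still applies: the load balancer itself calls the token and userInfo endpoints, so it needs outbound HTTPS.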

I had the same issue; I was on eu-west-3.

By switching to eu-west-1 or us-east it works perfectly.

I guess the option isn't fully deployed yet.

Indue answered 26/3, 2021 at 13:13 Comment(1)
Nine and a half months later, it still isn't fully deployed. Weird. – Fiftyfifty