Using Microsoft as an IdP in AWS Cognito
I'm trying to implement social login using Microsoft account in AWS Cognito User Pools.

I have followed the documentation from AWS for Cognito in order to configure the User Pool to allow OpenID Connect authentication: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-provider.html#cognito-user-pools-oidc-providers

And the documentation to use Microsoft as an Identity Provider: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc - using the V2 endpoint is necessary, from what I understand, if I've registered an app at Microsoft here: https://apps.dev.microsoft.com and I want to authenticate @live accounts.

So I have followed these steps:

  • Registered an app at Microsoft: https://apps.dev.microsoft.com/ and added a web platform to the config with a redirectURL: https://myapp.com/socialSignIn
  • Set up the User Pool in AWS Cognito and added an app client for it
  • Configured an OpenID Connect Provider for the user pool with the needed Microsoft config data (application Id and private key from the registered app at Microsoft and authentication/token/UserInfo/Jwks endpoints from https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration)
  • Configured the app client in Cognito to use Microsoft as Identity Provider and added the allowed OAuth flows to be code grant and enabled openId as allowed OAuth scopes and added a callback URL: https://myapp.com/socialSignIn (the same url as the one configured for the Microsoft app)
  • Configured the Amazon Cognito domain name for the User Pool in order to use the built-in sign-in page

So I'm trying to test the social login flow using the sign-in page that is provided by Amazon Cognito that is accessible under the URL: https://sso-module.auth.eu-central-1.amazoncognito.com/login?response_type=code&client_id=19tsqvqibqpg617c5kplhqjuba&redirect_uri=https://myapp.com/socialLogin

After choosing to log in with the configured Microsoft IDP I am redirected to the Microsoft login page, and after entering my Microsoft Live account username I get the error: "The provided value for the input parameter 'redirect_uri' is not valid. The expected value is 'https://login.live.com/oauth20_desktop.srf' or a URL which matches the redirect URI registered for this client application"

Also, when I get redirected to the Microsoft login page I see in the URL that the redirect_uri param is set to the Cognito sign-in page, not the URL that I have configured in Cognito for the app client.

Have I missed something or what should I do to make this work?

Sputter answered 13/12, 2018 at 13:33

Comment (Appenzell): Did you get this to work?

I fixed it by setting https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0 as the issuer in my Microsoft OIDC Provider in Cognito.

I also configured the attributes mapping for name and email for this provider.

The redirect URL configured in https://apps.dev.microsoft.com/#/application/{your app id} must be https://{your Amazon Cognito Domain}/oauth2/idpresponse

And you need to enable the provider under App Integration > App client settings of your Cognito User Pool.

Browne answered 19/5, 2019 at 10:42

Comment (Puffer): This is a solution indeed if you only have to make your application work with all private Microsoft accounts, but if you have to make your application work with private accounts and any education and work tenant (multi-tenant app) then this won't work - see this question: https://mcmap.net/q/807438/-microsoft-oidc-in-aws-cognito-allowing-multiple-tenants/5276779
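
Added example (not code from the question, the answer, or AWS/Microsoft): a small Python check that reproduces the two rules behind the accepted answer. It assumes, as OpenID Connect requires of any relying party, that Cognito compares the id_token's `iss` claim exactly against the configured issuer, which is why the `{tenantid}` template published by the /common discovery document and a work tenant's own GUID both fail; the Cognito domain and tenant GUIDs below are constructed sample values.

```python
"""Sanity checks for a Cognito <-> Microsoft (v2.0) OIDC provider configuration."""
import base64
import json

# Constructed sample values: a Cognito hosted-UI domain and the issuer the answer
# above recommends for personal Microsoft accounts (the "consumers" tenant).
COGNITO_DOMAIN = "sso-module.auth.eu-central-1.amazoncognito.com"
CONSUMERS_ISSUER = "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0"
# The issuer string published by the /common discovery document is a template,
# so it can never equal the `iss` claim carried by a real token.
COMMON_ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/v2.0"


def cognito_idp_redirect_uri(cognito_domain: str) -> str:
    """Redirect URI that must be registered at Microsoft: Cognito itself, not the
    application callback, receives the authorization code and finishes the exchange."""
    return f"https://{cognito_domain}/oauth2/idpresponse"


def unverified_claims(id_token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is not checked here."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_provider_config(cognito_domain: str, registered_redirect_uri: str,
                          configured_issuer: str, id_token: str) -> list:
    """Return the misconfigurations that would make this login fail."""
    problems = []
    expected = cognito_idp_redirect_uri(cognito_domain)
    if registered_redirect_uri != expected:
        problems.append(f"redirect_uri registered at Microsoft must be {expected}")
    iss = unverified_claims(id_token).get("iss")
    if iss != configured_issuer:  # relying parties compare `iss` for exact equality
        problems.append(f"issuer mismatch: token says {iss}, provider expects {configured_issuer}")
    return problems


def make_sample_id_token(claims: dict) -> str:
    """Constructed, unsigned token used only to feed the check above."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


if __name__ == "__main__":
    personal = make_sample_id_token({"iss": CONSUMERS_ISSUER, "sub": "sample-user"})
    # Questioner's setup: app callback registered at Microsoft, /common issuer template.
    print(check_provider_config(COGNITO_DOMAIN, "https://myapp.com/socialSignIn",
                                COMMON_ISSUER_TEMPLATE, personal))
```

Running the block reports both problems for the questioner's original setup and none once the idpresponse URI and the consumers-tenant issuer are used; a token from a work tenant still reports the issuer mismatch the comment above describes.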

© 2022 - 2024 — McMap. All rights reserved.