Shibboleth OIDC and AWS Cognito

Liam Hoekenga liamr at
Tue Jul 2 18:13:14 EDT 2019

You can tell the IDP to use client_secret_post by adding this to the
metadata for the given SP...


On Tue, Jul 2, 2019 at 4:04 PM Wessel, Keith <kwessel at> wrote:

> Hi, all,
> Has anyone attempted to use AWS Cognito as a client against a Shibboleth
> IdP with OIDC support? Our developers are trying this and running into an
> error that I've seen before with locally developed clients:
> 2019-07-02 15:49:08,600 - WARN
> [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:206]
> - Profile Action ValidateEndpointAuthentication: Unrecognized client
> authentication com.nimbusds.oauth2.sdk.auth.ClientSecretPost at 35f57c94 for
> client_secret_basic
> The fix for the locally developed client was to use HTTP basic auth for
> the client authentication, but we don't seem to have that flexibility with
> Cognito. Does anyone know what combination of settings for a Cognito user
> pool or client configuration in Cognito land works with the Shib OIDC
> implementation?
> Thanks,
> Keith
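The log line in the quoted message shows a client presenting ClientSecretPost where client_secret_basic was expected. The following is an added sketch of that check at a token endpoint, not code from Shibboleth, the OIDC extension or Cognito; the registry layout, client id and secret are constructed, and the header name is assumed to be normalized to "Authorization".

```python
import base64
import binascii
import hmac
from urllib.parse import parse_qs, unquote_plus

# Constructed registration record; client id and secret are placeholders.
REGISTERED = {"demo-client": {"secret": "s3cr3t-placeholder",
                              "token_endpoint_auth_method": "client_secret_basic"}}

def presented_credentials(headers, body):
    """Return (method, client_id, secret) as presented in a token request."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    has_basic = auth[:6].lower() == "basic "
    has_post = "client_secret" in form
    if has_basic and has_post:
        # RFC 6749 section 2.3: only one authentication method per request
        raise ValueError("more than one client authentication method")
    if has_basic:
        try:
            raw = base64.b64decode(auth[6:].strip(), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("malformed Basic credentials") from exc
        cid, sep, secret = raw.partition(":")
        if not sep:
            raise ValueError("malformed Basic credentials")
        # RFC 6749 section 2.3.1: both parts are form-urlencoded before base64
        return "client_secret_basic", unquote_plus(cid), unquote_plus(secret)
    if has_post:
        return "client_secret_post", form.get("client_id", ""), form["client_secret"]
    return "none", form.get("client_id", ""), ""

def authenticate_client(headers, body, registry=REGISTERED):
    """Reject a request whose method differs from the registered one."""
    method, cid, secret = presented_credentials(headers, body)
    client = registry.get(cid)
    if client is None:
        return False, "unknown client"
    expected = client["token_endpoint_auth_method"]
    if method != expected:
        # The situation in the quoted log: right secret, wrong transport
        return False, f"presented {method}, registered {expected}"
    if not hmac.compare_digest(secret.encode(), client["secret"].encode()):
        return False, "bad secret"
    return True, method
```

A correct secret sent in the form body is still rejected until the registered method for that client is changed to client_secret_post, which is what the reply above proposes.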