Shibboleth OIDC and AWS Cognito

Wessel, Keith kwessel at illinois.edu
Wed Jul 3 11:33:54 EDT 2019


Thanks, Liam. That seems to have fixed it. I assume valid values for this parameter are client_secret_post and client_secret_basic? Can only one be specified in the client metadata, or can both be specified so either will work dynamically?

Keith


From: users <users-bounces at shibboleth.net> On Behalf Of Liam Hoekenga
Sent: Tuesday, July 2, 2019 5:13 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Shibboleth OIDC and AWS Cognito

You can tell the IDP to use client_secret_post by adding this to the metadata for the given SP...
    "token_endpoint_auth_method":"client_secret_post"

Liam

On Tue, Jul 2, 2019 at 4:04 PM Wessel, Keith <kwessel at illinois.edu> wrote:
Hi, all,

Has anyone attempted to use AWS Cognito as a client against a Shibboleth IdP with OIDC support? Our developers are trying this and running into an error that I've seen before with locally developed clients:
2019-07-02 15:49:08,600 - WARN [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:206] - Profile Action ValidateEndpointAuthentication: Unrecognized client authentication com.nimbusds.oauth2.sdk.auth.ClientSecretPost@35f57c94 for client_secret_basic

The fix for the locally developed client was to use HTTP Basic auth for the client authentication, but we don't seem to have that flexibility with Cognito. Does anyone know what combination of settings for a Cognito user pool or client configuration in Cognito land works with the Shib OIDC implementation?

Thanks,
Keith

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
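Editor's added example (not code from the thread, Shibboleth, or the GEANT OIDC extension): the two token-endpoint client authentication methods discussed above, client_secret_basic (RFC 6749 section 2.3.1, HTTP Basic with form-urlencoded id and secret) and client_secret_post (id and secret in the POST body), built from the client side, and a minimal server-side check that, like the log line in the thread, accepts only the method registered in the client's token_endpoint_auth_method metadata. RFC 7591 and OIDC Dynamic Client Registration define token_endpoint_auth_method as a single string value, which is what the check below assumes. Client IDs, secrets and the authorization code are constructed for illustration.

```python
"""Token-endpoint client authentication: client_secret_basic vs client_secret_post.

Added example, not from the mailing-list thread or the Shibboleth project.
Client registrations, secrets and codes below are constructed sample data.
"""
import base64
import hmac
from urllib.parse import quote, unquote

# Constructed client metadata keyed by client_id.  token_endpoint_auth_method is a
# single string per client (RFC 7591 / OIDC registration), mirroring the
# "token_endpoint_auth_method":"client_secret_post" entry from the thread.
CLIENTS = {
    "cognito-client": {"secret": "s3cr3t-cognito",
                       "token_endpoint_auth_method": "client_secret_post"},
    "local-client":   {"secret": "s3cr3t-local",
                       "token_endpoint_auth_method": "client_secret_basic"},
}


def build_token_request(client_id, client_secret, code, redirect_uri, method):
    """Client side: return (headers, form) for an authorization_code grant.

    `form` is the dict the server sees after parsing the x-www-form-urlencoded body.
    """
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode id and secret, join with ':', then HTTP Basic.
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return headers, form


def detect_auth_method(headers, form):
    """Server side: classify how the request presents client credentials (or None)."""
    if headers.get("Authorization", "").startswith("Basic "):
        return "client_secret_basic"
    if "client_id" in form and "client_secret" in form:
        return "client_secret_post"
    return None


def extract_credentials(method, headers, form):
    """Pull (client_id, client_secret) out of whichever carrier `method` names."""
    if method == "client_secret_basic":
        raw = base64.b64decode(headers["Authorization"][len("Basic "):]).decode()
        cid, _, sec = raw.partition(":")
        return unquote(cid), unquote(sec)
    return form["client_id"], form["client_secret"]


def validate_endpoint_authentication(headers, form, clients=CLIENTS):
    """Return (ok, reason).  The presented method must equal the registered one;
    a mismatch is rejected before the secret is even compared, which is the
    failure Keith's log line shows (ClientSecretPost presented, client_secret_basic
    registered)."""
    presented = detect_auth_method(headers, form)
    if presented is None:
        return False, "no client authentication presented"
    client_id, secret = extract_credentials(presented, headers, form)
    registration = clients.get(client_id)
    if registration is None:
        return False, f"unknown client {client_id}"
    expected = registration["token_endpoint_auth_method"]
    if presented != expected:
        return False, f"Unrecognized client authentication {presented} for {expected}"
    # Constant-time comparison so timing does not leak secret prefixes.
    if not hmac.compare_digest(secret.encode(), registration["secret"].encode()):
        return False, "invalid client secret"
    return True, "ok"


if __name__ == "__main__":
    redirect = "https://example.invalid/oauth2/idpresponse"  # constructed
    for cid, method in [("cognito-client", "client_secret_post"),
                        ("local-client", "client_secret_post"),
                        ("local-client", "client_secret_basic")]:
        h, f = build_token_request(cid, CLIENTS[cid]["secret"], "code123", redirect, method)
        print(cid, method, "->", validate_endpoint_authentication(h, f))
```

Running the block shows the Cognito-style client succeeding once its registration says client_secret_post, and the same POST-body credentials rejected for the client registered with client_secret_basic. Changing the metadata value is what switches the accepted method; a client cannot pick dynamically unless its registration is changed.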