Shibboleth OIDC and AWS Cognito

Wessel, Keith kwessel at
Wed Jul 3 11:33:54 EDT 2019

Thanks, Liam. That seems to have fixed it. I assume valid values for this parameter are client_secret_post and client_secret_basic? Can only one be specified in the client metadata, or can both be specified so either will work dynamically?


From: users <users-bounces at> On Behalf Of Liam Hoekenga
Sent: Tuesday, July 2, 2019 5:13 PM
To: Shib Users <users at>
Subject: Re: Shibboleth OIDC and AWS Cognito

You can tell the IDP to use client_secret_post by adding this to the metadata for the given SP...


On Tue, Jul 2, 2019 at 4:04 PM Wessel, Keith <kwessel at> wrote:
Hi, all,

Has anyone attempted to use AWS Cognito as a client against a Shibboleth IdP with OIDC support? Our developers are trying this and running into an error that I've seen before with locally developed clients:
2019-07-02 15:49:08,600 - WARN [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:206] - Profile Action ValidateEndpointAuthentication: Unrecognized client authentication com.nimbusds.oauth2.sdk.auth.ClientSecretPost at 35f57c94 for client_secret_basic

The fix for the locally developed client was to use HTTP basic auth for the client authentication, but we don't seem to have that flexibility with Cognito. Does anyone know what combination of settings for a Cognito user pool or client configuration in Cognito land works with the Shib OIDC implementation?
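
Added example, not part of the original thread and not code from Shibboleth or its OIDC extension: a Python sketch of how the two methods named in the thread differ in the token request, and why a request carrying client_secret_post is refused when the client is registered for client_secret_basic. The function names, the `registered_method` parameter and the sample client id and secret are assumptions made up for this illustration.

```python
import base64
from urllib.parse import parse_qs, unquote_plus


def detect_client_auth(headers, body):
    """Return (method, client_id) for the way a token request authenticated."""
    form = parse_qs(body)
    auth = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    used = []
    if auth.lower().startswith("basic "):
        # client_secret_basic: base64("client_id:client_secret") in the header
        decoded = base64.b64decode(auth[6:]).decode()
        client_id = unquote_plus(decoded.split(":", 1)[0])
        used.append(("client_secret_basic", client_id))
    if "client_secret" in form:
        # client_secret_post: credentials travel as form fields in the body
        used.append(("client_secret_post", form.get("client_id", [""])[0]))
    if len(used) > 1:
        return ("multiple", None)  # RFC 6749 section 2.3: one method per request
    return used[0] if used else ("none", None)


def check_token_request(registered_method, headers, body):
    """Compare the method used with the one registered for the client."""
    used, client_id = detect_client_auth(headers, body)
    if used == registered_method:
        return True, f"{client_id}: {used} accepted"
    return False, f"presented {used}, client is registered for {registered_method}"


# Constructed sample requests (client id, secret and code are made up).
BODY_POST = ("grant_type=authorization_code&code=abc123"
             "&client_id=demo-client&client_secret=s3cret")
BODY_BASIC = "grant_type=authorization_code&code=abc123"
HDR_BASIC = {"Authorization": "Basic "
             + base64.b64encode(b"demo-client:s3cret").decode()}

if __name__ == "__main__":
    # Secret in the body, client registered for basic: the mismatch in the log.
    print(check_token_request("client_secret_basic", {}, BODY_POST))
    # The same request once the registration says client_secret_post.
    print(check_token_request("client_secret_post", {}, BODY_POST))
    # A client that sends HTTP basic auth, as the locally developed one did.
    print(check_token_request("client_secret_basic", HDR_BASIC, BODY_BASIC))
```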

