Shibboleth OIDC and AWS Cognito
Liam Hoekenga
liamr at umich.edu
Wed Jul 10 11:59:01 EDT 2019
According to the well-known info, it looks like the extension supports...
"token_endpoint_auth_methods_supported":[
"client_secret_basic",
"client_secret_post",
"client_secret_jwt",
"private_key_jwt"
],
The spec for OIDC dynamic registration (which is a good reference as to what
can go into the OIDC metadata) seems to suggest that
"token_endpoint_auth_method" is a single string. In the spec, if an item
takes an array, it's specifically mentioned.
token_endpoint_auth_method
OPTIONAL. Requested Client Authentication method for the Token
Endpoint. The options are client_secret_post, client_secret_basic,
client_secret_jwt, private_key_jwt, and none, as described in Section 9
of OpenID Connect Core 1.0 [OpenID.Core]. Other authentication
methods MAY be defined by extensions. If omitted, the default is
client_secret_basic -- the HTTP Basic Authentication Scheme specified in
Section 2.3.1 of OAuth 2.0 [RFC6749].
Liam
On Wed, Jul 3, 2019 at 10:34 AM Wessel, Keith <kwessel at illinois.edu> wrote:
> Thanks, Liam. That seems to have fixed it. I assume valid values for this
> parameter are client_secret_post and client_secret_basic? Can only one be
> specified in the client metadata, or can both be specified so either will
> work dynamically?
>
>
>
> Keith
>
>
>
>
>
> *From:* users <users-bounces at shibboleth.net> *On Behalf Of *Liam Hoekenga
> *Sent:* Tuesday, July 2, 2019 5:13 PM
> *To:* Shib Users <users at shibboleth.net>
> *Subject:* Re: Shibboleth OIDC and AWS Cognito
>
>
>
> You can tell the IDP to use client_secret_post by adding this to the
> metadata for the given SP...
>
> "token_endpoint_auth_method":"client_secret_post"
>
>
>
> Liam
>
>
>
> On Tue, Jul 2, 2019 at 4:04 PM Wessel, Keith <kwessel at illinois.edu> wrote:
>
> Hi, all,
>
> Has anyone attempted to use AWS Cognito as a client against a Shibboleth
> IdP with OIDC support? Our developers are trying this and running into an
> error that I've seen before with locally developed clients:
> 2019-07-02 15:49:08,600 - WARN
> [org.geant.idpextension.oidc.profile.impl.ValidateEndpointAuthentication:206]
> - Profile Action ValidateEndpointAuthentication: Unrecognized client
> authentication com.nimbusds.oauth2.sdk.auth.ClientSecretPost at 35f57c94 for
> client_secret_basic
>
> The fix for the locally developed client was to use HTTP basic auth for
> the client authentication, but we don't seem to have that flexibility with
> Cognito. Does anyone know what combination of settings for a Cognito user
> pool or client configuration in Cognito land works with the Shib OIDC
> implementation?
>
> Thanks,
> Keith
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
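The exchange above turns on how a client proves its identity at the token endpoint and on the fact that the registered `token_endpoint_auth_method` is one string, so a client registered for `client_secret_basic` that sends `client_secret_post` is rejected. The following is an added example, not code from the Shibboleth OIDC extension or from AWS Cognito: it builds a token request both ways (RFC 6749 section 2.3.1), works out which method an incoming request actually used, and validates it against a constructed client registry, reporting the same kind of mismatch the IdP logged. The client ids, secrets, codes and redirect URIs are made up for the example.

```python
"""Client authentication at the OAuth 2.0 / OIDC token endpoint.

Added example, not code from the Shibboleth OIDC extension or AWS Cognito.
Shows how a client presents its credentials under client_secret_basic
(RFC 6749 section 2.3.1, Authorization header) and client_secret_post
(credentials as form fields, which 2.3.1 marks NOT RECOMMENDED), and how
a token endpoint that stores one registered token_endpoint_auth_method per
client rejects a request that uses the other method. The registry below is
constructed for the example; the method names are the ones from the spec.
"""
import base64
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed client registry (hypothetical client ids and secrets): one auth
# method per client, matching the single-string token_endpoint_auth_method
# in the OIDC dynamic registration spec.
CLIENTS = {
    "cognito-app": {"secret": "s3cr3t-value",
                    "token_endpoint_auth_method": "client_secret_post"},
    "local-app": {"secret": "another-secret",
                  "token_endpoint_auth_method": "client_secret_basic"},
}


def basic_request(client_id, secret, code, redirect_uri):
    """Token request authenticating with client_secret_basic.

    RFC 6749 2.3.1: client_id and secret are form-url-encoded, joined with
    ':' and base64-encoded into the Authorization header. A secret that
    contains ':' or '%' survives only because of that encoding step.
    """
    userpass = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(userpass.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})
    return headers, body


def post_request(client_id, secret, code, redirect_uri):
    """Token request authenticating with client_secret_post: credentials are
    form fields in the body and there is no Authorization header."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri,
                      "client_id": client_id, "client_secret": secret})
    return headers, body


def presented_auth(headers, body):
    """Determine which client auth method a request actually used.

    Returns (method, client_id, secret). Presenting both methods at once is
    an error (RFC 6749 2.3: a client MUST NOT use more than one).
    """
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    has_basic = auth.startswith("Basic ")
    has_post = "client_secret" in form
    if has_basic and has_post:
        return ("ambiguous", None, None)
    if has_basic:
        try:
            raw = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            return ("malformed", None, None)
        user, _, pw = raw.partition(":")
        return ("client_secret_basic", unquote(user), unquote(pw))
    if has_post:
        return ("client_secret_post", form.get("client_id"), form["client_secret"])
    return ("none", form.get("client_id"), None)


def validate_endpoint_authentication(headers, body, registry=CLIENTS):
    """Server side: accept only the registered method with a matching secret.

    Returns "ok" or a short reason. The mismatch string mirrors the
    'Unrecognized client authentication ... for client_secret_basic'
    warning quoted in the thread.
    """
    method, client_id, secret = presented_auth(headers, body)
    if method in ("ambiguous", "malformed"):
        return method
    client = registry.get(client_id)
    if client is None:
        return "unknown_client"
    expected = client["token_endpoint_auth_method"]
    if method != expected:
        return f"unrecognized client authentication {method} for {expected}"
    if secret is None:
        return "missing_credentials"
    # Constant-time comparison so the check does not leak secret length/prefix.
    if not hmac.compare_digest(secret.encode(), client["secret"].encode()):
        return "bad_secret"
    return "ok"
```

Run the two builders against the two registry entries and the mismatch cases fall out directly: `post_request` for `cognito-app` is accepted, `basic_request` for the same client is refused with the "unrecognized client authentication" reason, and the reverse holds for `local-app`. Flipping the registry entry to `client_secret_post`, as the thread suggests, is the one-line change that makes the Cognito-style request validate.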