AWS Cognito OIDC Customizations


https://consumerdatastandardsaustralia.github.io/standards/#security-profile

I am trying to set up AWS Cognito as an OIDC provider. I am able to create a user pool; however, there is a lot of custom data needed. For example, the ".well-known/openid-configuration" of Cognito returns a few details but is missing introspection_endpoint, revocation_endpoint, claims_supported etc.

Similarly, customization of the /authorize endpoint with additional claims is needed.

Any help or suggestions would be really helpful.

Regards & Thanks

Ravenscar

Claims can be somewhat customised with a lambda: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html

introspection_endpoint and revocation_endpoint are not core oauth and are extensions. I have found Cognito does not generally implement extensions, there are many parts of oauth2 core not implemented also.

Cognito is missing many, many features you may expect to get out of the box; there is a seemingly large and opaque backlog which support constantly references when you point out that a standard feature is missing.

  • no silent refresh capability in the hosted UI, so no safe way to store the refresh token.
  • no support for custom auth flow in the hosted UI
  • no passwordless support in the hosted UI
  • no ability to pre-populate a field in the hosted UI (e.g. username)
  • no ability to customise the plethora of obscure error messages in the custom UI
  • fixed now, but for years the email addresses were case sensitive!

If you choose not to use the hosted UI there is no way to get any oauth scopes.

There are many non-oauth cognito idp calls that you may be able to use with the access token: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/index.html

If these don't fit your needs, I would suggest you consider other auth services, or adjust your expectations if you choose to move forward with Cognito. Good luck!
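As an added illustration of the claim customisation the answer mentions (this is example code, not from the original post or from AWS), a Pre Token Generation trigger in Python: the event shape follows the v1 trigger documented by AWS, while the attribute name `custom:tenant_id`, the claim names and the sample values are assumptions. It copies only allow-listed user attributes into the token and suppresses claims the application should not receive.

```python
import json
from typing import Any, Dict

# User attributes that may be copied into the token, mapped to the claim name
# they appear under. Allow-listing avoids leaking every attribute as a claim.
# "custom:tenant_id" is a hypothetical custom attribute.
ALLOWED_SOURCE_ATTRIBUTES = {"custom:tenant_id": "tenant_id"}

# Standard claims this application does not need; drop them from the ID token.
CLAIMS_TO_SUPPRESS = ["phone_number", "phone_number_verified"]


def build_claims_override(user_attributes: Dict[str, str]) -> Dict[str, Any]:
    """Build the claimsOverrideDetails block of a Pre Token Generation (v1) response."""
    claims_to_add: Dict[str, str] = {}
    for attribute, claim in ALLOWED_SOURCE_ATTRIBUTES.items():
        value = user_attributes.get(attribute)
        if value:  # absent or empty attributes produce no claim
            claims_to_add[claim] = value
    return {
        "claimsToAddOrOverride": claims_to_add,
        "claimsToSuppress": list(CLAIMS_TO_SUPPRESS),
    }


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Cognito Pre Token Generation entry point: return the event with response filled in."""
    user_attributes = event.get("request", {}).get("userAttributes", {})
    response = event.setdefault("response", {})
    response["claimsOverrideDetails"] = build_claims_override(user_attributes)
    return event


# Constructed sample event; the values are made up for this example.
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "TokenGeneration_HostedAuth",
    "userName": "alice",
    "request": {
        "userAttributes": {
            "sub": "00000000-0000-4000-8000-000000000001",
            "email": "alice@example.com",
            "phone_number": "+61400000000",
            "custom:tenant_id": "acme",
        },
        "groupConfiguration": {"groupsToOverride": [], "iamRolesToOverride": [], "preferredRole": None},
    },
    "response": {},
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT)["response"], indent=2))
```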