
cognito oidc userinfo error

Open kernel164 opened this issue 5 years ago • 6 comments

I tried to configure dex with cognito

connectors:
  - type: oidc
    id: cognito
    name: Cognito
    config:
      issuer: $COGNITO_ISSUER
      clientID: $COGNITO_CLIENT_ID
      clientSecret: $COGNITO_CLIENT_SECRET
      redirectURI: https://dex.domain/callback
      scopes:
        - openid
        - email
        - profile
      getUserInfo: true
      claimMapping:
        name: email
        groups: "cognito:groups"

Got this.

Failed to authenticate: oidc: error loading userinfo: oidc: failed to decode userinfo: json: cannot unmarshal string into Go struct field UserInfo.email_verified of type bool

kernel164 avatar Oct 10 '20 19:10 kernel164
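The error above comes from decoding a userinfo response whose `email_verified` is the JSON string `"true"` into a Go `bool` field. As an added example (not dex's own code), the following Go snippet shows a tolerant decoder that accepts both the boolean and the string form while still rejecting anything else, so the verified-email check is kept rather than disabled outright; the type `flexBool`, the struct `userInfo` and the sample payload are assumptions constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// flexBool accepts a JSON bool (true) or a JSON string ("true"), the form
// Cognito uses for email_verified and which a plain bool field rejects.
type flexBool bool

func (b *flexBool) UnmarshalJSON(data []byte) error {
	var v interface{}
	if err := json.Unmarshal(data, &v); err != nil {
		return err
	}
	switch t := v.(type) {
	case bool:
		*b = flexBool(t)
	case string:
		parsed, err := strconv.ParseBool(t)
		if err != nil {
			return fmt.Errorf("email_verified: unrecognised string %q", t)
		}
		*b = flexBool(parsed)
	default:
		return fmt.Errorf("email_verified: unexpected JSON type %T", v)
	}
	return nil
}

// userInfo holds the userinfo claims this example reads (a hypothetical subset).
type userInfo struct {
	Email         string   `json:"email"`
	EmailVerified flexBool `json:"email_verified"`
}

// decodeUserInfo parses a userinfo response body into userInfo.
func decodeUserInfo(body []byte) (userInfo, error) {
	var u userInfo
	err := json.Unmarshal(body, &u)
	return u, err
}

func main() {
	// Constructed sample shaped like the Cognito response: string "true".
	u, err := decodeUserInfo([]byte(`{"email":"a@example.com","email_verified":"true"}`))
	fmt.Println(u, err)
}
```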

exactly similar to this => https://github.com/pomerium/pomerium/issues/775

kernel164 avatar Oct 10 '20 19:10 kernel164

If I remove "getUserInfo: true", I get Internal Server Error Failed to authenticate: missing "name" claim

kernel164 avatar Oct 11 '20 09:10 kernel164

Made it work using the following setting.

connectors:
  - type: oidc
    id: cognito
    name: Cognito
    config:
      issuer: $COGNITO_ISSUER
      clientID: $COGNITO_CLIENT_ID
      clientSecret: $COGNITO_CLIENT_SECRET
      redirectURI: https://dex.{{ template "app.domain" . }}/callback
      scopes:
        - openid
        - email
        - profile
      # getUserInfo: true # fails
      insecureSkipEmailVerified: true
      insecureEnableGroups: true
      userNameKey: "cognito:username"
      claimMapping: # supported in v2.25.0
        groups: "cognito:groups"

getUserInfo: true, if enabled, still fails though.

kernel164 avatar Oct 11 '20 15:10 kernel164

@kernel164 Hello, are you able to share how you managed to get this working? My setup is complaining about invalid scope. Not sure what we're doing wrong.

kofiray avatar May 18 '21 17:05 kofiray

My setup is complaining about invalid scope

For me, invalid scope was happening on the "connector" side, but the error message did not make that clear.

I had missed giving the "profile" scope to the dex app integration in cognito.

hef avatar Mar 08 '22 20:03 hef

I encountered this issue. I solved this problem with the settings below.

  connectors:
    - type: oidc
      id: keycloak
      name: keycloak
      config:
        issuer: $KEYCLOAK_ISSUER
        clientID: $KEYCLOAK_CLIENT_ID
        clientSecret: $KEYCLOAK_CLIENT_SECRET
        redirectURI: http://127.0.0.1:8080/callback
        scopes:
          - openid
          - email
          - profile
        insecureSkipEmailVerified: true
        insecureEnableGroups: true
        userNameKey: preferred_username

Thanks for help @kernel164

jinsoo-youn avatar Jul 27 '22 02:07 jinsoo-youn