cognito-local
openid-configuration endpoint does not exist
For Spring Boot to decode a signed JWT it needs an issuer endpoint, which for Cognito is https://cognito-idp.${aws-region}.amazonaws.com/${cognito_pool_id} . An example of the response is:
```json
{
  "authorization_endpoint": "",
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "issuer": "https://cognito-idp.${aws-region}.amazonaws.com/${cognito_pool_id}",
  "jwks_uri": "https://cognito-idp.${aws-region}.amazonaws.com/${cognito_pool_id}/.well-known/jwks.json",
  "response_types_supported": [
    "code",
    "token"
  ],
  "scopes_supported": [
    "openid",
    "email",
    "phone",
    "profile"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "userinfo_endpoint": ""
}
```
Some of the information is not needed for Spring Boot to function. The only keys from that JSON object that Spring Boot needs are issuer and jwks_uri. I will submit a PR for this.
The submitted PR adds the endpoint, which returns a subset of the OpenID configuration endpoint, enough that Spring Boot works and can find the jwks.json endpoint. Please review.
The same endpoint would be needed for the Quarkus framework too, I think.
See:
- https://quarkus.io/guides/security-openid-connect
Quote: quarkus.oidc.auth-server-url The base URL of the OpenID Connect (OIDC) server, for example, https://host:port/auth. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL.
So it seems that ".well-known/openid-configuration" should be available. Here is an example of a Cognito pool that provides this:
- https://cognito-idp.us-west-2.amazonaws.com/us-west-2_Knm7CFToH/.well-known/openid-configuration
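An added example, not cognito-local's own code nor the PR in this thread: a TypeScript sketch of both halves of what the thread describes. The first function builds the discovery subset that Spring Boot and Quarkus need (issuer and jwks_uri, plus the static lists Cognito also advertises); the rest shows what the resource server does after discovery: pick the key by `kid` from the JWKS, verify the RS256 signature, and reject tokens whose `iss` claim does not match the discovered issuer. The base URL, pool id and key id are constructed placeholders, and the signing helper stands in for the user pool; only Node's built-in `crypto` is used.

```typescript
import * as crypto from "node:crypto";

// Constructed sample values (assumptions, not taken from the thread).
export const BASE_URL = "http://localhost:9229";
export const POOL_ID = "local_2ilTjjHR";

export interface DiscoveryDocument {
  issuer: string;
  jwks_uri: string;
  id_token_signing_alg_values_supported: string[];
  response_types_supported: string[];
  subject_types_supported: string[];
}

// The subset of /.well-known/openid-configuration that Spring Boot and Quarkus
// actually consume: issuer and jwks_uri. The static lists mirror Cognito's.
export function buildDiscoveryDocument(baseUrl: string, poolId: string): DiscoveryDocument {
  const issuer = `${baseUrl}/${poolId}`;
  return {
    issuer,
    jwks_uri: `${issuer}/.well-known/jwks.json`,
    id_token_signing_alg_values_supported: ["RS256"],
    response_types_supported: ["code", "token"],
    subject_types_supported: ["public"],
  };
}

// Stand-in for the user pool's signing key: an RSA key pair plus the JWKS
// document that jwks_uri would serve (public half only, tagged with a kid).
export function makeKeyAndJwks(kid: string) {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const jwk = publicKey.export({ format: "jwk" }) as crypto.JsonWebKey;
  return { privateKey, jwks: { keys: [{ ...jwk, kid, alg: "RS256", use: "sig" }] } };
}

const b64url = (b: Buffer | string): string => Buffer.from(b).toString("base64url");

// Minimal RS256 JWT issuance (the pool's side), so the example runs offline.
export function signJwt(payload: object, kid: string, privateKey: crypto.KeyObject): string {
  const header = b64url(JSON.stringify({ alg: "RS256", typ: "JWT", kid }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.sign("sha256", Buffer.from(`${header}.${body}`), privateKey);
  return `${header}.${body}.${b64url(sig)}`;
}

// The resource server's side after discovery: key lookup by kid, signature
// check, issuer match and expiry. Returns the claims or null on any failure.
export function verifyJwt(
  token: string,
  discovery: DiscoveryDocument,
  jwks: { keys: crypto.JsonWebKey[] },
): Record<string, unknown> | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
  // Only accept the algorithm the discovery document advertises.
  if (header.alg !== "RS256" || !discovery.id_token_signing_alg_values_supported.includes(header.alg)) return null;
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) return null;
  const key = crypto.createPublicKey({ key: jwk, format: "jwk" });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify("sha256", signed, key, Buffer.from(parts[2], "base64url"))) return null;
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
  // The iss claim must equal the issuer learned from discovery, not merely look like one.
  if (payload.iss !== discovery.issuer) return null;
  if (typeof payload.exp === "number" && payload.exp <= Math.floor(Date.now() / 1000)) return null;
  return payload;
}

// End-to-end walk-through: discovery, JWKS, issue a token, verify it.
export function demo(): Record<string, unknown> | null {
  const discovery = buildDiscoveryDocument(BASE_URL, POOL_ID);
  const { privateKey, jwks } = makeKeyAndJwks("key-1");
  const token = signJwt(
    { iss: discovery.issuer, sub: "user-1", exp: Math.floor(Date.now() / 1000) + 3600 },
    "key-1",
    privateKey,
  );
  return verifyJwt(token, discovery, jwks);
}
```

Usage: `demo()` returns the verified claims for a token minted by the local pool; feed `verifyJwt` a token whose `iss` points at another pool, or whose payload segment was edited after signing, and it returns null, which is exactly the check a framework performs once it can reach the discovery document.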
When can we expect these changes to be merged into the new version?
I'll take a look.
I got the same problem :(. I would like to use your COGNITO for my team to work locally, but this BUG is breaking this intention. I would appreciate it if you gave a time expectancy. Thanks
@lucianogalvaodesousa you can use my fork https://github.com/root0x/cognito-local/tree/openid-configuration I have fixed that issue there
Hi @jagregory, the endpoint is needed for next auth too. Can you have a look at the PR? If you have any remarks, I can help to work them in. Best, Tobias
Any updates on this? Would be great if the PR gets merged.
Same, would be nice if someone presses merge
I've merged the PR and published a new release: https://github.com/jagregory/cognito-local/releases/tag/v3.23.3
As you can all tell, my current work doesn't overlap much with Cognito so this tool isn't getting much attention. If anyone is interested in helping as a maintainer, let me know.