openid-connect-generic
ERROR invalid-user-claim on AWS cognito
Identity provider: AWS Cognito
WordPress version: 5.6
PHP version: 7.4

I'm using AWS Cognito for my SSO.
The connection with Cognito is working, but when I insert my data for login, the site responds with ERROR invalid user claim.
Would it be possible that the error is the identity or nickname key? Now I inserted the example values. Other parameters are:

Scope: openid
Login Endpoint URL: my.domain.org/oauth2/authorize
Userinfo Endpoint URL: my.domain.org/oauth2/UserInfo
Token Validation Endpoint URL: my.domain.org/oauth2/token: my.domain.org/oauth2/logout
Disable SSL Verify: true
Email Formatting: {email}
Display Name Formatting: {family_name}
Identify with User Name: false
Link Existing Users: true
Create user if does not exist: true

Any suggestion for fixing the problem?
Thanks, Emanuele
@Emanuele-iltk so as I was looking the AWS Cognito documentation it looks like this may be related to the requirement that Basic Authorization is to be used with AWS Cognito but the plugin currently only supports POST Authorization. There is an open issue reporting this for another IDP. I might see about setting up an AWS Cognito instance for further testing as well to confirm this. I did a quick Google and found this guide on setting up AWS Cognito as an OIDC IDP. I'm wondering if you can check that guide against your setup and see if there is a misconfiguration?
@Emanuele-iltk I ran into the same issue. Have you tried setting your userInfo path to use a lower-case U:
This worked for me.
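A small pre-flight check for the settings quoted above, written as an added example (not part of the plugin or this thread). It assumes the settings dict and the two userinfo bodies are constructed stand-ins, that Cognito's hosted userinfo path is the case-sensitive `/oauth2/userInfo`, and that a userinfo response which is not a JSON claim set (as a mis-cased path would produce) is what leaves the plugin without a usable user claim; it also flags the `Disable SSL Verify: true` setting and any `{claim}` placeholder the claim set cannot fill.

```python
import json
import re
from urllib.parse import urlparse

PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.-]+)\}")

# Constructed settings mirroring the ones quoted in the thread (hypothetical domain).
SETTINGS = {
    "userinfo_endpoint": "https://my.domain.org/oauth2/UserInfo",
    "disable_ssl_verify": True,
    "email_format": "{email}",
    "display_name_format": "{family_name}",
}

# Constructed userinfo bodies: a Cognito-style JSON claim set, and an error page
# such as a mis-cased endpoint path might return instead of claims.
GOOD_BODY = json.dumps({"sub": "example-sub", "email": "user@example.org",
                        "email_verified": "true", "username": "user"})
BAD_BODY = "<html><body>404 Not Found</body></html>"


def parse_claims(body):
    """Return the claim dict if the body is a JSON object, else None."""
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def missing_claims(template, claims):
    """Placeholders in a {claim} template that the claim set does not supply."""
    return [name for name in PLACEHOLDER.findall(template) if name not in claims]


def lint_settings(settings, userinfo_body):
    """Collect problems to rule out before blaming the identity provider."""
    findings = []
    path = urlparse(settings["userinfo_endpoint"]).path
    # Cognito's hosted-UI userinfo path is case-sensitive: /oauth2/userInfo.
    if path != "/oauth2/userInfo" and path.lower() == "/oauth2/userinfo":
        findings.append(f"userinfo path {path} differs in case from /oauth2/userInfo")
    if settings["disable_ssl_verify"]:
        findings.append("Disable SSL Verify is on: token and userinfo responses are unauthenticated")
    claims = parse_claims(userinfo_body)
    if claims is None:
        findings.append("userinfo response is not a JSON claim set (cannot resolve any claim)")
        return findings
    for key in ("email_format", "display_name_format"):
        for name in missing_claims(settings[key], claims):
            findings.append(f"{key} uses {{{name}}} but userinfo has no such claim")
    return findings
```

Run `lint_settings(SETTINGS, body)` with the body your userinfo endpoint actually returns; an empty list means the endpoint path, transport verification and claim templates all line up.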
@Emanuele-iltk so I did set up my own AWS Cognito instance and have this working properly. I will provide some documentation guidance in the wiki for this IDP soon.
I am using the plugin with Cognito in production with mostly fine results. (a couple of "Invalid State" messages - 180 seconds default is not long enough for many users to validate their email during sign up)
Have you published Cognito instructions? I looked through the wiki but couldn't find anything. I have configured everything, but I get an error when I click on the login button. In the console I see a 403 error.
@sarfrazhooda1 I haven't had a chance to update the wiki yet. I need to focus on some redirect & bug fixes. I should be able to get something documented soon.