I’ve done the below:
- I’ve created a new user pool with 1 app client.
- I’ve set the callback URL of my app client to https://my-domain/oauth2/idpresponse
- I’ve added Okta as a SAML identity provider for Cognito

When I navigate to https://my-domain/my-app, I’m correctly redirected to the Cognito login page. After successful authentication through the Cognito login page, I’m redirected to my application home page.

However, despite response_type=code being set in the Cognito URL, indicating that an auth code should be appended to my URL upon successful login, this isn’t happening. The page https://my-domain/oauth2/idpresponse?code=code-I-need is accessed but then bypassed, leading directly to my application page without the auth code appended.

I attempted to change the callback URL to https://my-domain/my-app for my app client, but this resulted in a redirect_mismatch error in Cognito. It appears that oauth2/idpresponse must be included in the callback.

I manually modified the Cognito URL redirect_uri variable to redirect_uri=https://my-domain/my-app, which worked. I landed on my app page with the URL https://my-domain/my-app?code=code-I-need.

However, I’ve had to keep both callback URLs in my app client:
- https://my-domain/oauth2/idpresponse
- https://my-domain/my-app

How can I set https://my-domain/my-app as the default redirect_uri variable in the Cognito URL without having to manually change it?
2 Answers
AWS Cognito has the role of an OAuth authorization server. It can integrate with external identity providers (IDPs), such as Google Sign In. When it does, the external IDP will post its response to Cognito’s /oauth/idp/response location. This would contain Google’s authorization code. Cognito will then process the IDP’s authorization code and issue its own authorization code to your app. Your own app should use a value such as https://yourappdomain/callback instead. It will then receive the AWS Cognito authorization code. My blog post shows how a federated login works. You do not seem to need a federated login, so you should not need to configure the /oauth/idp/response path. So just changing the redirect_uri to a location within the app feels like the right action.

TLDR: ensure you generate a new URL for logging in via the View Hosted UI button after making changes to the callback URL(s) for your app client.
There are no requirements for you to have oauth2/idpresponse in your app client’s allowed callback URLs. As the docs mention, the oauth2/idpresponse and saml/idpresponse are endpoints that Cognito uses for handling the responses from OpenID Connect (OIDC) and SAML identity providers (IdPs). They’re there to manage the relationship between Cognito & the IdP and have nothing to do with your app client – feel free to remove that callback URL as it’s not needed.

The redirect_uri mismatch error indicates that the callback URL that was provided to the /oauth2/authorize Cognito endpoint, in the form of the redirect_uri query parameter, didn’t match a callback URL allowed in the app client config.

When using the Cognito hosted UI via the View Hosted UI button, the URL is auto-generated for you. This URL contains the redirect URL, set to the first (or only) allowed callback URL. When you change the allowed callback URLs (or any other value that is in the login endpoint URL, e.g. scopes), you can’t just use the old URL and need to re-click the button to generate a new URL.

You’re most likely still using the old URL with the redirect_uri set to the no-longer-allowed https://my-domain/oauth2/idpresponse value and not the new https://my-domain/my-app URL. Make sure that after making changes to the allowed callback URL, you’re not just refreshing the old login URL but generate a new URL using the View Hosted UI button.
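The two answers above describe the same mechanics: the hosted UI login URL carries response_type=code and a redirect_uri, the authorization server rejects any redirect_uri that is not in the app client's allowed callback list (redirect_mismatch), and a successful login sends the browser to redirect_uri?code=... . The following is an added example, not code from either answer or from AWS; it builds such a login URL the way the View Hosted UI button does, emulates the allowed-callback check so a stale URL with the removed oauth2/idpresponse callback is visibly rejected, and extracts the code from the final callback URL. The hosted UI domain, client id, state value and allowed-callback list are constructed sample values.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample app client configuration (not from the question):
# only the application URL remains as an allowed callback, per the second answer.
ALLOWED_CALLBACK_URLS = ["https://my-domain/my-app"]
HOSTED_UI_DOMAIN = "example-prefix.auth.us-east-1.amazoncognito.com"  # constructed
CLIENT_ID = "exampleclientid0000000000"                                # constructed


def build_login_url(hosted_ui_domain, client_id, redirect_uri, scopes=("openid",), state=None):
    """Build the hosted UI /oauth2/authorize URL for the authorization code flow.

    This mirrors what the View Hosted UI button generates: response_type=code
    plus the redirect_uri the browser should be sent back to with the code.
    'state' is an optional opaque value the app later compares against the
    callback to detect a login response it did not initiate.
    """
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
    }
    if state is not None:
        params["state"] = state
    # urlencode percent-encodes ':' and '/' in redirect_uri, which is required
    # so the nested URL survives as a single query parameter value.
    return f"https://{hosted_ui_domain}/oauth2/authorize?{urlencode(params)}"


def check_redirect_uri(login_url, allowed_callback_urls):
    """Emulate the authorization server's check of the redirect_uri parameter.

    Assumption of this emulation: exact string comparison against the allowed
    list (no prefix or substring matching), which is the OAuth 2.0 best-practice
    behaviour. Returns 'ok' or 'redirect_mismatch'.
    """
    query = parse_qs(urlsplit(login_url).query)
    redirect_uri = query.get("redirect_uri", [None])[0]
    if redirect_uri is not None and redirect_uri in allowed_callback_urls:
        return "ok"
    return "redirect_mismatch"


def extract_auth_code(callback_url, expected_state=None):
    """Pull the authorization code out of redirect_uri?code=...&state=... .

    Returns None when no code is present or when 'state' does not match the
    value the app sent, so a mismatched response is not silently accepted.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if expected_state is not None and query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]


if __name__ == "__main__":
    # A URL generated before the callback list was changed still points at the
    # IdP response path, so it is rejected; a freshly generated one is accepted.
    stale = build_login_url(HOSTED_UI_DOMAIN, CLIENT_ID, "https://my-domain/oauth2/idpresponse")
    fresh = build_login_url(HOSTED_UI_DOMAIN, CLIENT_ID, "https://my-domain/my-app", state="s1")
    print("stale URL:", check_redirect_uri(stale, ALLOWED_CALLBACK_URLS))
    print("fresh URL:", check_redirect_uri(fresh, ALLOWED_CALLBACK_URLS))
    print("code:", extract_auth_code("https://my-domain/my-app?code=code-I-need&state=s1", "s1"))
```

Running the block prints redirect_mismatch for the stale URL and ok for the regenerated one, which is exactly the symptom the second answer attributes to reusing an old login URL after editing the allowed callbacks.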