Retool and AWS Cognito as OIDC

Hello people!

We are trying to set up AWS Cognito as an OpenID provider to use our user pool as a single source of truth across our infra.

Using this doc https://docs.retool.com/docs/sso-generic-openid-provider#setting-up-single-sign-on I was able to get “Sign in with SSO” option and redirected properly to SSO page.

Now I’ve tried a few options:

  1. Newly created user, who has to change the password - the password is accepted, the next step is to change the password - after changing the password I’ve got the error “An error occurred” (I believe this one is from the Cognito side)
  2. Existing user, after auth with SSO I get this error in the browser:
    {"statusCode":400,"data":"{\"error\":\"invalid_client\"}"}
    and in logs:
    Error: {"statusCode":400,"data":"{\"error\":\"invalid_client\"}"}
        at /snapshot/backend/transpiled/common/oauth.js
        at /snapshot/backend/node_modules/oauth/lib/oauth2.js:191:18
        at passBackControl (/snapshot/backend/node_modules/oauth/lib/oauth2.js:132:9)
        at IncomingMessage.<anonymous> (/snapshot/backend/node_modules/oauth/lib/oauth2.js:157:7)
        at IncomingMessage.emit (events.js:327:22)
        at IncomingMessage.EventEmitter.emit (domain.js:482:12)
        at endReadableNT (_stream_readable.js:1221:12)
        at processTicksAndRejections (internal/process/task_queues.js:84:21)
    {"requestId":"6b0fb08-a275-41c08a836e8d","message":{"method":"GET","url":"/oauth2sso/callback?code=e5c81d1c75c&state=7ed7b961808d06e","hostname":"https://rtl.hostname.com","type":"REQUEST_FINISH","statusCode":302},"level":"info","timestamp":"2021-02-05T09:12:29.566Z"}

and after that attempt I am not able to get to the SSO login page - this error shows in the browser (until cookies are cleared or a private window is used):
{"statusCode":400,"data":"{\"error\":\"invalid_client\"}"}

Our Retool instance resides in an EKS k8s cluster; env:

CUSTOM_OAUTH2_SSO_SCOPES=openid profile email
CUSTOM_OAUTH2_SSO_AUTH_URL=https://domain.auth.region.amazoncognito.com/oauth2/authorize
CUSTOM_OAUTH2_SSO_JWT_EMAIL_KEY=idToken.email
CUSTOM_OAUTH2_SSO_CLIENT_SECRET=sfvkehruo275hgioqejwrifphweo
CUSTOM_OAUTH2_SSO_CLIENT_ID=kuvsh8923ujgo;wekv
CUSTOM_OAUTH2_SSO_TOKEN_URL=https://domain.auth.region.amazoncognito.com/oauth2/token

JIT user provisioning is turned on in the Retool admin area.

Cognito side:
callback - https://rtl.hostname.com/oauth2sso/callback
Flow - Authorization code grant
Scopes - openid, profile, email

Security groups allow communication between Cognito and Retool. Also, on the same cluster I successfully configured Grafana with Cognito.

Could someone please give me a hand?

Thanks,
Ivan

P.S. I did a thorough search on the internet and spent around 6 hours debugging before posting this.
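The `invalid_client` above is the Cognito token endpoint rejecting the client credentials during the authorization-code exchange that Retool performs server-side. The following is an added diagnostic, not code from the post or from Retool: it lints the env variables the post lists, builds the token request the way Cognito documents it for app clients with a secret (HTTP Basic `client_id:client_secret`), and unwraps the nested error body from the Retool log. The sample env values and the trailing space in the client id are constructed.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit

# Constructed sample env mirroring the post's variable names; the client id carries a
# trailing space on purpose so the lint below has something to catch (assumed defect).
SAMPLE_ENV = {
    "CUSTOM_OAUTH2_SSO_SCOPES": "openid profile email",
    "CUSTOM_OAUTH2_SSO_AUTH_URL": "https://domain.auth.region.amazoncognito.com/oauth2/authorize",
    "CUSTOM_OAUTH2_SSO_TOKEN_URL": "https://domain.auth.region.amazoncognito.com/oauth2/token",
    "CUSTOM_OAUTH2_SSO_CLIENT_ID": "1example2clientid3 ",
    "CUSTOM_OAUTH2_SSO_CLIENT_SECRET": "example-secret",
    "CUSTOM_OAUTH2_SSO_JWT_EMAIL_KEY": "idToken.email",
}

def lint_env(env):
    """Return the configuration problems worth ruling out before blaming Cognito."""
    problems = []
    for key in ("CUSTOM_OAUTH2_SSO_CLIENT_ID", "CUSTOM_OAUTH2_SSO_CLIENT_SECRET"):
        value = env.get(key, "")
        if not value:
            problems.append(f"{key} is missing")
        elif value != value.strip():
            problems.append(f"{key} has leading/trailing whitespace")
    auth_host = urlsplit(env.get("CUSTOM_OAUTH2_SSO_AUTH_URL", "")).netloc
    token_host = urlsplit(env.get("CUSTOM_OAUTH2_SSO_TOKEN_URL", "")).netloc
    if auth_host != token_host:
        problems.append("authorize and token URLs use different Cognito domains")
    if "openid" not in env.get("CUSTOM_OAUTH2_SSO_SCOPES", "").split():
        problems.append("openid scope missing, so no id_token for idToken.email")
    return problems

def build_token_request(code, client_id, client_secret, redirect_uri, token_url):
    """Authorization-code exchange (RFC 6749 4.1.3) using client_secret_basic.
    Cognito documents HTTP Basic for app clients with a secret; a wrong or
    mis-encoded id:secret pair is what the token endpoint reports as invalid_client."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {credentials}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "code": code, "redirect_uri": redirect_uri}
    return token_url, headers, urlencode(form)

def parse_retool_oauth_error(log_line):
    """Retool wraps the upstream error body as a JSON string in 'data'; unwrap it."""
    outer = json.loads(log_line)
    inner = json.loads(outer["data"])
    return outer["statusCode"], inner.get("error")
```

Run `lint_env` against the real pod environment first; whitespace or a mismatched Cognito domain in the env values is cheaper to rule out than re-creating the app client.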