Hello people!
We are trying to set up AWS Cognito as an OpenID provider so we can use our user pool as a single source of truth across our infra.
Using this doc, SSO with OpenID providers, I was able to get the "Sign in with SSO" option and be redirected properly to the SSO page.
Now I've tried a few options:
- Newly created user, who has to change password - the password is accepted, the next step is to change the password - after changing the password I get the error "An error occurred" (I believe this one is from the Cognito side)
- Existing user: after auth with SSO I get this error in the browser:
{"statusCode":400,"data":"{\"error\":\"invalid_client\"}"}
and in logs:
Error: {"statusCode":400,"data":"{\"error\":\"invalid_client\"}"}
at /snapshot/backend/transpiled/common/oauth.js
at /snapshot/backend/node_modules/oauth/lib/oauth2.js:191:18
at passBackControl (/snapshot/backend/node_modules/oauth/lib/oauth2.js:132:9)
at IncomingMessage.<anonymous> (/snapshot/backend/node_modules/oauth/lib/oauth2.js:157:7)
at IncomingMessage.emit (events.js:327:22)
at IncomingMessage.EventEmitter.emit (domain.js:482:12)
at endReadableNT (_stream_readable.js:1221:12)
at processTicksAndRejections (internal/process/task_queues.js:84:21)
{"requestId":"6b0fb08-a275-41c08a836e8d","message":{"method":"GET","url":"/oauth2sso/callback?code=e5c81d1c75c&state=7ed7b961808d06e","hostname":"https://rtl.hostname.com","type":"REQUEST_FINISH","statusCode":302},"level":"info","timestamp":"2021-02-05T09:12:29.566Z"}
and after that attempt I am not able to get to the SSO login page - this error shows in the browser (until cookies are cleared or a private window is used):
{"statusCode":400,"data":"{\"error\":\"invalid_client\"}"}
Our Retool resides in an EKS k8s cluster; env:
CUSTOM_OAUTH2_SSO_SCOPES=openid profile email
CUSTOM_OAUTH2_SSO_AUTH_URL=https://domain.auth.region.amazoncognito.com/oauth2/authorize
CUSTOM_OAUTH2_SSO_JWT_EMAIL_KEY=idToken.email
CUSTOM_OAUTH2_SSO_CLIENT_SECRET=sfvkehruo275hgioqejwrifphweo
CUSTOM_OAUTH2_SSO_CLIENT_ID=kuvsh8923ujgo;wekv
CUSTOM_OAUTH2_SSO_TOKEN_URL=https://domain.auth.region.amazoncognito.com/oauth2/token
JIT user provisioning is turned on in the Retool admin area.
Cognito side:
callback - https://rtl.hostname.com/oauth2sso/callback
Flow - Authorization code grant
Scopes - openid, profile, email
Security groups allow communication between Cognito and Retool. Also, on the same cluster I successfully configured Grafana with Cognito.
Could someone please give me a hand?
Thanks,
Ivan
P.S. I did a thorough search on the internet and spent around 6 hours debugging before posting this.
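Added troubleshooting helper, not part of the original post or of Retool's code: it builds the authorization-code token request the way the Cognito token endpoint expects it for a confidential client (form body, client_id:client_secret in an HTTP Basic header), and it decodes the double-encoded error body that appears in the Retool log above, mapping the documented Cognito token-endpoint error codes to the configuration check each usually points at. The token URL, callback and credentials are placeholders in the same shape as the post's values, and the error hints summarise the AWS documentation.

```python
import base64
import json
from urllib.parse import urlencode

# Placeholder endpoint and callback in the same shape as the post; not real values.
TOKEN_URL = "https://domain.auth.region.amazoncognito.com/oauth2/token"
REDIRECT_URI = "https://rtl.hostname.com/oauth2sso/callback"

# Cognito token-endpoint error codes (summarised from AWS docs) and the check each points at.
TOKEN_ERRORS = {
    "invalid_client": "client authentication failed: app client ID or secret not recognised, "
                      "or the client is not allowed the authorization_code grant",
    "invalid_grant": "code rejected: expired, already redeemed, or redirect_uri differs "
                     "from the one sent to /oauth2/authorize",
    "invalid_request": "malformed request: missing grant_type, code or redirect_uri",
    "unauthorized_client": "app client is not allowed this grant type or scope",
    "unsupported_grant_type": "grant_type is not one the app client is configured for",
}


def build_token_request(client_id, client_secret, code,
                        redirect_uri=REDIRECT_URI, token_url=TOKEN_URL):
    """Authorization-code exchange as Cognito expects it for a confidential
    client: form-encoded body, client_id:client_secret in an HTTP Basic header."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "authorization_code",
                      "code": code, "redirect_uri": redirect_uri})
    return token_url, headers, body


def decode_token_error(log_line):
    """Retool logs the upstream failure as JSON whose 'data' field is itself a
    JSON string, so the body is decoded twice before the error code is read.
    Returns (http_status, error_code, hint)."""
    outer = json.loads(log_line)
    data = outer.get("data", {})
    inner = json.loads(data) if isinstance(data, str) else data
    error = inner.get("error", "unknown")
    return outer.get("statusCode"), error, TOKEN_ERRORS.get(error, "unrecognised error code")


if __name__ == "__main__":
    # Constructed log line in the same shape as the one quoted in the post.
    sample = r'{"statusCode":400,"data":"{\"error\":\"invalid_client\"}"}'
    print(decode_token_error(sample))
```

Sending the request built by build_token_request with curl or requests, using the real app client values, shows whether the credentials themselves are accepted independently of Retool.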