Retool and AWS Cognito as OIDC

Hello people!

We are trying to set up AWS Cognito as an OpenID provider to use our user pool as a single source of truth across our infra.

Using this doc I was able to get “Sign in with SSO” option and redirected properly to SSO page.

Now I’ve tried a few options:

  1. Newly created user, which has to change password - password is accepted, the next step is to change password - after changing the password I’ve got the error “An error occurred” (I believe this one is from the Cognito side)
  2. Existing user, after auth with SSO get this error in browser:
    and in logs:
 Error: {"statusCode":400,"data":"{\"error\":\"invalid_client\"}"}
     at /snapshot/backend/transpiled/common/oauth.js
     at /snapshot/backend/node_modules/oauth/lib/oauth2.js:191:18
     at passBackControl (/snapshot/backend/node_modules/oauth/lib/oauth2.js:132:9)
     at IncomingMessage.<anonymous> (/snapshot/backend/node_modules/oauth/lib/oauth2.js:157:7)
     at IncomingMessage.emit (events.js:327:22)
     at IncomingMessage.EventEmitter.emit (domain.js:482:12)
     at endReadableNT (_stream_readable.js:1221:12)
     at processTicksAndRejections (internal/process/task_queues.js:84:21)

and after that attempt I am not able to get to the SSO login page - this error is shown in the browser (until cookies are cleared or a private window is used):

Our Retool resides in an EKS k8s cluster, env:

CUSTOM_OAUTH2_SSO_SCOPES=openid profile email

JIT user provisioning is turned on in the Retool admin area.

Cognito side:
callback -
Flow - Authorization code grant
Scopes - openid, profile, email

Security groups allow communication between Cognito and Retool. Also, on the same cluster I successfully configured Grafana with Cognito.

Could someone please give me a hand?

P.S. I did a thorough search on the internet and spent around 6 hours debugging before posting this.
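The stack trace above comes from the token-exchange step of the authorization code flow: Retool's oauth library POSTs the code to the provider's token endpoint and the provider answers 400 with `{"error":"invalid_client"}`. The script below is an added example, not Retool's or Cognito's own code, that reproduces that exchange in isolation so it can be run with the same client id, secret and callback URL that Retool is configured with. It sends the client credentials as an HTTP Basic header (client_secret_basic), decodes the error body into its RFC 6749 meaning, and ships with a constructed mock token endpoint so it runs offline; the endpoint URL, client id, secret and callback URL in it are placeholders, not values from this thread.

```python
"""Reproduce the OAuth 2.0 authorization-code token exchange and decode the
provider's error body. Added diagnostic example; all identifiers below are
placeholders, not values from the original post."""
import base64
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# RFC 6749 section 5.2 error codes and what each one means on the client side.
TOKEN_ERRORS = {
    "invalid_request": "request is malformed or missing a required parameter",
    "invalid_client": "client authentication failed: unknown client_id, wrong "
                      "client_secret, or secret sent in a way the provider does not accept",
    "invalid_grant": "code is invalid, expired, already used, or redirect_uri "
                     "differs from the one used in the authorization request",
    "unauthorized_client": "this client is not allowed to use the authorization_code grant",
    "unsupported_grant_type": "grant_type is not supported by the provider",
    "invalid_scope": "requested scope is invalid or exceeds what the client may request",
}


def explain_token_error(body: str) -> str:
    """Map a JSON error body such as {"error":"invalid_client"} to its RFC 6749 meaning."""
    try:
        code = json.loads(body).get("error", "")
    except (ValueError, AttributeError):
        return f"non-JSON error body: {body!r}"
    return f"{code}: {TOKEN_ERRORS.get(code, 'unrecognised error code')}"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """client_secret_basic: form-encode id and secret, join with ':', base64 (RFC 6749 2.3.1)."""
    raw = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(raw.encode()).decode()


def exchange_code(token_endpoint, client_id, client_secret, code, redirect_uri):
    """POST the authorization code with client_secret_basic; return (status, parsed JSON body)."""
    data = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }).encode()
    req = urllib.request.Request(token_endpoint, data=data, method="POST", headers={
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    })
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:  # 4xx bodies still carry the JSON error
        return err.code, json.loads(err.read().decode())


class MockTokenEndpoint(BaseHTTPRequestHandler):
    """Constructed stand-in for a provider token endpoint that knows exactly one client."""
    KNOWN = ("app-client-id", "app-client-secret")            # placeholder credentials
    REDIRECT = "https://retool.example.internal/oauth/oidc/callback"  # placeholder callback

    def do_POST(self):
        form = urllib.parse.parse_qs(self.rfile.read(int(self.headers["Content-Length"])).decode())
        if self.headers.get("Authorization") != basic_auth_header(*self.KNOWN):
            return self._reply(400, {"error": "invalid_client"})
        if form.get("redirect_uri") != [self.REDIRECT]:
            return self._reply(400, {"error": "invalid_grant"})
        return self._reply(200, {"access_token": "x", "id_token": "y", "token_type": "Bearer"})

    def _reply(self, status, body):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the mock quiet
        pass


def start_mock():
    """Serve the mock on an ephemeral localhost port; returns its token endpoint URL."""
    server = HTTPServer(("127.0.0.1", 0), MockTokenEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/oauth2/token"


if __name__ == "__main__":
    # Swap the mock URL for a real token endpoint (for Cognito: the user pool's
    # hosted-UI domain plus /oauth2/token) and the real id/secret/callback to diagnose.
    endpoint = start_mock()
    for secret in ("wrong-secret", MockTokenEndpoint.KNOWN[1]):
        status, body = exchange_code(endpoint, "app-client-id", secret, "code-from-browser",
                                     MockTokenEndpoint.REDIRECT)
        print(status, explain_token_error(json.dumps(body)) if "error" in body else body)
```

Because the request is built by hand, the two inputs that most often differ between the app and the provider (the client id/secret pair and the exact callback URL) are visible in one place, and the decoded error tells you which of the two the provider rejected: `invalid_client` is answered before the code or redirect_uri is even looked at, while a redirect_uri mismatch surfaces as `invalid_grant`.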