mod_auth_openidc with AWS Cognito

[blackwhiser1]

Hi everyone,

I am trying to implement SSO with Openidc using AWS Cognito. My application uses apache, so I am using mod_auth_openidc.

Although, I am able to authenticate, when I get redirected after authentication, I get this error:
oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "identities" when parsing claims array elements

With this error, my application is not opening and I can't access it. I have use other systems like Auth0 or Keycloak and it works fine. I am just investigating other solutions such as AWS Cognito. I want to make sure this is not a misconfiguration, before I remove this from my list to try.

My configuration is as followed:
OIDCProviderIssuer https://cognito-idp.us-gov-west-1.amazonaws.com/XXXXXXXXXXXXXX
OIDCProviderAuthorizationEndpoint https://XXXXXXXXX.us-gov-west-1.amazoncognito.com/oauth2/authorize
OIDCProviderTokenEndpoint https://XXXXXXXX.us-gov-west-1.amazoncognito.com/oauth2/token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://XXXXXXXXXX.us-gov-west-1.amazoncognito.com/oauth2/userInfo
OIDCProviderJwksUri https://cognito-idp.us-gov-west-1.amazonaws.com/XXXXXXXXXX/.well-known/jwks.json

    OIDCClientID XXXXXXXXXX
    OIDCClientSecret XXXXXXXXXX
    OIDCCryptoPassphrase XXXXXXXXXX

    OIDCRedirectURI /XXXXXXXXXX/.openidc/redirect_uri
    OIDCRemoteUserClaim email
    OIDCPassUserInfoAs json
    OIDCScope "openid email"

The user entry in AWS Cognito:

Thank you for your help!

[zandbelt]

the message is a warning, there must be something else holding up your authentication flow

[blackwhiser1]

Thank for your answer.

It has been a while I did not write here. But I would like to bring my question to a different area.

My understanding is that mod_auth_openidc uses this JSON. I would like to know if I could pass that JSON to the application. For example, I would like to know how could I read the content of the JSON and access the identities given by Cognito.

We are using Cognito as a broker, which means that our users may have access to different provider. Although when I want to sign out the user, I need to know which provider was used, so the logout can happen.

Thank you for your advice!