Amazon Cognito, custom OpenID provider, “Invalid login token” error

I’m attempting to use Cognito with a custom OpenID provider to get access to AWS services in my iOS app. As the custom OpenID provider I’m using our WP server with the WP OAuth Server plugin. I created the identity provider from the IAM Console with success (checked the thumbprint and it was correct). After that I created the identity pool with default roles and selected the previously created provider in the “Authentication providers” -> OpenID tab. Now in the iOS app I’m trying to get the identityId with the following code:

// Credentials provider backed by the identity pool; the logins map carries the
// OpenID Connect provider's domain as key and the token from the provider as value.
AWSCognitoCredentialsProvider *credentialsProvider =
    [[AWSCognitoCredentialsProvider alloc] initWithRegionType:AWSRegionUSEast1
                                               identityPoolId:poolId];
NSString *domain = @"my.dev.somename.com";
NSString *accessToken = <correct and actual oauth access token>;
credentialsProvider.logins = @{domain: accessToken};

AWSServiceConfiguration *configuration =
    [[AWSServiceConfiguration alloc] initWithRegion:AWSRegionUSEast1
                                credentialsProvider:credentialsProvider];

[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;

// GetId call; a rejected login token surfaces here as task.error.
[[credentialsProvider getIdentityId] continueWithBlock:^id(AWSTask *task) {
    if (task.error) {
        NSLog(@"Error: %@", task.error.localizedDescription);
    }
    else {
        NSLog(@"identityID: %@", task.result);
    }
    return nil;
}];

And every time I get a “GetId failed. … Invalid login token.” error (NotAuthorizedException).
At the same time the access token is valid and not expired, because I can use it to communicate with the server. The audience used during provider creation and the poolId used in the code are correct for sure.


I’m not sure if this may help, but I need to mention that our server supports login with Facebook, so just for testing I added Facebook as an authenticated provider to the identity pool and it worked: I was able to get the identityId that way.

Can anybody help with that?

Update:

The answer from Scott is correct. The only problem here is that there is no way to request an OpenID token from the WP OAuth Server plugin (at least for version 3.1.5, which I’m using). It seems that the plugin supports only the 3-legged authorization flow and we have a 2-legged one here. So I ended up with my own custom WP plugin that uses the “Developer Authenticated Identities Authflow” (see docs) and a custom developer authenticated provider (code example). Hope that helps somebody.


1 comment

  1. Make sure that you’re using a grant type that returns a valid OpenID Connect Token (the WP OAuth Server looks like it supports different tokens/grant types). You can use jwt.io to decode the token issued by your backend. Validate the following about the token:

    1. The iss parameter must match the key used in the logins map ( e.g. login.provider.com ).
    2. The signature must be valid. The signature must be verifiable via an RSA public key.
    3. The fingerprint of the certificate hosting the public key matches what’s configured on your OpenId Connect Provider.
    4. If the azp parameter is present, check this value against listed client IDs in your OpenId Connect provider.
    5. If the azp parameter is not present, check the aud parameter against listed client IDs in your OpenId Connect provider.
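The checklist above can be run offline against a token before handing it to the logins map. The following Python is an added example, not code from the question or the answer: it decodes a compact JWT with the standard library only and checks items 1, 4 and 5 plus the signing algorithm and expiry, and it reports an opaque OAuth access token (which is not a JWT at all) as unusable. Signature verification (item 2) and the thumbprint check (item 3) need the provider's JWKS and TLS certificate and are left to a JWT library; the scheme stripping on iss, the hostname, the client id and the sample token are assumptions constructed for the example.

```python
import base64
import json
import time
from typing import Optional

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token: str) -> tuple:
    """Split a compact JWS into (header, payload). The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def check_cognito_claims(token: str, logins_key: str, client_ids: set, now: Optional[int] = None) -> list:
    """Return the problems that would make Cognito GetId reject this token ([] = claims look fine)."""
    try:
        header, payload = decode_jwt(token)
    except ValueError:  # also covers bad base64 / bad JSON inside the segments
        return ["not a JWT at all: an opaque OAuth access token cannot be used as an OIDC login"]
    problems = []
    # Cognito needs an RSA-signed token whose public key it can fetch from the provider.
    if header.get("alg") not in ("RS256", "RS384", "RS512"):
        problems.append("alg %r is not an RSA algorithm" % header.get("alg"))
    # 1. iss must match the logins-map key, which carries no scheme (assumption: strip it here).
    iss = str(payload.get("iss", "")).split("://", 1)[-1].rstrip("/")
    if iss != logins_key:
        problems.append("iss %r does not match logins key %r" % (payload.get("iss"), logins_key))
    # 4/5. azp takes precedence when present; otherwise aud must name a configured client id.
    if "azp" in payload:
        if payload["azp"] not in client_ids:
            problems.append("azp %r is not a configured client id" % payload["azp"])
    else:
        aud = payload.get("aud")
        auds = aud if isinstance(aud, list) else [aud]
        if not any(a in client_ids for a in auds):
            problems.append("aud %r names no configured client id" % (aud,))
    # An expired token is rejected regardless of the checks above.
    exp = payload.get("exp")
    if exp is not None and exp < (now if now is not None else int(time.time())):
        problems.append("token is expired")
    return problems

def make_unsigned_sample(header: dict, payload: dict) -> str:
    # Constructed test token with a dummy signature, for exercising the claim checks only.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return "%s.%s.%s" % (enc(header), enc(payload), enc({"sig": "dummy"}))
```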
