Score:-1

Why does AWS Cognito require a client secret when configuring an external IdP (Azure AD)?


I don't understand why AWS Cognito requires a client secret when configuring an external IdP (e.g. Azure AD).

AFAIK, AWS Cognito merely forwards federated identities to the external IdP for (OIDC) authorization code grant flows, which in turn results in access and ID tokens being issued to the app after successful authentication.

The client secret is only needed for AWS Cognito authenticating as a service towards e.g. the Azure AD app registration, but why is that needed?

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html

Score:0

I can only speak for Azure AD, but any authentication in Azure AD has to be done in the context of an app registration so that it knows who is asking for the authentication, and most importantly that the user or administrator is consenting for that external service to authenticate against Azure AD and retrieve details about the user.

The authentication request will return information about the user to Cognito. Depending on what is asked for, this could be a very simple token, or it could contain lots of information about the user and the organisation. Azure AD requires the user or company to consent to this sharing, so this consent needs to be recorded against an app registration, and Cognito therefore needs to be able to authenticate as this app registration.

Shuzheng: Thank you. I get your idea that Cognito is using the client secret to consent to the scopes being requested. But in this case, the user is actually redirected to Azure AD by Cognito, with a reply URL pointing to Cognito itself, for the authorization code grant flow (OAuth2). Hence from the user's perspective, the authentication flow is identical to any other application utilizing OIDC for authentication against Azure AD.
Answerer: That doesn't really matter, the authentication is still happening against Azure AD, which requires an app and a scope for the credentials. This is true for any OIDC authentication, it is just the way AAD works.
Shuzheng: Of course, but if you consider authorization code grant flow against Azure AD, there is no client secret. The user is authenticated by means of their credentials and is redirected back to the application with a code. In this case, the redirection goes to AWS Cognito (hosted UI) instead.