invalid_client with OpenID and Cognito

[Michenux]

Current Behavior

Hi,

I'm trying to configure OpenID login with AWS Cognito.

When i click on the OpenID button, i can login but then i'm redirected to the following url :
https://*******/static/oidc-callback.html?code=*****

The page is blank and the browser console shows an error : "invalid_client"

The invoked POST url is :
https://********.auth.eu-west-1.amazoncognito.com/oauth2/token
the form data contains the client_id, a code, the redirect uri, the code verifier and the grant_type: authorization_code

Steps to Reproduce

On the frontend :

API_BASE_URL is empty.
OIDC_CLIENT_ID: *****
OIDC_ISSUER: https://cognito-idp.eu-west-1.amazonaws.com/eu-west-******
OIDC_SCOPE: openid email profile

On the api:

ALPINE_OIDC_ENABLED: true
ALPINE_OIDC_CLIENT_ID: *****
ALPINE_OIDC_ISSUER: https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_******
ALPINE_OIDC_USERNAME_CLAIM: preferred_username
ALPINE_OIDC_USER_PROVISIONING: true
ALPINE_OIDC_TEAMS_CLAIM: cognito:groups
ALPINE_OIDC_TEAM_SYNCHRONIZATION: false

Where i'm a little surprised is that there is no attribute to configure the client secret.

Expected Behavior

The login should work.

Dependency-Track Version

4.12.1

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

16

Browser

Google Chrome

Checklist

• I have read and understand the contributing guidelines
• I have checked the existing issues for whether this defect was already reported

[antoinbo]

Hey, there is no client_secret because Authorization Code flow with PKCE. Can you try creating an OIDC Client as a public app client or single page application?
Also, in case this solves the issue, I would be glad if you can contribute to the OIDC documentation by adding AWSCognito in openidconnect-configuration.md 🙂