
OIDC Client Testing

MCatherine edited this page Aug 22, 2024 · 3 revisions

Purpose

Figuring out how to use an OIDC client is tricky. It's useful to have a manual process to sanity-check that your configuration is working before (or while) coding an application to integrate with Cognito.

Steps to test an OIDC Client

Getting the Authorization Code

  1. Use the OIDC Debugger app
  2. In the flow, select "Authorization Code"
  3. In "Configuration Parameters", for "Authorization Url" select "https://fam-user-pool-mature-mole-domain.auth.ca-central-1.amazoncognito.com/authorize" (replace "fam-user-pool-mature-mole-domain" with the Cognito Domain of your user pool, if necessary).
  4. In "Configuration Parameters", for "Token Url" use the same URL as the "Authorization Url" but switch "/authorize" to "/token" (example: https://fam-user-pool-mature-mole-domain.auth.ca-central-1.amazoncognito.com/token).
  5. In "Request Authorization Code", for "Client ID" enter the client ID of your OIDC client in Cognito.
  6. In "Request Authorization Code", for "Redirect URL" enter the OIDC debugger URL ("https://sso-playground.apps.gold.devops.gov.bc.ca/"). It should be there by default.
  7. In "Request Authorization Code", for "Scope" enter "openid email profile" ("openid" is filled in by default).
  8. Click "Login". This will initiate a login flow and eventually redirect you back to the OIDC debugger.
  9. The ID token and access token are available from the dropdown, in both decoded and raw form.
[Two screenshots of the OIDC Debugger token dropdown, not reproduced here]

Inspecting the tokens

  1. To inspect the access token, copy the text in the "access_token" window over to the auth0 JWT debugger tool.
  2. Don't inspect the refresh token. It's not meant to be human readable.
  3. To inspect the ID token, you have to get it from the developer tools in your browser. In Chrome, under "Network" the last request will be "token" and the response will be JSON that includes the encoded ID token. You can copy that text and put it into the auth0 JWT debugger tool.
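The same flow the debugger drives for you, written out as an added example so you can see each request the steps above produce (this is not code from the wiki or from the project it belongs to). It builds the /authorize URL, pulls the code out of the redirect back to the debugger URL, builds the form body for the /token exchange, and decodes a token the way the JWT debugger tool does (no signature check, inspection only). The client ID is a placeholder, the sample token is constructed here, and the `state` and PKCE parameters are additions the debugger steps do not mention; everything else uses the endpoints and redirect URL from the steps.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders (assumptions, not values from the wiki): substitute your
# user pool's Cognito Domain and the client ID of your OIDC client.
COGNITO_DOMAIN = "https://fam-user-pool-mature-mole-domain.auth.ca-central-1.amazoncognito.com"
CLIENT_ID = "<your-client-id>"
REDIRECT_URI = "https://sso-playground.apps.gold.devops.gov.bc.ca/"
SCOPE = "openid email profile"


def pkce_challenge(code_verifier: str) -> str:
    """S256 code challenge: base64url(sha256(verifier)) with padding stripped (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(domain, client_id, redirect_uri, scope, state, code_verifier):
    """Build the /authorize request the debugger sends the browser to when you click Login."""
    params = {
        "response_type": "code",          # Authorization Code flow
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,                   # echoed back; lets us reject callbacks we never asked for
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{domain}/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Pull the authorization code out of the redirect back to the debugger URL.

    A callback whose 'state' differs from the one we generated is discarded:
    it was not produced by the request we made.
    """
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding callback")
    return qs["code"][0]


def build_token_request(domain, client_id, redirect_uri, code, code_verifier):
    """Return (url, form-encoded body) for the /token exchange."""
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,     # must equal the one sent to /authorize
        "code": code,
        "code_verifier": code_verifier,   # proves this client started the flow
    }
    return f"{domain}/token", urlencode(body)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str):
    """Decode a JWT's header and payload for inspection only, as the JWT debugger does.

    No signature is checked, so an application must never act on claims read this
    way; it is for eyeballing fields such as token_use, scope and exp.
    """
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def _b64url_encode_json(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_sample_jwt(payload: dict) -> str:
    """Constructed, unsigned sample token so the decoder can be exercised offline."""
    header = _b64url_encode_json({"alg": "RS256", "kid": "sample-kid"})
    return f"{header}.{_b64url_encode_json(payload)}.not-a-real-signature"


if __name__ == "__main__":
    verifier = secrets.token_urlsafe(32)
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(COGNITO_DOMAIN, CLIENT_ID, REDIRECT_URI, SCOPE, state, verifier))
    # Simulate the redirect the debugger receives after login, then the code exchange.
    code = parse_callback(f"{REDIRECT_URI}?code=sample-code&state={state}", state)
    print(build_token_request(COGNITO_DOMAIN, CLIENT_ID, REDIRECT_URI, code, verifier))
    sample = make_sample_jwt({"token_use": "access", "client_id": CLIENT_ID, "scope": SCOPE})
    print(decode_jwt_unverified(sample))
```

The `state` check is the part worth keeping from this when you move on to real application code: a callback carrying a code but the wrong `state` should be dropped, not exchanged. The decoder deliberately skips signature verification because that is what a debugger view needs; the application should validate the signature against the user pool's JWKS instead.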

Troubleshooting

  • Your OIDC client is configured in Cognito, and to use OIDC Debugger the debugger's URL must be configured as a valid redirect URL for that client. That's OK in a DEV environment, but don't leave your client in that configuration in production.
  • If you are redirecting back to an API or another public URL (i.e. something other than OIDC Debugger), that URL must be configured in Cognito as one of your valid redirect URLs.