I don't understand why AWS Cognito requires a client secret when configuring an external IdP (e.g. Azure AD).

AFAIK, AWS Cognito merely forwards federated identities to the external IdP for (OIDC) authorization code grant flows, which in turn results in access- and ID tokens issued to the app after successful authentication:

The client secret is only needed for AWS Cognito authenticating as a service towards e.g. the Azure AD app registration, but why is that needed?

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html

Shuzheng
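The authorization code grant the question describes, played out with both sides' messages. This is an added example and not code from the original post, from AWS Cognito or from Azure AD: the endpoints, client id, client secret and redirect URI are constructed placeholders, and the mock IdP models only what RFC 6749 §4.1.3 and OIDC require of a token endpoint serving a confidential client. It shows where the secret does and does not appear: the browser redirect carries only the public client_id, while the back-channel exchange of the code for tokens must authenticate the relying party with the secret, and the mock token endpoint refuses the exchange without it.

```python
"""Minimal OIDC authorization-code flow with both the RP and the IdP side.

Added example, not code from the original post, AWS or Microsoft. All
hostnames, ids and secrets are constructed; the mock IdP stands in for
Azure AD and the "RP" for a relying party such as Cognito's hosted UI.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# --- constructed configuration (assumptions, not real tenants/apps) ---
IDP_AUTHORIZE = "https://login.example.test/oauth2/v2.0/authorize"
IDP_TOKEN = "https://login.example.test/oauth2/v2.0/token"
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_SECRET = "constructed-secret-value"
REDIRECT_URI = "https://example-pool.auth.eu-west-1.example.test/oauth2/idpresponse"


def _s256(code_verifier):
    """PKCE S256 challenge: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(code_verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorize_url(state, nonce, code_verifier):
    """Front channel: the redirect the RP sends the browser to.
    Only the public client_id is present; the secret never goes here."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
        "code_challenge": _s256(code_verifier),
        "code_challenge_method": "S256",
    }
    return IDP_AUTHORIZE + "?" + urlencode(params)


class MockIdP:
    """Stand-in IdP: issues a code after 'login', then redeems it only
    if the caller proves it is the registered application."""

    def __init__(self):
        self.issued = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, url):
        """User authenticates here (with their own credentials, no secret)
        and is redirected back to the RP callback with code and state."""
        q = parse_qs(urlparse(url).query)
        code = secrets.token_urlsafe(24)
        self.issued[code] = (q["client_id"][0], q["redirect_uri"][0],
                             q["code_challenge"][0])
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"][0]})

    def token(self, headers, form):
        """Back channel (RFC 6749 4.1.3), client_secret_basic authentication."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return 401, {"error": "invalid_client"}
        cid, _, csec = base64.b64decode(auth[6:]).decode().partition(":")
        if (cid, csec) != (CLIENT_ID, CLIENT_SECRET):
            return 401, {"error": "invalid_client"}
        rec = self.issued.pop(form.get("code"), None)  # codes are single use
        if rec is None or rec[0] != cid or rec[1] != form.get("redirect_uri"):
            return 400, {"error": "invalid_grant"}
        if _s256(form.get("code_verifier", "")) != rec[2]:
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": secrets.token_urlsafe(16),
                     "id_token": "header.payload.signature",
                     "token_type": "Bearer"}


def rp_handle_callback(idp, callback_url, expected_state, code_verifier,
                       with_secret=True):
    """RP side of the callback: check state, then redeem the code."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state") != [expected_state]:
        raise ValueError("state mismatch (possible CSRF)")
    form = {"grant_type": "authorization_code", "code": q["code"][0],
            "redirect_uri": REDIRECT_URI, "code_verifier": code_verifier}
    headers = {}
    if with_secret:  # this is the only place the secret is ever sent
        cred = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    return idp.token(headers, form)


def run_flow(with_secret=True):
    """Whole exchange end to end; returns the token endpoint's (status, body)."""
    idp = MockIdP()
    state, nonce, verifier = (secrets.token_urlsafe(16) for _ in range(3))
    callback = idp.authorize(build_authorize_url(state, nonce, verifier))
    return rp_handle_callback(idp, callback, state, verifier, with_secret)


if __name__ == "__main__":
    print("with secret:", run_flow(True)[0])      # 200
    print("without secret:", run_flow(False)[0])  # 401
```

Running it, the flow completes with the secret and is rejected as invalid_client without it, even though the user logged in successfully and the code is genuine; from the browser's point of view the two runs are indistinguishable.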

1 Answer

I can only speak for Azure AD, but any authentication in Azure AD has to be done in the context of an app registration, so that it knows who is asking for the authentication and, most importantly, that the user or administrator is consenting to that external service authenticating against Azure AD and retrieving details about the user.

The authentication request will return information about the user to Cognito. Depending on what is asked for, this could be just a very simple token, or it could contain lots of information about the user and the organisation. Azure AD requires the user or company to consent to this sharing, so this consent needs to be recorded against an app registration, and so Cognito needs to be able to authenticate as this app registration.

Sam Cogan
  • Thank you. I get your idea that Cognito is using the client secret to consent to the scopes being requested. But in this case, the user is actually redirected to Azure AD by Cognito, with a reply URL pointing to Cognito itself, for the authorization code grant flow (OAuth2). Hence from the user's perspective, the authentication flow is identical to any other application utilizing OIDC for authentication against Azure AD – Shuzheng Jul 20 '23 at 09:28
  • That doesn't really matter, the authentication is still happening against Azure AD, which requires an app and a scope for the credentials. This is true for any OIDC authentication, it is just the way AAD works. – Sam Cogan Jul 24 '23 at 07:56
  • Of course, but if you consider the authorization code grant flow against Azure AD, there is no client secret. The user is authenticated by means of their credentials and is redirected back to the application with a code. In this case, the redirection goes to AWS Cognito (hosted UI) instead – Shuzheng Jul 24 '23 at 11:12