I'm attempting to set AWS.config.credentials in a serverless Lambda (running behind a REST endpoint). The login is from a Cognito User Pool which uses ADFS as a federated identity provider. I also have a Cognito Identity Pool in the mix.
My lambda handler has event, context, and callback parameters like this:
```javascript
exports.handler = (event, context, callback) => { ... };
```
The event.headers.Authorization has a valid JWT (from the id_token) which was placed in the Authorization header when the POST call on the HTML client to the REST endpoint was executed. I validated the JWT myself here: https://jwt.io. In addition, the context.authorizer object also looks to be valid indicating that I am logged in, it has my email and username information and valid issuance and expiry dates. In short, I'm pretty sure I've got a valid login.
But when I try to execute the following commands I get an error that says "NotAuthorizedException: Invalid login token. Issuer doesn't match providerName"
```javascript
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'us-east-1:my-identity-pool-id',
  Logins: {
    // key: user pool provider, value: the id_token from the Authorization header
    "cognito-idp:us-east-1.amazonaws.com/us-east-1_myUserPoolId": event.headers.Authorization
  }
});

AWS.config.credentials.get(err => {
  if (!err) {
    const id = AWS.config.credentials.identityId;
    console.log('Cognito Identity ID ' + id);
  } else {
    console.log('cred error: ', err);
  }
});
```
Of course, my-identity-pool-id and myUserPoolId are replaced with their actual values. I've seen many other posts on this topic indicating that incorrectly formulated Logins objects produce this error, but I've been over that several times in this code, and had others look it over for me as well. I don't think I got that part wrong. Insofar as the error text is concerned, it is actually correct. If I look at my decoded JWT, the issuer and the providerName are different:
```json
{
  "at_hash": "pciSj0Hcjk1Pp9noJIj4GQ",
  "sub": "e41500b1-d987-49be-81c0-8fbc36a59ce1",
  "email_verified": false,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxx",
  "cognito:username": "ge2cadmin2-saml-idp_ravi",
  "cognito:roles": [ "MyFancyRole" ],
  "aud": "7r7v0ren5fm3m6vmjgj6nasr79",
  "identities": [
    {
      "userId": "ravi",
      "providerName": "ge2cadmin2-saml-idp",
      "providerType": "SAML",
      "issuer": "http://adfs.careevolution.com/adfs/services/trust",
      "primary": "true",
      "dateCreated": "1590770196859"
    }
  ],
  "token_use": "id",
  "auth_time": 1591118267,
  "exp": 1591126227,
  "iat": 1591122627,
  "email": "[email protected]"
}
```
As you can see, in the identities[] section the issuer is http://adfs.careevolution.com/adfs/services/trust and the providerName is ge2cadmin2-saml-idp. But I think in this scenario that is to be expected. However, if the problem is indeed this difference (and not some misconfiguration elsewhere), how can I set things up so AWS.CognitoIdentityCredentials is OK with the issuer being different from the providerName?
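An added example, not code from the question above: Cognito Identity compares the key of the Logins map against the id_token's own top-level `iss` claim with the `https://` scheme removed (`cognito-idp.<region>.amazonaws.com/<userPoolId>`); the SAML `issuer` and `providerName` inside `identities[]` are not what it matches. Rather than hand-typing that key, this Node.js snippet derives it from the token, builds the parameters for AWS.CognitoIdentityCredentials, and flags a hand-written key that differs from the derived one. The pool ids, client id and the sample token are constructed placeholder values, and the payload is decoded without signature verification because, in the setup described, the API Gateway authorizer has already verified the token.

```javascript
// Added example: derive the Cognito Identity "Logins" key from the id_token's
// "iss" claim instead of hand-typing it. All ids and the token are constructed
// placeholders, not values from the original question.

const b64urlDecode = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
const b64urlEncode = (s) =>
  Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Decode a JWT payload WITHOUT verifying the signature. Only acceptable when
// the token was already verified upstream (here: the API Gateway authorizer);
// the result is used solely to read the issuer.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS: expected 3 segments');
  return JSON.parse(b64urlDecode(parts[1]));
}

// The Logins key Cognito Identity expects for a user pool token is the token's
// iss minus the scheme: "cognito-idp.<region>.amazonaws.com/<userPoolId>".
function loginsKeyFromIdToken(idToken) {
  const payload = decodeJwtPayload(idToken);
  if (payload.token_use !== 'id') {
    throw new Error(`expected an id token, got token_use=${payload.token_use}`);
  }
  const iss = new URL(payload.iss);
  return iss.host + iss.pathname;
}

// Build the parameter object for new AWS.CognitoIdentityCredentials(...).
// Accepts the raw Authorization header value, with or without a Bearer prefix.
function buildCredentialParams(identityPoolId, authorizationHeader) {
  const idToken = authorizationHeader.replace(/^Bearer\s+/i, '');
  const logins = {};
  logins[loginsKeyFromIdToken(idToken)] = idToken;
  return { IdentityPoolId: identityPoolId, Logins: logins };
}

// Compare a hand-written Logins key with the one derived from the token.
function checkLoginsKey(candidateKey, idToken) {
  const expected = loginsKeyFromIdToken(idToken);
  return candidateKey === expected
    ? { ok: true, expected }
    : { ok: false, expected, got: candidateKey };
}

// Constructed sample id_token with the claim shape of a Cognito User Pool
// token (fake pool id, fake client id, fake signature; not a real token).
const SAMPLE_PAYLOAD = {
  sub: '00000000-0000-4000-8000-000000000000',
  iss: 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE',
  aud: 'exampleclientid',
  identities: [{
    providerName: 'example-saml-idp',
    providerType: 'SAML',
    issuer: 'http://adfs.example.com/adfs/services/trust',
  }],
  token_use: 'id',
  exp: 4102444800,
};
const SAMPLE_ID_TOKEN = [
  b64urlEncode(JSON.stringify({ alg: 'RS256', kid: 'example' })),
  b64urlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  'fakesignature',
].join('.');

// Usage inside the Lambda handler would be:
//   const params = buildCredentialParams(identityPoolId, event.headers.Authorization);
//   AWS.config.credentials = new AWS.CognitoIdentityCredentials(params);
function demo() {
  const params = buildCredentialParams(
    'us-east-1:00000000-0000-0000-0000-000000000000', 'Bearer ' + SAMPLE_ID_TOKEN);
  // A key that deviates from iss by a single character (a colon where the
  // dot belongs) is reported as a mismatch.
  const check = checkLoginsKey(
    'cognito-idp:us-east-1.amazonaws.com/us-east-1_EXAMPLE', SAMPLE_ID_TOKEN);
  return { params, check };
}
```

Deriving the key from `iss` also means the same handler works unchanged if the user pool is moved to another region or replaced, since nothing region- or pool-specific is hard-coded.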