Integrating Microsoft(both personal and work Azure AD) OIDC to AWS Cognito

prasadn 6 Reputation points
2021-05-11T10:28:31.013+00:00

Hi,

I was trying to integrate MSF OIDC to AWS Cognito user pool. Created a new app registration in Azure AD with "signInAudience": "AzureADandPersonalMicrosoftAccount" and set "issuer": "https://login.microsoftonline.com/common/v2.0" in Cognito federation and other settings. When I try to log in with a work or personal MSF account it's throwing an "invalid_request" error with description "Bad id_token issuer". If I replace the tenant_id "common" in the issuer with a specific tenant_id (9188040d-6c67-4c5b-b112-36a304b66dad for example, the personal MSF tenant) then the flow is working as expected by sending the authorization code back. Any help would be appreciated!

Microsoft Entra ID

1 answer

  1. AmanpreetSingh-MSFT 56,556 Reputation points
    2021-05-17T14:48:08.573+00:00

    Hi @prasadn, thank you for reaching out.

    This is expected behavior. The /common endpoint is used for tenant discovery, which means when you go to the /common endpoint and type username@example.com in the username field, you will be redirected to the tenant on the basis of your UPN suffix. In this case, you will be redirected to the tenant where example.com is added as a custom domain. Eventually the token will be issued by the example.com tenant and the issuer claim in the token will look like "https://login.microsoftonline.com/tenant_id_of_example.com/v2.0".

    Token issuer value can NOT be "https://login.microsoftonline.com/common/v2.0" in any case.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    1 person found this answer helpful.
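The issuer check that produces the "Bad id_token issuer" error in the question can be reproduced with a few lines of code. The example below is added here and is not code from Microsoft, AWS Cognito or the question author: it decodes the payload of a constructed, unsigned id_token, extracts the `iss` and `tid` claims, and compares `iss` against the issuer(s) a relying party is configured with. It shows why a configured issuer of `.../common/v2.0` can never match (tokens always carry a concrete tenant id, as the answer explains) and, going beyond the question, how a relying party that wants to accept more than one tenant would validate against an explicit tenant allowlist rather than the `common` alias. Signature verification is deliberately out of scope; a real relying party verifies the signature against the tenant's JWKS before trusting any claim. The `MSA_TENANT` value is the personal-account tenant id quoted in the question; the token contents are constructed sample data.

```python
import base64
import json
import re
from typing import Iterable, Tuple

# Tenant-discovery alias from the question: valid as an authorization endpoint,
# but never the value of the "iss" claim in an issued id_token.
COMMON_ISSUER = "https://login.microsoftonline.com/common/v2.0"

# Personal Microsoft account tenant id, as quoted in the question.
MSA_TENANT = "9188040d-6c67-4c5b-b112-36a304b66dad"

# Shape of a v2.0 issuer actually placed in id_tokens: a concrete tenant GUID.
TENANT_ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/(?P<tid>[0-9a-fA-F-]{36})/v2\.0$"
)


def tenant_issuer(tenant_id: str) -> str:
    """Build the v2.0 issuer URL for a specific tenant id."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"


def configured_issuer_is_usable(issuer: str) -> bool:
    """True only if the configured issuer is tenant-specific, i.e. could ever
    equal an "iss" claim. The /common alias (and any non-GUID path) fails."""
    return TENANT_ISSUER_RE.match(issuer) is not None


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Constructed test helper: header.payload.<placeholder signature>.
    Only used to produce sample input; never accept such a token in production."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWT. Does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer(claims: dict, expected_issuers: Iterable[str]) -> Tuple[bool, str]:
    """Validate the "iss" claim the way a relying party must:
    1. it must be a tenant-specific v2.0 issuer,
    2. its tenant id must agree with the "tid" claim,
    3. it must be one of the issuers the relying party is configured to trust.
    Returns (ok, reason)."""
    iss = claims.get("iss", "")
    match = TENANT_ISSUER_RE.match(iss)
    if match is None:
        return False, f"Bad id_token issuer: {iss!r} is not a tenant-specific v2.0 issuer"
    tid = match.group("tid")
    if claims.get("tid") != tid:
        return False, "Bad id_token issuer: tid claim does not match tenant in iss"
    expected = set(expected_issuers)
    if iss not in expected:
        # This is the branch the question hits when the configured issuer is /common/v2.0.
        return False, f"Bad id_token issuer: {iss!r} not in configured issuers {sorted(expected)}"
    return True, "issuer ok"


if __name__ == "__main__":
    # Constructed token as the personal-account tenant would issue it (unsigned sample).
    token = make_unsigned_token(
        {"iss": tenant_issuer(MSA_TENANT), "tid": MSA_TENANT,
         "aud": "constructed-client-id", "sub": "constructed-subject"}
    )
    claims = decode_claims(token)
    print("configured /common usable:", configured_issuer_is_usable(COMMON_ISSUER))
    print("against /common:", check_issuer(claims, [COMMON_ISSUER]))
    print("against tenant issuer:", check_issuer(claims, [tenant_issuer(MSA_TENANT)]))
    # Multi-tenant relying party: list each tenant you trust explicitly.
    print("against allowlist:", check_issuer(claims, [tenant_issuer(MSA_TENANT),
                                                     tenant_issuer("00000000-0000-0000-0000-000000000001")]))
```

Running the script prints a failure for the `/common` configuration and success for the tenant-specific one, which is exactly the behaviour the question observed. For a relying party that must accept both work and personal accounts through a single configured issuer, the practical consequence is that the trust decision has to be expressed as a set of concrete tenant issuers (or a tenant allowlist applied after the pattern check), not as the `common` discovery URL.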
