Can I reconfigure the iss claim in the JWT from AD B2C to be appropriate for the AWS Cognito identity pool?

hisayan 1 Reputation point
2021-10-07T09:42:59.79+00:00

I want to integrate Azure AD B2C with an AWS Cognito identity pool using OIDC.

But I have a problem.

The iss claim does not match on both sides.

1) Cognito identity pool

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/open-id.html

The iss claim must match the key used in the logins map (such as login.provider.com <= tenantid.b2clogin.com).

2) Azure AD B2C

https://learn.microsoft.com/en-us/azure/active-directory-b2c/jwt-issuer-technical-profile

The iss claim pattern is:

https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/
or
https://login.microsoftonline.com/tfp/00000000-0000-0000-0000-000000000000/b2c_1a_tp_sign-up-or-sign-in/v2.0/

The iss claim that is returned from AD B2C:

idTokenClaims {
iss: "https://{tenantid}.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/"
}

I tried it with msal-react and the AWS SDK for JavaScript v3.

https://www.npmjs.com/package/@azure/msal-react
https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/index.html

   import { fromCognitoIdentityPool } from "@aws-sdk/credential-provider-cognito-identity";
   import { S3Client, ListBucketsCommand } from "@aws-sdk/client-s3";

   // payload.idToken is the raw B2C ID token (JWT) returned by msal-react.
   // fromCognitoIdentityPool is a factory function, not a class, so no `new`.
   const creds = fromCognitoIdentityPool({
     clientConfig: { region: REGION },
     identityPoolId: 'ap-northeast-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
     logins: {
       'tenantid.b2clogin.com': payload.idToken
     }
   });

   const s3Client = new S3Client({ region: REGION, credentials: creds });
   // const s3Client = new S3Client({ region: REGION });
   s3Client
     .send(new ListBucketsCommand({}))
     .then((a) => {
       console.log('ok', a);
     })
     .catch((e) => {
       console.log('err', e);
     });

I tried this code and an error was raised:

'NotAuthorizedException: Invalid login token. Issuer doesn't match providerName'

What should I do?


1 answer

  1. Hazem Elshabini 81 Reputation points
    2021-10-19T09:23:24.42+00:00

    The logins value corresponds to the issuer URL; in the OpenID Connect standard it is allowed to be a URL with path components. So either of those patterns should be valid. So make sure you use one of these patterns when you're defining your provider. Ref: https://docs.aws.amazon.com/cli/latest/reference/iam/create-open-id-connect-provider.html#options

    It states:

    The URL of the identity provider. The URL must begin with https:// and should correspond to the iss claim in the provider's OpenID Connect ID tokens. Per the OIDC standard, path components are allowed but query parameters are not. Typically the URL consists of only a hostname, like https://server.example.org or https://example.com . The URL should not contain a port number.

    You cannot register the same provider multiple times in a single Amazon Web Services account. If you try to submit a URL that has already been used for an OpenID Connect provider in the Amazon Web Services account, you will get an error.

    Then you can try setting the logins value in your code to one of these patterns, which should now be accepted because it matches the provider name. For example:

    import { fromCognitoIdentityPool } from "@aws-sdk/credential-provider-cognito-identity";

    // fromCognitoIdentityPool is a factory function, not a class, so no `new`.
    const creds = fromCognitoIdentityPool({
      clientConfig: { region: REGION },
      identityPoolId: 'ap-northeast-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
      logins: {
        'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0/': payload.idToken
      }
    });
    
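Added example (not code from the question or the answer above): a small Node.js check that decodes the B2C ID token's payload, reads its `iss` claim, and compares it with the key you intend to put in the identity pool's `logins` map, so the "Issuer doesn't match providerName" rejection can be reproduced locally before a round trip to Cognito. It assumes Cognito compares the two values after dropping the `https://` scheme and any trailing slash from `iss`; the tenant name `contoso`, the claims and the unsigned sample token are constructed for the demo.

```javascript
// Decode a JWT payload without verifying the signature. Signature
// verification is Cognito's job in this flow; here we only inspect `iss`.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  const json = Buffer.from(parts[1], "base64url").toString("utf8");
  return JSON.parse(json);
}

// Normalize an issuer URL into the form used as a logins key / IAM OIDC
// provider name. Assumption: scheme and trailing slash are dropped; query
// strings and fragments are not permitted in an OIDC issuer.
function issuerToLoginsKey(iss) {
  const url = new URL(iss);
  if (url.protocol !== "https:") throw new Error("iss must use https://");
  if (url.search || url.hash) throw new Error("iss must not carry a query or fragment");
  if (url.port) throw new Error("iss must not contain a port number");
  return (url.host + url.pathname).replace(/\/+$/, "");
}

// Compare the token's iss against the logins key the caller wants to use.
// Returns the raw iss, the key Cognito would expect, and whether they agree.
function checkLoginsKey(idToken, loginsKey) {
  const { iss } = decodeJwtPayload(idToken);
  if (typeof iss !== "string") throw new Error("token has no iss claim");
  const expected = issuerToLoginsKey(iss);
  const given = loginsKey.replace(/^https:\/\//, "").replace(/\/+$/, "");
  return { iss, expected, given, ok: expected === given };
}

// Constructed sample: alg "none" header, B2C-shaped claims, dummy signature.
// Never accept alg "none" tokens in production; this is only test input.
function makeUnsignedToken(claims) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${b64({ alg: "none", typ: "JWT" })}.${b64(claims)}.dummysig`;
}

const SAMPLE_ISS =
  "https://contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0/";
const SAMPLE_TOKEN = makeUnsignedToken({
  iss: SAMPLE_ISS,
  sub: "11111111-2222-3333-4444-555555555555",
  aud: "constructed-client-id",
});

// Host-only key, as in the question: mismatch (ok: false).
console.log(checkLoginsKey(SAMPLE_TOKEN, "contoso.b2clogin.com"));
// Key including the tenant path: match (ok: true).
console.log(
  checkLoginsKey(
    SAMPLE_TOKEN,
    "contoso.b2clogin.com/00000000-0000-0000-0000-000000000000/v2.0"
  )
);
```

Run it once with the real ID token pasted in place of the sample: if `ok` is false, the `logins` key (and the IAM OIDC provider it names) does not match what B2C actually puts in `iss`, which is the condition the `NotAuthorizedException` reports.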
