AWS Cognito
Feature/OIDC support
✅ PKCE
✅ Nonce
✅ State
❌ Access Token validation
❌ ID Token validation
AWS Cognito doesn't correctly implement the OAuth 2 standard and doesn't provide an aud
field for the audience. Therefore it is not possible to verify the access token or the ID token.
Introduction
For AWS Cognito you have to provide at least the baseUrl, clientId, clientSecret and logoutRedirectUri properties. The baseUrl is used to dynamically create the authorizationUrl, tokenUrl, logoutUrl and userInfoUrl.
The only supported OAuth grant type is Authorization code grant.
The final URL should look something like this: https://cognito-idp.eu-north-1.amazonaws.com/eu-north-1_SOMEID/.well-known/openid-configuration.
You will also encounter an error if you have not correctly registered the redirectUri under "Allowed callback URLs" or the logoutRedirectUri under "Allowed sign-out URLs".
If you need additional scopes, specify them in the scope property in your nuxt config, like scope: ['openid', 'email', 'profile'].
Example Configuration
cognito: {
clientId: '',
redirectUri: 'http://localhost:3000/auth/cognito/callback',
clientSecret: '',
scope: ['openid', 'email', 'profile'],
logoutRedirectUri: 'https://google.com',
baseUrl: '',
exposeIdToken: true, // This is necessary to validate the logout redirect. If you don't need the ID token and don't use a logout redirect, set this to false.
},
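An added example, not the module's own code, that derives the four endpoint URLs from baseUrl as described above and sanity-checks a Cognito provider config before it is deployed. The /oauth2/* and /logout paths are Cognito's hosted-UI paths, but that the module builds them exactly this way, and the names cognitoEndpoints, buildLogoutUrl and validateCognitoConfig, are assumptions.

```javascript
// Hypothetical helpers (not part of the module): endpoint derivation and
// a pre-deployment check of the provider config described on this page.
const REQUIRED = ['baseUrl', 'clientId', 'clientSecret', 'logoutRedirectUri'];

// Cognito's hosted-UI endpoints all hang off the user-pool domain (baseUrl).
// Assumption: the module derives them the same way.
function cognitoEndpoints(baseUrl) {
  const base = baseUrl.replace(/\/+$/, ''); // tolerate a trailing slash
  return {
    authorizationUrl: `${base}/oauth2/authorize`,
    tokenUrl: `${base}/oauth2/token`,
    userInfoUrl: `${base}/oauth2/userInfo`,
    logoutUrl: `${base}/logout`,
  };
}

// Cognito's /logout endpoint needs client_id and a logout_uri that is
// registered under "Allowed sign-out URLs"; an unregistered value errors.
function buildLogoutUrl(config) {
  const url = new URL(cognitoEndpoints(config.baseUrl).logoutUrl);
  url.searchParams.set('client_id', config.clientId);
  url.searchParams.set('logout_uri', config.logoutRedirectUri);
  return url.toString();
}

// Returns a list of problems; an empty list means the config looks sane.
function validateCognitoConfig(config) {
  const problems = [];
  for (const key of REQUIRED) {
    if (!config[key]) problems.push(`missing required property "${key}"`);
  }
  // Callback and sign-out URLs must be absolute to match the registered values.
  for (const key of ['baseUrl', 'redirectUri', 'logoutRedirectUri']) {
    if (config[key] && !/^https?:\/\//.test(config[key])) {
      problems.push(`${key} must be an absolute URL`);
    }
  }
  // An OIDC login needs the openid scope; only checked when scope is overridden.
  if (Array.isArray(config.scope) && !config.scope.includes('openid')) {
    problems.push('scope must include "openid"');
  }
  // The ID token is needed to validate the logout redirect (see config comment).
  if (config.logoutRedirectUri && config.exposeIdToken === false) {
    problems.push('exposeIdToken must be true when a logout redirect is used');
  }
  return problems;
}
```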
Environment variables
Dotenv files are only for (local) development. Use a proper configuration management or injection system in production.
NUXT_OIDC_PROVIDERS_COGNITO_CLIENT_ID=CLIENT_ID
NUXT_OIDC_PROVIDERS_COGNITO_CLIENT_SECRET=CLIENT_SECRET
NUXT_OIDC_PROVIDERS_COGNITO_BASE_URL=https://YOURAPP.auth.eu-north-1.amazoncognito.com