
Long-term solution for identity provider #11

Open
julfers opened this issue Oct 16, 2020 · 0 comments

Contributor

julfers commented Oct 16, 2020

An email from Auth0:

To prevent your integration between AWS Cognito and Auth0 from suffering any impact during the maintenance window, you need to take one of the following actions:

  1. Shift to the AWS SAML Connector to integrate with Auth0 instead of OIDC. This is preferred as SAML does not require certificate pinning.
  2. Shift to a Custom Domain with Self-Managed Certificates if you require certificate pinning. This feature is only available for Enterprise customers.
  3. (Short-term workaround) Add the following certificate thumbprint as a trusted certificate in your AWS Cognito configuration prior to the maintenance window mentioned above.

B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A

...

Due to limitations in the AWS OIDC provider, the root certificate thumbprint of our new network edge provider does not work. Because of this, the provided thumbprint is for an intermediate certificate and is expected to expire on December 31st, 2024. This intermediate certificate may be rotated by our network edge provider earlier without warning.

For now, I added the "short-term workaround" thumbprint to our Amazon OpenID Connect identity provider. If we want to use SAML instead, we'll need to update https://github.com/NLTGit/pagaf/wiki/Auth0-and-Amazon-setup.
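One way to keep an eye on the short-term workaround described above, as an added example (a script of my own, not from the issue or the pagaf project): it lists the SHA-1 thumbprint and expiry of every certificate in the issuer's chain, checks whether any thumbprint configured on the OpenID Connect identity provider still matches, and flags certificates that expire soon. It assumes `openssl` is on PATH and that the chain was saved as a PEM bundle, for example from `openssl s_client -connect <issuer-host>:443 -showcerts`.

```shell
#!/usr/bin/env bash
# Added example, not part of the issue: audit a saved certificate chain against the
# thumbprints pinned on an OIDC identity provider. Requires openssl.

# Split a PEM bundle into one file per certificate in a temp dir; echo the dir.
split_chain() {
  local bundle="$1" dir
  dir="$(mktemp -d)"
  awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0 {print > (dir "/cert" n ".pem")}' "$bundle"
  echo "$dir"
}

# Print one line per certificate: position<TAB>SHA1 thumbprint<TAB>notAfter<TAB>subject.
chain_report() {
  local bundle="$1" dir f i=0 fp end subj
  dir="$(split_chain "$bundle")"
  for f in "$dir"/cert*.pem; do
    i=$((i + 1))
    fp="$(openssl x509 -in "$f" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':')"
    end="$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)"
    subj="$(openssl x509 -in "$f" -noout -subject | cut -d= -f2-)"
    printf '%s\t%s\t%s\t%s\n' "$i" "$fp" "$end" "$subj"
  done
  rm -rf "$dir"
}

# Return 0 and print the matching report line if any configured thumbprint
# (space-separated, any case, colons allowed) is in the chain; return 1 if the
# pinned certificate has rotated out of the chain.
check_pin() {
  local bundle="$1" configured="$2" want report match
  report="$(chain_report "$bundle")"
  for want in $configured; do
    want="$(printf '%s' "$want" | tr -d ':' | tr 'a-f' 'A-F')"
    match="$(printf '%s\n' "$report" | awk -F'\t' -v w="$want" '$2 == w')"
    if [ -n "$match" ]; then printf '%s\n' "$match"; return 0; fi
  done
  echo "no configured thumbprint matches the chain: pinned certificate rotated or missing" >&2
  return 1
}

# Print a warning line for each certificate that expires within N days.
expiring_within() {
  local bundle="$1" days="$2" dir f secs=$(( $2 * 86400 ))
  dir="$(split_chain "$bundle")"
  for f in "$dir"/cert*.pem; do
    if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null; then
      printf 'expires within %s days: %s (%s)\n' "$days" \
        "$(openssl x509 -in "$f" -noout -subject | cut -d= -f2-)" \
        "$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)"
    fi
  done
  rm -rf "$dir"
}
```

Run `check_pin chain.pem "B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A"` from a scheduled job so a silent rotation of the intermediate is noticed before logins fail.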
