
This doesn't work with AWS Cognito #21014

Closed
JSpring3 opened this issue Apr 20, 2020 · 9 comments
Labels
area-blazor Includes: Blazor, Razor Components feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly investigate Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue.

Comments

@JSpring3

I could not get your example working with AWS Cognito.
It sends me back a valid ID token and a valid access token in the response, but the example application does nothing with the two tokens, so it doesn't display the name or show that you are logged in.

Here is my AWS Cognito Config
cc: @guardrex

```csharp
builder.Services.AddOidcAuthentication(options =>
{
    // Configure your authentication provider options here.
    // For more information, see https://aka.ms/blazor-standalone-auth

    options.ProviderOptions.Authority = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_ydUErvZQJ/";
    options.ProviderOptions.ClientId = "2m50t6m94ec7pcnuk4179k15sf";
    options.ProviderOptions.ResponseType = "token";
    options.ProviderOptions.RedirectUri = "https://localhost:5001";
    options.ProviderOptions.DefaultScopes.Add("aws.cognito.signin.user.admin");
    options.ProviderOptions.DefaultScopes.Add("email");
    options.ProviderOptions.DefaultScopes.Add("openid");
    options.ProviderOptions.DefaultScopes.Add("phone");
    options.ProviderOptions.DefaultScopes.Add("profile");
});
```


@mkArtakMSFT mkArtakMSFT added the area-identity Includes: Identity and providers label Apr 20, 2020
@blowdart blowdart added the area-blazor Includes: Blazor, Razor Components label Apr 20, 2020
@blowdart (Contributor)

If you capture the JWT and put it into a debugger like https://jwt.io/ does it have the claims you asked for?

@JSpring3 (Author)

> If you capture the JWT and put it into a debugger like https://jwt.io/ does it have the claims you asked for?

It does, but it doesn't display on the Blazor page... that is the issue at hand.

@javiercn (Member)

javiercn commented Apr 21, 2020

@JSpring3 thanks for contacting us.

At the very least your response type should be `token id_token`. I would suggest that you set it to `code` if AWS Cognito supports code+PKCE.

  • Do you see any error on the application console?
  • Does the login process complete successfully?
  • Have you tried getting the current user from the AuthenticationStateProvider after logging in?
  • Have you tried to retrieve the access token with the IAccessTokenProvider.RequestToken()?

@JSpring3 (Author)

There are no console errors and no error codes in the network tab.
The login is "successful" and redirects to the callback page, but beyond that, no.
The AuthorizeView context is an AuthenticationState.User and displays the "NotAuthorized" block instead of the "Authorized" block. As I stated before (now for the third time), I get a valid access and ID token back, which can be seen in the network tab of Chrome tools. Changing the response type to `token id_token` generates an error.

```razor
<AuthorizeView>
    <Authorized>
        Hello, @context.User.Identity.Name!
        <button class="nav-link btn btn-link" @onclick="BeginSignOut">Log out</button>
    </Authorized>
    <NotAuthorized>
        <a href="authentication/login">Log in</a>
    </NotAuthorized>
</AuthorizeView>
```

@mkArtakMSFT mkArtakMSFT added this to the Next sprint planning milestone Apr 21, 2020
@mkArtakMSFT mkArtakMSFT added investigate and removed area-identity Includes: Identity and providers labels Apr 21, 2020
@javiercn javiercn added the feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly label Apr 21, 2020
@javiercn (Member)

> The login is "successful" and redirects to the callback page but beyond that, no.

Do you mean login-callback or the return URL, like /fetchData? Can you check the contents of the user claims principal? (As well as `AuthenticationStateProvider.GetAuthenticationState()` and `IAccessTokenProvider.RequestAccessToken().TryGetAccessToken(out var token)`.)

It is impossible for us to test third-party providers, so providing us as much information as you can is the best way we can try and help you narrow down what's going on.

@javiercn javiercn added Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. and removed investigate labels Apr 21, 2020
@mkArtakMSFT mkArtakMSFT removed this from the Next sprint planning milestone Apr 24, 2020
@ghost

ghost commented Apr 28, 2020

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment. If it is closed, feel free to comment when you are able to provide the additional information and we will re-investigate.

See our Issue Management Policies for more information.

@brettwinters

Just in case anyone else finds this issue: I can confirm that AWS Cognito works using code flow with Blazor (ironically unlike Azure AD/B2C, which doesn't yet).

```csharp
options.ProviderOptions.Authority = "https://cognito-idp.us-east-2.amazonaws.com/xxxxxxxx/";
options.ProviderOptions.ClientId = "xxxxxxxxx";
options.ProviderOptions.ResponseType = "code";
"openid profile email".Split(' ').ToList().ForEach(scope => options.ProviderOptions.DefaultScopes.Add(scope));
```

@JSpring3 (Author)

> Just in case anyone else finds this issue: I can confirm that AWS Cognito works using code flow with Blazor (ironically unlike Azure AD/B2C, which doesn't yet).
>
> ```csharp
> options.ProviderOptions.Authority = "https://cognito-idp.us-east-2.amazonaws.com/xxxxxxxx/";
> options.ProviderOptions.ClientId = "xxxxxxxxx";
> options.ProviderOptions.ResponseType = "code";
> "openid profile email".Split(' ').ToList().ForEach(scope => options.ProviderOptions.DefaultScopes.Add(scope));
> ```

I'm using the exact same settings as you, but the app doesn't display the user info even though the login was successful. What are you using for a callback URL?

@brettwinters

brettwinters commented May 11, 2020

On Cognito's "App Client Settings" tab I'm using:

```text
Callback URL(s) : https://localhost:xxx/authentication/login-callback
Sign out URL(s) : https://localhost:xxx/authentication/logout-callback
```

xxx = your ports

Oh, one thing I noticed is that refresh tokens aren't supported, so make sure your scopes don't include "offline_access"; otherwise you'll get a 400 from AWS.


When you say "user info" is not displayed? The access_token doesn't include any profile information by default (paste your access_token into jwt.io to check). I'm not an expert, but it seems that Blazor is not fetching the id_token or user_info automatically, even though "code" + "openid" should get the id_token, I think. So I'm fetching these myself (separately) using the access_token and a separate HTTP call.
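Putting the thread's advice together, as an added example that is not code from the issue or from the ASP.NET Core project: a Program.cs that uses the code flow javiercn recommended and the callback URLs brettwinters listed, leaves out offline_access, and fetches profile claims from Cognito's userInfo endpoint with the access token. The region, user pool id, app client id and pool domain are placeholders, and the userInfo endpoint path is assumed from Cognito's hosted UI.

```csharp
// Program.cs of a Blazor WebAssembly app (added example, not from this thread).
// Replaces ResponseType = "token" with the "code" flow and adds a userInfo client.
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.DependencyInjection;

var builder = WebAssemblyHostBuilder.CreateDefault(args);
builder.Services.AddScoped(sp => new HttpClient());
builder.Services.AddScoped<CognitoUserInfoClient>();
builder.Services.AddOidcAuthentication(options =>
{
    // Placeholders: substitute your own region, user pool id and app client id.
    options.ProviderOptions.Authority = "https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/";
    options.ProviderOptions.ClientId = "<app-client-id>";
    // Authorization code flow; the underlying OIDC client applies PKCE to it.
    options.ProviderOptions.ResponseType = "code";
    // Must match "Callback URL(s)" and "Sign out URL(s)" in Cognito's App Client Settings.
    options.ProviderOptions.RedirectUri = "https://localhost:5001/authentication/login-callback";
    options.ProviderOptions.PostLogoutRedirectUri = "https://localhost:5001/authentication/logout-callback";
    // DefaultScopes already contains "openid" and "profile"; never add "offline_access" (Cognito returns 400).
    options.ProviderOptions.DefaultScopes.Add("email");
});
await builder.Build().RunAsync();

// The access token carries no profile claims, so ask Cognito's userInfo endpoint for them.
public sealed class CognitoUserInfoClient
{
    private readonly HttpClient _http;
    private readonly IAccessTokenProvider _tokens;
    public CognitoUserInfoClient(HttpClient http, IAccessTokenProvider tokens)
        => (_http, _tokens) = (http, tokens);

    public async Task<JsonElement?> GetUserInfoAsync()
    {
        var result = await _tokens.RequestAccessToken();
        if (!result.TryGetToken(out var token))
            return null; // not signed in, or an interactive redirect is required
        using var request = new HttpRequestMessage(HttpMethod.Get,
            "https://<pool-domain>.auth.<region>.amazoncognito.com/oauth2/userInfo"); // placeholder domain
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Value);
        using var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadFromJsonAsync<JsonElement>();
    }
}
```

Inject `CognitoUserInfoClient` into the component that renders the user's name and call `GetUserInfoAsync()` inside the `<Authorized>` branch; a `null` result means the user is not signed in.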

@ghost ghost locked as resolved and limited conversation to collaborators Jun 10, 2020