Using Ory as an OIDC provider for AWS Cognito

[adriantomas]

I am trying to use Ory Network as an OIDC provider for AWS Cognito.

I have managed to configure the OAuth2 client in Ory Network and link it from AWS Cognito. The login process goes smoothly but when returning the response to Cognito, I get the following error:

error_description=attributes+required%3A+%5Bgiven_name%2C+family_name%5D&error=invalid_request.

The error indicates that certain attributes required for the user profile in Cognito could not be returned by the OIDC Connect.

My identity schema is as follows:

{
  "$id": "https://schemas.ory.sh/presets/kratos/identity.email.schema.json",
  "title": "Person",
  "type": "object",
  "properties": {
    "traits": {
      "type": "object",
      "properties": {
        "email": {
          "type": "string",
          "format": "email",
          "title": "E-Mail",
          "ory.sh/kratos": {
            "credentials": {
              "password": {
                "identifier": true
              },
              "webauthn": {
                "identifier": true
              },
              "totp": {
                "account_name": true
              }
            },
            "recovery": {
              "via": "email"
            },
            "verification": {
              "via": "email"
            }
          },
          "maxLength": 320
        },
        "name": {
          "type": "string",
          "title": "First name",
          "maxLength": 256
        },
        "family_name": {
          "type": "string",
          "title": "Last name",
          "maxLength": 256
        }
      },
      "required": [
        "email",
        "name",
        "family_name"
      ],
      "additionalProperties": false
    }
  }
}

My attribute mapping from Cognito is as follows:

The configuration returned by /.well-known/openid-configuration is as follows:

{
  "issuer": "https://foo.projects.oryapis.com",
  "authorization_endpoint": "https://foo.projects.oryapis.com/oauth2/auth",
  "token_endpoint": "https://foo.projects.oryapis.com/oauth2/token",
  "jwks_uri": "https://foo.projects.oryapis.com/.well-known/jwks.json",
  "subject_types_supported": [
    "public"
  ],
  "response_types_supported": [
    "code",
    "code id_token",
    "id_token",
    "token id_token",
    "token",
    "token id_token code"
  ],
  "claims_supported": [
    "sub",
    "name",
    "family_name"
  ],
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "client_credentials",
    "refresh_token"
  ],
  "response_modes_supported": [
    "query",
    "fragment"
  ],
  "userinfo_endpoint": "https://foo.projects.oryapis.com/userinfo",
  "scopes_supported": [
    "offline_access",
    "offline",
    "openid",
    "profile",
    "email"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic",
    "private_key_jwt",
    "none"
  ],
  "userinfo_signing_alg_values_supported": [
    "none",
    "RS256"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "id_token_signed_response_alg": [
    "RS256"
  ],
  "userinfo_signed_response_alg": [
    "RS256"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "claims_parameter_supported": false,
  "revocation_endpoint": "https://foo.projects.oryapis.com/oauth2/revoke",
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "end_session_endpoint": "https://foo.projects.oryapis.com/oauth2/sessions/logout",
  "request_object_signing_alg_values_supported": [
    "none",
    "RS256",
    "ES256"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ]
}

My Ory OAuth2 client configuration is as follows:

{
  "allowed_cors_origins": [],
  "client_id": "foo",
  "client_name": "foo",
  "client_secret_expires_at": 0,
  "client_uri": "",
  "created_at": "2023-06-13T12:51:26Z",
  "grant_types": [
    "authorization_code"
  ],
  "jwks": {},
  "logo_uri": "",
  "metadata": {},
  "owner": "",
  "policy_uri": "",
  "redirect_uris": [
    "https://acme-cognito-domain/oauth2/idpresponse"
  ],
  "response_types": [
    "code"
  ],
  "scope": "openid profile",
  "subject_type": "public",
  "token_endpoint_auth_method": "client_secret_post",
  "tos_uri": "",
  "updated_at": "2023-06-14T08:19:27.898614Z",
  "userinfo_signed_response_alg": "none"
}

I wonder what I am doing wrong to not get the Ory user attributes returned as claims to Cognito.

[kmherrmann]

Thanks for the report. We've added support for OIDC Profile scopes via Account Experience, which is on the way to production and slated to roll out next week!