Tags: amazon-cognito, aws-amplify, okta, federated-identity, pkce

Passing code challenge to Cognito Federated Identity via Amplify [Okta]


I integrated Cognito User Pool with Federated Identity [Okta - as Secure Web Authentication]. The flow works fine with Authorization Code Flow without PKCE (using Amplify with Angular).

Created a similar app as a SPA (in Okta) to enable PKCE and integrated it with Cognito federated identities. When we redirect to the Hosted UI, the challenge is passed to the Hosted UI in the URL.

[Screenshot: Cognito Hosted UI URL with code challenge]

But after it redirects to Okta, it throws this error:

pkce code challenge is required when the token endpoint authentication method is 'none'

Is there any additional configuration required in Cognito to pass the code_challenge to Okta?

I am using Authorization Code flow in Cognito and Okta.

Attaching the configuration in Okta. [Screenshot: Okta configuration for login redirect]

Attaching the configuration in Cognito. [Screenshot: Cognito configuration]


Solution

  • There was a mistake in my understanding. Communication between Cognito & Okta is a service-to-service call, which should be performed as the Client Credentials Grant Flow. There we don't enable PKCE in Okta.

    PKCE is enabled for Client (Web or Mobile App) to Service authentication.

    When we create an App Client without a client secret, Amplify enables PKCE in the frontend.