I've done the below:
I've created a new user pool with 1 app client.
I've set the callback URL of my app client to https://my-domain/oauth2/idpresponse
I've added Okta as a SAML identity provider for Cognito
When I navigate to `https://my-domain/my-app`, I'm correctly redirected to the Cognito login page. After successful authentication through the Cognito login page, I'm redirected to my application home page.

However, despite `response_type=code` being set in the Cognito URL indicating that an auth code should be appended to my URL upon successful login, this isn't happening. The page `https://my-domain/oauth2/idpresponse?code=code-I-need` is accessed but then bypassed, leading directly to my application page without the auth code appended.

I attempted to change the callback URL to `https://my-domain/my-app` for my app client, but this resulted in a `redirect_mismatch` error in Cognito. It appears that `oauth2/idpresponse` must be included in the callback.

I manually modified the Cognito URL `redirect_uri` variable to `redirect_uri=https://my-domain/my-app`, which worked. I landed on my app page with the URL `https://my-domain/my-app?code=code-I-need`.

However, I've had to keep both callback URLs in my app client:
`https://my-domain/oauth2/idpresponse`
`https://my-domain/my-app`

How can I set `https://my-domain/my-app` as the default `redirect_uri` variable in the Cognito URL without having to manually change it?
TLDR: ensure you generate a new URL for logging in via the View Hosted UI button after making changes to the callback URL(s) for your app client
> I attempted to change the callback URL to `https://my-domain/my-app` for my app client, but this resulted in a `redirect_mismatch` error in Cognito. It appears that `oauth2/idpresponse` must be included in the callback.

There are no requirements for you to have `oauth2/idpresponse` in your app client's allowed callback URLs. As the docs mention, the `oauth2/idpresponse` and `saml/idpresponse` endpoints are used by Cognito for handling the responses from OpenID Connect (OIDC) and SAML identity providers (IdPs). They're there to manage the relationship between Cognito and the IdP and have nothing to do with your app client; feel free to remove that callback URL as it's not needed.

The `redirect_uri` mismatch error indicates that the callback URL that was provided to the `/oauth2/authorize` Cognito endpoint, in the form of the `redirect_uri` query parameter, didn't match a callback URL allowed in the app client config.

When using the Cognito hosted UI via the View Hosted UI button, the URL is auto-generated for you. This URL contains the redirect URL, set to the first (or only) allowed callback URL. When you change the allowed callback URLs (or any other value that is in the login endpoint URL, e.g. scopes), you can't just use the old URL and need to re-click the button to generate a new URL.

You're most likely still using the old URL with the `redirect_uri` set to the no-longer-allowed `https://my-domain/oauth2/idpresponse` value and not the new `https://my-domain/my-app` URL.
Make sure that after making changes to the allowed callback URLs, you're not just refreshing the old login URL but generate a new URL using the View Hosted UI button.
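To make the mechanism behind the `redirect_mismatch` error concrete, here is an added example (not code from the question or answer above) that builds the same `/oauth2/authorize` URL the View Hosted UI button generates, applies Cognito's exact-match rule for `redirect_uri` against the app client's allowed callbacks, and reads the `code` back out of the callback URL. The domain, client id and callback URLs are constructed placeholders.

```python
"""Added example: Cognito hosted-UI login URL, the redirect_uri check that
produces redirect_mismatch, and auth-code extraction from the callback.
All configuration values below are constructed placeholders."""
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample app-client configuration (placeholders, not real values).
COGNITO_DOMAIN = "https://example-pool.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
# After removing oauth2/idpresponse from the app client, only the app URL remains.
ALLOWED_CALLBACKS = ["https://my-domain/my-app"]


def build_login_url(domain, client_id, redirect_uri, scopes=("openid",), state=None):
    """Assemble the authorization-code-flow login URL.

    The redirect_uri baked into this URL is what Cognito compares against the
    app client's allowed callback list, so a URL generated before a callback
    change still carries the old, now-disallowed redirect_uri."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
    }
    if state:
        params["state"] = state
    return f"{domain}/oauth2/authorize?{urlencode(params)}"


def redirect_uri_allowed(login_url, allowed_callbacks):
    """Replicate the check behind the redirect_mismatch error: the redirect_uri
    query parameter must exactly equal one allowed callback (no prefix match,
    no trailing-slash tolerance)."""
    query = parse_qs(urlsplit(login_url).query)
    redirect_uri = query.get("redirect_uri", [None])[0]
    return redirect_uri is not None and redirect_uri in allowed_callbacks


def extract_auth_code(callback_url, expected_state=None):
    """Read ?code=... from the URL Cognito sends the browser back to.

    Returns None when no code is present or when a state value was expected
    and the returned state does not match it (the client should reject that
    response rather than exchange the code)."""
    query = parse_qs(urlsplit(callback_url).query)
    code = query.get("code", [None])[0]
    state = query.get("state", [None])[0]
    if expected_state is not None and state != expected_state:
        return None
    return code


if __name__ == "__main__":
    stale = build_login_url(COGNITO_DOMAIN, CLIENT_ID, "https://my-domain/oauth2/idpresponse")
    fresh = build_login_url(COGNITO_DOMAIN, CLIENT_ID, "https://my-domain/my-app", state="xyz")
    print("stale URL allowed:", redirect_uri_allowed(stale, ALLOWED_CALLBACKS))
    print("fresh URL allowed:", redirect_uri_allowed(fresh, ALLOWED_CALLBACKS))
    print("code:", extract_auth_code("https://my-domain/my-app?code=code-I-need&state=xyz", "xyz"))
```

Regenerating the login URL after a callback change is exactly the step `build_login_url` stands in for: the stale URL fails `redirect_uri_allowed` because it still names `oauth2/idpresponse`, while the freshly built one passes.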