Tags: java, amazon-web-services, spring-boot, oauth-2.0, amazon-cognito

SpringBoot + AWS Cognito, can't resolve issuerUri

I wanted to create a sample Spring Boot application using AWS Cognito for authorization. I was following several tutorials but always ended up with the same error.

When I run the application, I get:

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.WebSecurityConfiguration': Unsatisfied dependency expressed through field 'httpSecurity': Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.HttpSecurityConfiguration': Unsatisfied dependency expressed through method 'setContentNegotiationStrategy' parameter 0: Error creating bean with name 'org.springframework.boot.autoconfigure.web.servlet.WebMvcAutoConfiguration$EnableWebMvcConfiguration': Unsatisfied dependency expressed through method 'setConfigurers' parameter 0: Error creating bean with name 'org.springframework.security.config.annotation.web.configuration.OAuth2ClientConfiguration$OAuth2ClientWebMvcSecurityConfiguration': Unsatisfied dependency expressed through method 'setAuthorizedClientManager' parameter 0: Error creating bean with name 'OAuth2AuthorizedClientManager': Failed to instantiate [org.springframework.security.oauth2.client.OAuth2AuthorizedClientManager]: Factory method 'getAuthorizedClientManager' threw exception with message: Error creating bean with name 'clientRegistrationRepository' defined in class path resource [org/springframework/boot/autoconfigure/security/oauth2/client/servlet/OAuth2ClientRegistrationRepositoryConfiguration.class]:Failed to instantiate [org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository]: Factory method 'clientRegistrationRepository' threw exception with message: Unable to resolve Configuration with the provided Issuer of "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_9EmaXexYM/.well-known/openid-configuration"

This seems weird to me because when I access the URL https://cognito-idp.us-east-1.amazonaws.com/us-east-1_9EmaXexYM/.well-known/openid-configuration directly in the browser, I get a response with all the information. What could be the problem?

My application.yml:

spring:
  security:
    oauth2:
      client:
        registration:
          cognito:
            clientName: SpringBootApp
            client-secret: 11iflp3rhfuj9veomalbsvoi5url4vhu3r39in5l1jo0btsac48s
            redirect-uri: 'http://localhost:8080/login/oauth2/code/cognito'
            client-id: 3ai0tn07c5smcn00d963670rsf
            scope: openid
            authorization-grant-type: authorization_code
        provider:
          cognito:
            issuerUri: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_9EmaXexYM/.well-known/openid-configuration

Solution

  • In Spring configuration, the issuer-uri is to be set with the Issuer Identifier, not with the OIDC discovery URI.

    As a reminder:

    According to the OIDC discovery URI you provide and to the configuration it exposes, your Issuer Identifier is https://cognito-idp.us-east-1.amazonaws.com/us-east-1_9EmaXexYM.

    So, remove that /.well-known/openid-configuration suffix from the issuer-uri value in your conf.
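Added example (not part of the question or the answer, and not Spring Security's own code): a small Python simulation of what an OIDC client does with the configured issuer-uri. It appends /.well-known/openid-configuration to the Issuer Identifier (OpenID Connect Discovery 1.0), falls back to the RFC 8414 /.well-known/oauth-authorization-server form, and then requires the `issuer` field of the returned document to equal the configured value. The discovery document and the `offline_fetch` stand-in for HTTP are constructed here so the script runs offline; the user pool issuer is the one from the question, while the `amazoncognito.com` endpoint hosts are placeholders.

```python
"""Simulate issuer-uri resolution: Issuer Identifier -> discovery URL -> validated metadata.

Illustrative example only; the discovery document below is constructed, not fetched.
"""
import json
from urllib.parse import urlparse, urlunparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Issuer Identifier of the user pool from the question (no well-known suffix).
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_9EmaXexYM"

# Constructed discovery document; endpoint hosts are placeholders.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/token",
    "jwks_uri": ISSUER + "/.well-known/jwks.json",
})


def oidc_discovery_url(issuer_uri: str) -> str:
    """OpenID Connect Discovery: append the well-known suffix to the issuer's path."""
    parts = urlparse(issuer_uri)
    path = parts.path.rstrip("/") + WELL_KNOWN
    return urlunparse(parts._replace(path=path, query="", fragment=""))


def oauth2_metadata_url(issuer_uri: str) -> str:
    """RFC 8414 fallback: insert the well-known segment before the issuer's path."""
    parts = urlparse(issuer_uri)
    path = "/.well-known/oauth-authorization-server" + parts.path.rstrip("/")
    return urlunparse(parts._replace(path=path, query="", fragment=""))


def validate_metadata(issuer_uri: str, metadata_json: str) -> dict:
    """Parse the document and reject it unless its 'issuer' equals the configured value.

    This check is what stops a client from trusting metadata (and later tokens)
    from an issuer other than the one it was configured for.
    """
    metadata = json.loads(metadata_json)
    if metadata.get("issuer") != issuer_uri:
        raise ValueError(
            f"issuer mismatch: configured {issuer_uri!r}, document says {metadata.get('issuer')!r}"
        )
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if key not in metadata:
            raise ValueError(f"discovery document lacks required field {key!r}")
    return metadata


def offline_fetch(url: str):
    """Stand-in for HTTP GET: only the correct discovery URL exists in this toy server."""
    return {ISSUER + WELL_KNOWN: SAMPLE_DISCOVERY_DOC}.get(url)


def resolve(issuer_uri: str, fetch) -> dict:
    """Resolve a configured issuer-uri: try OIDC discovery, then the RFC 8414 form."""
    tried = []
    for url in (oidc_discovery_url(issuer_uri), oauth2_metadata_url(issuer_uri)):
        tried.append(url)
        body = fetch(url)
        if body is not None:
            return validate_metadata(issuer_uri, body)
    raise LookupError(f"Unable to resolve configuration for issuer {issuer_uri!r}; tried {tried}")


if __name__ == "__main__":
    # The value from the question's application.yml: the suffix gets appended twice.
    wrong = ISSUER + WELL_KNOWN
    try:
        resolve(wrong, offline_fetch)
    except LookupError as exc:
        print("wrong issuer-uri:", exc)
    metadata = resolve(ISSUER, offline_fetch)
    print("correct issuer-uri -> token_endpoint:", metadata["token_endpoint"])
```

With the question's value, the client asks for `.../.well-known/openid-configuration/.well-known/openid-configuration`, which does not exist, so resolution fails before the issuer check even runs; and had it been fetched, the document's `issuer` would still not match the configured string.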