AWS Cognito: where is the metadata URL of Cognito User Pool?
I'm trying to use AWS Cognito as an authorizer for my REST API in AWS API Gateway.
It asks me to fill in the Issuer URL:
Digging through the AWS Cognito User Pool page, there is no such thing.
I found a related answer here: AWS: Cognito integration with a beta HTTP API in API Gateway? and I quote:
Issuer URL: Check the metadata URL of your Cognito User Pool
(construct the URL in this format :: https://cognito-idp.
[region].amazonaws.com/[userPoolId]/.well-known/openid-configuration
:: look for a claim named "issuer". Copy its Value and paste it here.
I can of course build the url as said above.
But still, where is the metadata URL of my Cognito User Pool????
Am I missing something really basic and being absolutely silly by asking this question?
Where is it??
This is driving me crazy.
The issuer URL of a Cognito User Pool has the following format:
https://cognito-idp.[region].amazonaws.com/[userPoolId]
As you stated correctly, you can get it from Cognito's well-known metadata endpoint, which is available at
https://cognito-idp.[region].amazonaws.com/[userPoolId]/.well-known/openid-configuration
This file is JSON-formatted and contains an issuer field, which contains the URL mentioned above. The whole file looks like this:
{
"authorization_endpoint":"https://cognito-idp.[region].amazonaws.com/[userPoolId]/authorize",
"id_token_signing_alg_values_supported":[
"RS256"
],
"issuer":"https://cognito-idp.[region].amazonaws.com/[userPoolId]",
"jwks_uri":"https://cognito-idp.[region].amazonaws.com/[userPoolId]/.well-known/jwks.json",
"response_types_supported":[
"code",
"token"
],
"scopes_supported":[
"openid",
"email",
"phone",
"profile"
],
"subject_types_supported":[
"public"
],
"token_endpoint":"https://cognito-idp.[region].amazonaws.com/[userPoolId]/token",
"token_endpoint_auth_methods_supported":[
"client_secret_basic",
"client_secret_post"
],
"userinfo_endpoint":"https://cognito-idp.[region].amazonaws.com/[userPoolId]/userInfo"
}
- AWS Cloudwatch agent config file removed after startup
- AWS lambda SQS does not allow to process 1 message per 1 invocation
- How can I create a TLS/SSL connection to a mongodb instance on AWS with a certificate made by certificate manager? Health check failed
- Cloudfront redirect when signed cookies not present
- AWS Lambda and DynamoDB - updatetItem is not a function
- AWS ElasticBeanstalk EC2 Termination Protection
- Allowing AWS Cognito Users to authentication to JIRA via SAML/SSO (Domain Not found)
- Install pgAgent on AWS RDS for Postgres
- Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect)
- List all parameters in AWS SSM Parameter Store
- AWS push_down_predicate not working with DynamoDb
- localstack AWS S3 javascript error : getaddrinfo ENOTFOUND bucketname.localhost
- AWS ECS agent won't start
- AWS VPC (Virtual Private Cloud), rapidly increasing expenses
- SemaphoreCI OIDC AWS connection
- Can't delete AWS internet Gateway
- How to provide multiple StringNotEquals conditions in AWS policy?
- Not able to get ECS fargate metrics on Datadog
- 502 "Internal Server Error" with API Gateway + Lambda when deploying
- Java Springboot application not able to connect to AWS Elasticache Valkey Cache (Serverless)
- Splitting PDF with PyPDF2 in Lambda function
- "libdbus-glib-1.so.2: cannot open shared object file: No such file or directory"
- Partial credentials found in env, missing: AWS_SECRET_ACCESS_KEY
- Best way to store Firebase admin private key file for AWS lambda
- AWS Elastic Beanstalk and Secret Manager
- Unable to upload data using sagemaker_session.upload_data in s3 bucket that I created, it is getting stored in default s3 bucket
- Parse Aws IoT message in python
- How to temporarily switch profiles for AWS CLI?
- Python Sqlalchemy insert data into AWS Redshift
- Using AWS Bedrock Prompt Management with InvokeCommand