Tags: oauth, amazon-cognito, openid-connect, openid

AWS Cognito with OpenID Connect IDP


I am trying to connect AWS Cognito with an OpenID Connect Provider provided by ADFS. I am using the scopes email openid profile.

In Cognito I have set up the connection and authorization is working. I can log in and get redirected to my callback URI. But the application called at this address says that the email attribute is missing:

ErrorResponse: attributes required: [email]

What do I need to configure in Cognito to resolve this? Do I have to do some custom attribute mapping? Is there any way to debug this?


Solution

  • You need to configure attribute mapping for the OIDC provider. See step 3 of my blog post for how this looks.

    My example setup uses Okta as the OIDC provider. The post also has some further info on the HTTP messages used and potential issues with matching up users.
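As an added example (not code from the question, the answer, or the linked blog post), the following Python helper shows the two things the answer implies you need: a way to see which claims the IdP actually sent, and a check that the Cognito attribute mapping covers every required user pool attribute. The ID token below is constructed locally with no signature, and the ADFS claim names used in it (for example `upn`) are an assumption about that deployment, not something the page states. `update_identity_provider_kwargs` only builds the arguments for boto3's `cognito-idp` `update_identity_provider` call; it does not call AWS.

```python
"""Debugging helper for Cognito OIDC attribute mapping.

Added example; not part of the original question or answer.
"""
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(payload: dict) -> str:
    """Build an alg=none JWT for local testing only (constructed test data, never for real use)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying its signature.

    This is only for inspecting which claims the IdP returned; Cognito verifies the
    signature itself, and you must never make trust decisions on an unverified token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS/JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_required_attributes(required: list, mapping: dict, claims: dict) -> list:
    """Return user pool attributes Cognito cannot populate from the IdP response.

    mapping: {cognito_attribute: idp_claim_name}, the same shape as Cognito's AttributeMapping.
    claims:  decoded ID token (or userinfo) claims from the IdP.
    An attribute is missing when it has no mapping entry or the mapped claim is absent/empty.
    """
    missing = []
    for attr in required:
        claim = mapping.get(attr)
        if claim is None or claims.get(claim) in (None, ""):
            missing.append(attr)
    return missing


def update_identity_provider_kwargs(user_pool_id: str, provider_name: str, mapping: dict) -> dict:
    """Keyword arguments for boto3.client('cognito-idp').update_identity_provider (not called here)."""
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": provider_name,
        "AttributeMapping": dict(mapping),
    }


# Constructed sample claims. Claim names such as "upn" are an assumption about
# what an ADFS-backed OIDC provider might emit; they are not taken from the page.
CLAIMS_NO_EMAIL = {"sub": "S-1-5-21-1234-5678", "upn": "jdoe@corp.example", "name": "Jane Doe"}
CLAIMS_WITH_EMAIL = dict(CLAIMS_NO_EMAIL, email="jdoe@corp.example")
REQUIRED = ["email"]  # the attribute the error message complained about

# Cognito cannot map "email" until the provider has an explicit mapping for it.
MAPPING_MISSING = {"username": "sub"}
MAPPING_FIXED = {"username": "sub", "email": "email"}
# If the IdP never sends "email" but does send "upn", map email to that claim instead.
MAPPING_FROM_UPN = {"username": "sub", "email": "upn"}


if __name__ == "__main__":
    token = make_unsigned_jwt(CLAIMS_NO_EMAIL)
    claims = decode_jwt_payload(token)
    print("claims returned by IdP:", sorted(claims))
    for label, mapping in (("no mapping", MAPPING_MISSING), ("map email->upn", MAPPING_FROM_UPN)):
        print(label, "-> missing:", missing_required_attributes(REQUIRED, mapping, claims))
    print(update_identity_provider_kwargs("eu-west-1_EXAMPLE", "ADFS", MAPPING_FROM_UPN))
```

Run it against the real ID token from your callback (copied from the browser or a proxy) in place of the constructed one to see exactly which claims ADFS returned; if the mapped claim is not in that list, the fix is on the ADFS side (claim issuance rules or scope), not in Cognito.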