Tags: amazon-web-services, amazon-cognito, redirect-uri

redirect_mismatch error / no auth code after updating callback URL for Cognito app client


I've done the below:

  • I've created a new user pool with 1 app client.

  • I've set the callback URL of my app client to https://my-domain/oauth2/idpresponse

  • I've added Okta as a SAML identity provider for Cognito

When I navigate to https://my-domain/my-app, I'm correctly redirected to the Cognito login page. After successful authentication through the Cognito login page, I'm redirected to my application home page.

However, despite response_type=code being set in the Cognito URL indicating that an auth code should be appended to my URL upon successful login, this isn't happening.

The page https://my-domain/oauth2/idpresponse?code=code-I-need is accessed but then bypassed, leading directly to my application page without the auth code appended.

I attempted to change the callback URL to https://my-domain/my-app for my app client, but this resulted in a redirect_mismatch error in Cognito. It appears that oauth2/idpresponse must be included in the callback.

I manually modified the Cognito URL redirect_uri variable to redirect_uri=https://my-domain/my-app, which worked. I landed on my app page with the URL https://my-domain/my-app?code=code-I-need.

However, I've had to keep both callback URLs in my app client:

  • https://my-domain/oauth2/idpresponse
  • https://my-domain/my-app

How can I set https://my-domain/my-app as the default redirect_uri variable in the Cognito URL without having to manually change it?


Solution

  • TLDR: ensure you generate a new URL for logging in via the View Hosted UI button after making changes to the callback URL(s) for your app client


    I attempted to change the callback URL to https://my-domain/my-app for my app client, but this resulted in a redirect_mismatch error in Cognito. It appears that oauth2/idpresponse must be included in the callback.

    There are no requirements for you to have oauth2/idpresponse in your app client's allowed callback URLs. As the docs mention, the oauth2/idpresponse and saml/idpresponse are endpoints that Cognito uses for handling the responses from OpenID Connect (OIDC) and SAML identity providers (IdPs). They're there to manage the relationship between Cognito & the IdP and have nothing to do with your app client - feel free to remove that callback URL as it's not needed.

    The redirect_uri mismatch error indicates that the callback URL that was provided to the /oauth2/authorize Cognito endpoint, in the form of the redirect_uri query parameter, didn't match a callback URL allowed in the app client config.

    When using the Cognito hosted UI via the View Hosted UI button, the URL is auto-generated for you. This URL contains the redirect URL, set to the first (or only) allowed callback URL. When you change the allowed callback URLs (or any other value that is in the login endpoint URL, e.g. scopes), you can't just use the old URL and need to re-click the button to generate a new URL.

    You're most likely still using the old URL with the redirect_uri set to the no-longer-allowed https://my-domain/oauth2/idpresponse value and not the new https://my-domain/my-app URL.

    Make sure that after making changes to the allowed callback URL, you're not just refreshing the old login URL but generating a new one using the View Hosted UI button.
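To make the answer's point concrete, here is an added example (not code from the question, the answer, or AWS) that builds a hosted-UI login URL with redirect_uri set to the first allowed callback, then checks a login URL against the app client's allow-list the way a redirect_mismatch arises. The hosted-UI domain and client id are placeholders, and the allow-list check is modelled as an exact string comparison, which is an assumption made for this example.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholders for this example; not a real domain or client id.
HOSTED_UI_DOMAIN = "https://example-prefix.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"


def build_login_url(allowed_callbacks, scope="openid"):
    """Build a /oauth2/authorize URL the way the answer describes the
    View Hosted UI button doing it: redirect_uri is the first allowed callback."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": scope,
        "redirect_uri": allowed_callbacks[0],
    }
    return f"{HOSTED_UI_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def check_redirect_uri(login_url, allowed_callbacks):
    """Return 'ok' if the redirect_uri in login_url is on the allow-list,
    otherwise 'redirect_mismatch'. Exact string match is assumed here:
    no normalisation of trailing slashes, case or query strings."""
    query = parse_qs(urlparse(login_url).query)
    redirect_uri = query.get("redirect_uri", [None])[0]
    if redirect_uri is None or redirect_uri not in allowed_callbacks:
        return "redirect_mismatch"
    return "ok"


# Walk-through of the question: URL generated under the old allow-list,
# then the allow-list is changed without regenerating the URL.
OLD_CALLBACKS = ["https://my-domain/oauth2/idpresponse"]
NEW_CALLBACKS = ["https://my-domain/my-app"]


def demo():
    old_url = build_login_url(OLD_CALLBACKS)  # copied before the change
    new_url = build_login_url(NEW_CALLBACKS)  # regenerated via View Hosted UI
    return {
        "old_url_after_change": check_redirect_uri(old_url, NEW_CALLBACKS),
        "new_url_after_change": check_redirect_uri(new_url, NEW_CALLBACKS),
    }


if __name__ == "__main__":
    print(demo())
```

The stale URL fails the allow-list check and the regenerated one passes; a trailing-slash variant of the callback also fails, which is why the redirect_uri must be copied exactly from the app client settings.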