I’ve spent the last couple of days trying to set up Cognito to use Battle net OIDC. I believe I am most of the way there. I can see, using the Cognito hosted UI, that it authenticates correctly but then fails, presumably while trying to retrieve the token.
The first request to cognito hosted UI: https://<removed>.auth.us-west-2.amazoncognito.com/oauth2/authorize?identity_provider=Blizzard&redirect_uri=https://<my-site-oauth-handler-removed>/oauth&response_type=CODE&client_id=<removed>&scope=openid
Then the next request is to Battle net OIDC as expected: https://us.battle.net/oauth/authorize?client_id=<removed>&redirect_uri=https%3A%2F%2F<removed>.auth.us-west-2.amazoncognito.com%2Foauth2%2Fidpresponse&scope=openid&response_type=code&state=<removed>
Then the code is passed onto the cognito idpresponse: https://<removed>.auth.us-west-2.amazoncognito.com/oauth2/idpresponse?code=<removed>&state=<removed>
At this point, if my understanding is correct, Cognito should try to hit the Battle net /oauth/token endpoint and then return the id_token and access_token to my redirect_url. It is at this point that Cognito instead returns an error to my URL: https://<my-site-oauth-handler-removed>/oauth?error_description=Bad+id_token+issuer+oauth.battle.net&error=invalid_request
I may be one of a handful trying to use the battle net OIDC with Cognito.
My best guess right now is that I haven’t configured Cognito correctly to make the token POST request. It needs to use Basic Authentication with the clientid:password, but I can’t verify whether it’s doing that correctly or not since it’s abstracted away.
Anyway, when I make the request through my app (using Amplify to open the hosted UI), it does return, but with the following:
[ERROR] 51:05.25 OAuth - Error handling auth response. Error: Bad+id_token+issuer+oauth.battle.net
    at OAuth.<anonymous> (OAuth.js:202)
    at step (OAuth.js:52)
    at Object.next (OAuth.js:33)
    at OAuth.js:27
    at tryCallTwo (core.js:45)
    at doResolve (core.js:200)
    at new Promise (core.js:66)
    at __awaiter (OAuth.js:23)
    at OAuth.handleAuthResponse (OAuth.js:181)
    at AuthClass.<anonymous> (Auth.js:1632)
Here is all my relevant Cognito configuration:
OIDC Provider:
- Provider Name: Blizzard
- Client ID:
- Client Secret:
- Attributes request method: POST
- Authorize scope: openid
- Issuer: https://us.battle.net/oauth
App Client:
- Name:
- App client id:
- App client secret: (no secret key)
App Client Settings:
- Enabled Identity Providers: Blizzard
- Callback URLs: https:///oauth
- Sign out URLs: https:///oauth
- Allowed OAuth Flows:
  - Authorization code grant
  - Implicit grant
- Allowed OAuth Scopes:
  - openid
  - aws.cognito.signin.user.admin
  - profile
  - (I’ve tried every variation of these and it doesn’t appear to change the outcome)
Federated Identity:
- Authentication providers:
  - OpenID: us.battle.net/oauth
  - OpenID:
IAM Identity Providers:
- Provider Name: us.battle.net/oauth
- Provider Type: OIDC
- Provider URL: us.battle.net/oauth
- CA Thumbprint:
- Audience: [my battle net client id]
I have exhausted my own resources and am asking for any guidance with this.
Thanks!
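As an added example (not from the original post, and not AWS or Blizzard code), the following Python script mirrors the check behind the error quoted above: an OIDC relying party such as Cognito compares the `iss` claim inside the returned id_token with the issuer string it was configured with, and the post shows the configured issuer as https://us.battle.net/oauth while the error names oauth.battle.net. The script builds a constructed HS256-signed token (real provider tokens are signed with the provider's own keys), decodes its claims without verifying the signature so they can be inspected, performs the exact-string issuer comparison, derives the discovery URL a relying party uses to look up the issuer's metadata, and shows the HTTP Basic header that a token-endpoint request carries. Every token, key, client id and secret here is a constructed placeholder; `CONFIGURED_ISSUER` is the only value taken from the post.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote

# Issuer exactly as it appears in the Cognito OIDC provider configuration in the post.
CONFIGURED_ISSUER = "https://us.battle.net/oauth"


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    """Reverse of b64url_encode; re-adds the padding base64 expects."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_id_token(issuer: str, audience: str,
                              key: bytes = b"constructed-demo-key") -> str:
    """Build a constructed HS256 id_token for the demo only (assumed values, not a real token)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "sub": "constructed-subject",
              "iat": 1700000000, "exp": 4102444800}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_claims(id_token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature; diagnostic inspection only."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def check_issuer(id_token: str, configured_issuer: str) -> tuple:
    """Relying-party issuer check: the iss claim must equal the configured issuer byte-for-byte.
    No scheme, host or trailing-slash normalisation is applied, so any difference is a failure."""
    iss = decode_claims(id_token).get("iss")
    if iss != configured_issuer:
        return (False, f"Bad id_token issuer {iss}")
    return (True, "issuer ok")


def discovery_url(issuer: str) -> str:
    """Where a relying party fetches the provider metadata (OpenID Connect Discovery 1.0):
    the issuer value plus /.well-known/openid-configuration. The document's own `issuer`
    field is what the id_token's iss claim has to match."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def token_request_headers(client_id: str, client_secret: str) -> dict:
    """HTTP Basic client authentication for the token endpoint (RFC 6749 section 2.3.1):
    form-urlencode id and secret, join with ':', base64-encode the result."""
    credential = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    return {
        "Authorization": "Basic " + base64.b64encode(credential).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }


if __name__ == "__main__":
    # Constructed token whose iss host mirrors the one named in the post's error message.
    mismatched = make_constructed_id_token("https://oauth.battle.net", "constructed-client-id")
    print(check_issuer(mismatched, CONFIGURED_ISSUER))
    matched = make_constructed_id_token(CONFIGURED_ISSUER, "constructed-client-id")
    print(check_issuer(matched, CONFIGURED_ISSUER))
    print(discovery_url(CONFIGURED_ISSUER))
    print(token_request_headers("constructed-client-id", "constructed-secret"))
```

The useful diagnostic step this enables is to fetch the discovery document for the configured issuer and compare its `issuer` field with the `iss` claim of an id_token captured from the provider; the relying party's comparison is an exact string match, so scheme, host and path all have to agree. The Basic header builder shows what the token request must carry when the provider requires client_secret_basic, which is the part of the flow the post says is abstracted away.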