Request for assistance - Blizzard OIDC with Cognito

I’ve spent the last couple of days trying to set up Cognito to use Battle net OIDC. I believe I am most of the way there. I can see, using the Cognito hosted UI, that it authenticates correctly but then fails, presumably while trying to retrieve the token.

The first request is to the Cognito hosted UI: https://<removed>.auth.us-west-2.amazoncognito.com/oauth2/authorize?identity_provider=Blizzard&redirect_uri=https://<my-site-oauth-handler-removed>/oauth&response_type=CODE&client_id=<removed>&scope=openid

Then the next request is to Battle net OIDC as expected: https://us.battle.net/oauth/authorize?client_id=<removed>&redirect_uri=https%3A%2F%2F<removed>.auth.us-west-2.amazoncognito.com%2Foauth2%2Fidpresponse&scope=openid&response_type=code&state=<removed>

Then the code is passed on to the Cognito idpresponse endpoint: https://<removed>.auth.us-west-2.amazoncognito.com/oauth2/idpresponse?code=<removed>&state=<removed>

At this point, if my understanding is correct, Cognito should try to hit the Battle net /oauth/token endpoint and then return the id_token and access_token to my redirect_url. It is at this point that Cognito instead returns an error to my URL: https://<my-site-oauth-handler-removed>/oauth?error_description=Bad+id_token+issuer+oauth.battle.net&error=invalid_request

I may be one of only a handful of people trying to use the Battle net OIDC with Cognito.

My best guess right now is that I haven’t configured Cognito correctly to make the token POST request. It needs to use Basic Authentication with the clientid:password, but I can’t verify whether it’s doing that correctly or not since it’s abstracted away.

Anyway, when I make the request through my app (using Amplify to open the hosted UI), it does return, but with the following:

[ERROR] 51:05.25 OAuth - Error handling auth response. Error: Bad+id_token+issuer+oauth.battle.net
    at OAuth.<anonymous> (OAuth.js:202)
    at step (OAuth.js:52)
    at Object.next (OAuth.js:33)
    at OAuth.js:27
    at tryCallTwo (core.js:45)
    at doResolve (core.js:200)
    at new Promise (core.js:66)
    at __awaiter (OAuth.js:23)
    at OAuth.handleAuthResponse (OAuth.js:181)
    at AuthClass.<anonymous> (Auth.js:1632)

Here is all my relevant Cognito configuration:

OIDC Provider:

  • Provider Name: Blizzard
  • Client ID:
  • Client Secret:
  • Attributes request method: POST
  • Authorize scope: openid
  • Issuer: https://us.battle.net/oauth

App Client:

  • Name:
  • App client id:
  • App client secret: (no secret key)

App Client Settings:

  • Enabled Identity Providers: Blizzard
  • Callback URLs: https:///oauth
  • Sign out URLs: https:///oauth
  • Allowed OAuth Flows:
    • Authorization code grant
    • Implicit grant
  • Allowed OAuth Scopes
    • email
    • openid
    • aws.cognito.signin.user.admin
    • profile
  • (I’ve tried every variation of these and it doesn’t appear to change the outcome)

Federated Identity:

  • Authentication providers
    • OpenID
      • us.battle.net/oauth

IAM Identity Providers:

  • Provider Name: us.battle.net/oauth
  • Provider Type: OIDC
  • Provider URL: us.battle.net/oauth
  • CA Thumbprint:
  • Audience: [my battle net client id]

I have exhausted my own resources and am asking for any guidance on this.

Thanks!

Follow-up thread: Battle net oauth id_tokens are signed with incorrect iss
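A diagnostic for the error quoted above, added here as an example and not part of the original post or of Cognito: decode the id_token payload and compare its iss claim with the Issuer URL configured on the Cognito OIDC provider. The sample token is constructed from the claim value shown in the error text, and the exact-string comparison is an assumption about how the check is performed.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying the signature.
    Diagnostic use only: claims from an unverified token must not be trusted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def check_issuer(id_token: str, configured_issuer: str) -> dict:
    """Compare the token's iss claim with the issuer configured on the IdP.
    Assumption: an exact string match, as the 'Bad id_token issuer' text suggests."""
    iss = decode_claims(id_token).get("iss")
    return {
        "token_iss": iss,
        "configured_issuer": configured_issuer,
        "match": iss == configured_issuer,
    }


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token (alg "none", empty signature) so the check runs offline.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed claims: iss taken from the error message, other values are placeholders.
SAMPLE_TOKEN = make_unsigned_token(
    {"iss": "oauth.battle.net", "sub": "12345", "aud": "client-id-placeholder"}
)

if __name__ == "__main__":
    # Reproduces the mismatch between the token and the configured Issuer.
    print(check_issuer(SAMPLE_TOKEN, "https://us.battle.net/oauth"))
```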