Question
I'm trying to implement social login using Microsoft account in AWS Cognito User Pools.
I followed documentation and the solution mentioned in this thread:
https://forums.aws.amazon.com/thread.jspa?threadID=287376&tstart=0
My problem is with setting the issuer to allow multiple tenants.
This issuer works only for private accounts:
https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0
This issuer works only for accounts in our directory (tenant): https://login.microsoftonline.com/AZURE_ACTIVE_DIRECTORY/v2.0
This issuer does not work at all. I get bad issuer error or bad request after sign in with Microsoft: https://login.microsoftonline.com/common/v2.0
I need to have one OIDC provider that will work for any Microsoft account (all tenants). Is that even possible?
If I set the issuer tenant to common in the AWS Cognito OIDC config, then this starts the correct Microsoft flow, but I assume the check for the issuer in Cognito fails because Microsoft always returns the specific tenant id inside the JWT token as part of the issuer.
Additional info from Microsoft documentation I have checked:
https://docs.microsoft.com/de-de/azure/active-directory/develop/v2-protocols-oidc
https://docs.microsoft.com/de-de/azure/active-directory/develop/id-tokens
Source: https://stackoverflow.com/questions/64331213/microsoft-oidc-in-aws-cognito-allowing-multiple-tenants
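As an added illustration (not part of the question or any answer on the page), the following Python shows why a single configured issuer of `.../common/v2.0` can never match a Microsoft id token, whose `iss` claim always carries the tenant id, and what a relying party that validates tokens itself would check instead to admit several tenants without trusting all of them. The consumer tenant id is the one quoted in the question; the organisational tenant id and the claim sets are constructed placeholders.

```python
import re

# Issuer shape of Azure AD v2.0 id tokens: the path segment is the tenant id,
# never the literal "common" that was used in the authorization request.
ISSUER_RE = re.compile(r"^https://login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0$")

CONSUMER_TID = "9188040d-6c67-4c5b-b112-36a304b66dad"   # personal accounts (from the question)
ORG_TID = "11111111-2222-3333-4444-555555555555"        # placeholder directory tenant id

# Constructed sample claims, reduced to the fields the issuer check needs.
SAMPLE_CLAIMS = {
    "personal": {"iss": f"https://login.microsoftonline.com/{CONSUMER_TID}/v2.0", "tid": CONSUMER_TID},
    "org":      {"iss": f"https://login.microsoftonline.com/{ORG_TID}/v2.0", "tid": ORG_TID},
    # iss and tid disagree: must be rejected even though both tenants are known.
    "mismatch": {"iss": f"https://login.microsoftonline.com/{ORG_TID}/v2.0", "tid": CONSUMER_TID},
}


def static_issuer_check(claims: dict, configured_issuer: str) -> bool:
    """Exact string comparison against the one configured issuer, which is what
    OIDC requires of a relying party. A configured '/common/' issuer never matches."""
    return claims.get("iss") == configured_issuer


def multi_tenant_issuer_check(claims: dict, allowed_tenants: set) -> bool:
    """Accept tokens from several tenants without accepting every tenant:
    the issuer must have the tenant-specific shape, the tenant id inside it
    must equal the tid claim, and that tenant must be explicitly allow-listed.
    Signature verification against the tenant's keys is assumed to happen first."""
    m = ISSUER_RE.match(claims.get("iss", ""))
    if m is None:
        return False
    tenant = m.group(1)
    return tenant == claims.get("tid") and tenant in allowed_tenants


if __name__ == "__main__":
    common = "https://login.microsoftonline.com/common/v2.0"
    for name, c in SAMPLE_CLAIMS.items():
        print(f"{name:9} static(common)={static_issuer_check(c, common)} "
              f"multi_tenant={multi_tenant_issuer_check(c, {CONSUMER_TID, ORG_TID})}")
```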