
Connecting XUMM as an OpenID Connect provider on AWS Cognito

I'm trying to use XUMM as an OpenID Connect provider with AWS Cognito. I'm hoping someone can provide some guidance on my integration.

I think my integration is 90% of the way there but am getting this error when attempting to grant the authorizationCode: invalid_token_signature: Could not match the desired key identifier within the list of keys at OAuth.

The flow to get there:
User clicks Sign in →
this triggers Auth.federatedSignIn({ customProvider: 'xumm' }) →
the page gets redirected to xumm.app/sign/abc1234 →
the user signs the transaction using Xumm →
redirects back to domain.region.amazoncognito.com/oauth2/idpresponse?authorization_code=anAuthorizationCode… etc. →
Amazon Cognito then tries to grant a token with the authorization code and fails to do so with the above error.

Using Cognito, I set up a user pool and created an identity provider using OpenID Connect.
In the identity provider config, I provided the Client ID and Secret, set the Attributes request method to GET, set openid as the authorize scope and provided https://oauth2.xumm.app as the issuer.

After I set up the identity provider, I configured an app client with the identity provider from the previous step, with the callback URL set to http://localhost:3000. I also enabled Authorization code grant and Implicit grant as the allowed "OAuth Flows" and set openid as the "Allowed OAuth Scopes".

In the federated identities dashboard, I have configured an identity pool. Under the OpenID section I have enabled an authentication provider with oauth2.xumm.app as the domain and the ARN pointing to an IAM which is connected to an audience set as my XUMM API key with a valid thumbprint.

In the application (React app), I configure aws-amplify with the following information:
{
  "aws_project_region": "my-aws-region",
  "aws_cognito_identity_pool_id": "my-aws-region:identity-pool-id-from-federatedIdentities",
  "aws_cognito_region": "my-aws-region",
  "aws_user_pools_id": "my-aws-region_USERPOOLID",
  "aws_user_pools_web_client_id": "AppClientIdConnectedWithIdentityProvider",
  "oauth": {
    "domain": "subDomain.my_region.amazoncognito.com",
    "scope": ["openid"],
    "redirectSignIn": "http://localhost:3000",
    "redirectSignOut": "http://localhost:3000",
    "responseType": "code"
  }
}

Any guidance would be greatly appreciated!
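The error quoted in the question ("Could not match the desired key identifier within the list of keys") is what an OpenID Connect relying party reports when the `kid` in the ID token's JOSE header does not appear in the provider's JWKS (the key set published at the `jwks_uri` from the issuer's /.well-known/openid-configuration). The following is an added example, not code from the poster, XUMM or AWS: a small Node.js diagnostic that reproduces that key-selection step so the mismatch can be inspected locally. The token and JWKS are constructed sample data with placeholder key material; the signature itself is not verified, only the key lookup that precedes verification.

```javascript
// Added example: reproduce an OIDC relying party's key selection step.
// Before verifying an ID token signature, the verifier reads `kid` from the
// token header and looks for a matching entry in the provider's JWKS. If no
// entry matches, verification fails before any cryptography happens.
// All tokens and keys below are constructed samples, not real credentials.

// base64url encoding/decoding without padding, as used in compact JWS.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj))
    .toString('base64')
    .replace(/=+$/, '')
    .replace(/\+/g, '-')
    .replace(/\//g, '_');
}

function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Parse only the protected header (first segment) of a compact JWS.
function decodeJoseHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected a compact JWS with 3 segments, got ${parts.length}`);
  }
  return JSON.parse(b64urlDecode(parts[0]));
}

// Returns { ok: true, key } when a JWKS entry matches the token header,
// otherwise { ok: false, reason } explaining why a verifier would refuse it.
function findSigningKey(token, jwks) {
  const header = decodeJoseHeader(token);
  const keys = Array.isArray(jwks.keys) ? jwks.keys : [];
  if (keys.length === 0) {
    return { ok: false, reason: 'JWKS contains no keys' };
  }
  if (!header.kid) {
    return { ok: false, reason: 'token header has no kid; cannot select a key' };
  }
  const candidates = keys.filter((k) => k.kid === header.kid);
  if (candidates.length === 0) {
    const published = keys.map((k) => k.kid ?? '<no kid>').join(', ');
    return {
      ok: false,
      reason: `no JWKS key has kid "${header.kid}" (published kids: ${published})`,
    };
  }
  const key = candidates[0];
  // A verifier should also refuse a key whose declared alg or use disagrees
  // with the token, rather than silently accepting it.
  if (key.alg && header.alg && key.alg !== header.alg) {
    return { ok: false, reason: `alg mismatch: token ${header.alg}, key ${key.alg}` };
  }
  if (key.use && key.use !== 'sig') {
    return { ok: false, reason: `key ${key.kid} is not a signing key (use=${key.use})` };
  }
  return { ok: true, key };
}

// Constructed sample JWKS: two RSA signing keys with placeholder modulus values.
const SAMPLE_JWKS = {
  keys: [
    { kty: 'RSA', kid: 'key-2023-01', use: 'sig', alg: 'RS256', n: 'placeholder-n', e: 'AQAB' },
    { kty: 'RSA', kid: 'key-2023-02', use: 'sig', alg: 'RS256', n: 'placeholder-n', e: 'AQAB' },
  ],
};

// Constructed sample tokens: real header and claims segments, placeholder signature.
function sampleToken(header) {
  const claims = { iss: 'https://issuer.example', aud: 'sample-client-id', sub: 'sample-user' };
  return `${b64urlEncode(header)}.${b64urlEncode(claims)}.placeholder-signature`;
}

const GOOD_TOKEN = sampleToken({ alg: 'RS256', kid: 'key-2023-02' });
// Typical cause of the error in the question: the provider rotated to a kid
// the relying party's cached JWKS does not (yet) contain.
const ROTATED_TOKEN = sampleToken({ alg: 'RS256', kid: 'key-2023-03' });
const NO_KID_TOKEN = sampleToken({ alg: 'RS256' });

for (const [name, token] of Object.entries({ GOOD_TOKEN, ROTATED_TOKEN, NO_KID_TOKEN })) {
  const result = findSigningKey(token, SAMPLE_JWKS);
  console.log(name, result.ok ? `matched kid ${result.key.kid}` : `FAIL: ${result.reason}`);
}
```

Running this against a real ID token and the provider's live JWKS (fetched from its `jwks_uri`) shows directly whether the header `kid` is present in the published set; when it is absent, the cause is on the provider side or in a stale cached key set rather than in the Cognito app client or Amplify configuration.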