Concepts & SDK DocsXumm Developer Console

Developer Questions

Ask a Question
Back to All

Connecting XUMM as an OpenID Connect provider on AWS Cognito

over 1 year ago by xFoxClub

I'm trying to use xumm as an OpenID connect provider using AWS cognito. I’m hoping someone can provide some guidance on my integration

I think my integration is 90% of the way there but am getting this error when attempting to grant the authorizationCode: invalid_token_signature: Could not match the desired key identifier within the list of keys at OAuth.

The flow to get there:
User clicks Sign in →
this triggers Auth.federatedSignIn({customProvider:’xumm’”) →
the page gets redirected to xumm.app/sign/abc1234 →
Signs the transaction using Xumm →
redirects back domain.region.amazoncognito.com/oauth2/idpresonse?authorization_code=anAuthorizationCode…. Etc →
Amazon cognito then tries to grant a token with the authorization code and fails to do so with the above error.

Using Cognito, I set up a userpool, created a identity provider using OpenID Connect.
In the Identity provider config, I provided the ClientID and Secret, Attributes request method set to GET, openid as the authorize scope and provided https://oauth2.xumm.app as the issuer.

After I set up the identity provider, I configured an appClient with the identity provider in the previous step with the call back URL set to http://localhost:3000. I also enabled Authorization code grant and implicit grant as the allowed ‘Oauth Flows’ and set openid as the “Allowed OAuth Scopes”

In the federated identities dashboard, I have configured an identity pool. Under the OpenId section I have enabled an authentication provider with oauth2.xumm.app as the domain and the Arn pointing to an IAM which is connected to an audience set as my XUMM api key with a valid thumbprint.

In the application (react app), I configure aws-amplify with the following information:
{
"aws_project_region": "my-aws-region",
"aws_cognito_identity_pool_id": "my-aws-region:identity-pool-id-from-federatedIdentities",
“Aws_cognito_region”:”my-aws-region”,
"aws_user_pools_id": "my-aws-region_USERPOOLID",
"aws_user_pools_web_client_id": "AppClientIdConnectedWithIdentityProvider",
“oauth”:{
“domain”: "subDomain.my_region.amazoncognito.com",
“scope”:[“openid”],
“redirectSignIn”:”http://localhost:3000”,
“redirectSignOut”:”http://localhost:3000”
“responseType”:”code”
}
}

Any guidance would be greatly appreciated!