OpenID Connect AWS Cognito – ERROR: No_OpenId_Response

Tags: auth-provider, authentication, aws, open-id-connect, single-sign-on

Overview

Currently using AWS Cognito User Pools as the Identity Provider, using OpenID Connect, for logging in to a Salesforce Community.

I'm currently getting an issue similar to this post, OpenID Connect – Bad Response: a bad response error

  • ErrorCode=No_Openid_Response
  • ErrorDescription=Bad+response

His solution was to remove an identifier from the user attribute mapping to get it working. I did try playing around with the user attribute mapping from Cognito, and I am getting the same result.

What did work, though, is setting the AWS Cognito User Pool to use email instead of username for the user login. It seems like Salesforce isn't accepting whatever AWS Cognito is returning in the OpenID response when username is used for authentication. Also, email is not an option for us, given that the users are already using usernames to log in to other platforms and applications.

Has anyone set up an Identity Provider using OIDC with Salesforce that uses AWS Cognito for authentication before?


Investigation

Adding the OpenID Connect flow here for reference on my post. Client in this context is Salesforce and Server would be AWS Cognito.

src: OpenID Diagram

I'm currently getting the error below after authenticating through the AWS Cognito login page and then redirecting back to Salesforce, which is Step 3 from the flow above.

  • ErrorCode=No_Openid_Response
  • ErrorDescription=Bad+response

So from what I can tell, based on my browser network console, I'm able to get the Authorization Code which is required for the token request, and then when I get redirected back to Salesforce, I encounter that error.


Setup

Auth. Provider.


AWS Cognito App Client Settings

Best Answer

Found the issue.... it was the UserInfo URL. Instead of userinfo it should be userInfo, with an uppercase "I".

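As an added example (not code from the original question or answer), the following script checks the endpoint URLs entered in a Salesforce Auth. Provider against the URLs a Cognito user-pool domain exposes, comparing the path case-sensitively, and decodes the ErrorCode/ErrorDescription pair Salesforce appends to the redirect. The domain prefix, region and community URL are constructed placeholders; the endpoint paths are the ones AWS documents for the Cognito hosted UI.

```python
"""Sanity-check Salesforce Auth. Provider URLs against a Cognito user-pool domain.

Added example; assumes the Amazon-provided domain form
<prefix>.auth.<region>.amazoncognito.com. The comparison is deliberately
case-sensitive, because the accepted answer traces No_Openid_Response to
"userinfo" being configured where Cognito serves "userInfo".
"""
from urllib.parse import parse_qs, urlsplit

# Cognito hosted-UI OAuth 2.0 / OIDC endpoint paths, spelled as AWS documents them.
COGNITO_PATHS = {
    "authorize": "/oauth2/authorize",
    "token": "/oauth2/token",
    "userinfo": "/oauth2/userInfo",
}


def cognito_endpoints(domain_prefix: str, region: str) -> dict:
    """Return the expected endpoint URLs for a Cognito user-pool domain."""
    host = f"https://{domain_prefix}.auth.{region}.amazoncognito.com"
    return {name: host + path for name, path in COGNITO_PATHS.items()}


def check_auth_provider(configured: dict, expected: dict) -> list:
    """Compare configured URLs with the expected ones.

    Returns a list of findings; an empty list means every endpoint matches
    exactly. A case-only difference is reported separately, since that is the
    failure mode the post describes and it is easy to miss by eye.
    """
    findings = []
    for name, want in expected.items():
        got = configured.get(name)
        if got is None:
            findings.append(f"{name}: missing")
        elif got == want:
            continue
        elif got.lower() == want.lower():
            findings.append(f"{name}: case mismatch, configured {got!r}, expected {want!r}")
        else:
            findings.append(f"{name}: wrong URL, configured {got!r}, expected {want!r}")
    return findings


def parse_salesforce_error(redirect_url: str) -> dict:
    """Extract ErrorCode / ErrorDescription from the URL Salesforce redirects to
    after a failed Auth. Provider callback; parse_qs turns '+' back into a space."""
    query = parse_qs(urlsplit(redirect_url).query)
    return {
        "code": query.get("ErrorCode", [None])[0],
        "description": query.get("ErrorDescription", [None])[0],
    }


# Constructed sample values: the domain prefix and region are placeholders.
EXPECTED = cognito_endpoints("example-pool", "us-east-1")

# Configuration reproducing the post's mistake (lowercase "userinfo").
BROKEN = {
    "authorize": EXPECTED["authorize"],
    "token": EXPECTED["token"],
    "userinfo": EXPECTED["userinfo"].replace("userInfo", "userinfo"),
}

# Configuration after applying the accepted answer.
FIXED = dict(EXPECTED)

# Constructed redirect URL carrying the error pair quoted in the question.
SAMPLE_ERROR_URL = (
    "https://example.my.site.com/s/login"
    "?ErrorCode=No_Openid_Response&ErrorDescription=Bad+response"
)

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_auth_provider(cfg, EXPECTED) or "ok")
    print(parse_salesforce_error(SAMPLE_ERROR_URL))
```

Run it as-is to see the broken configuration flagged with a case mismatch on the userinfo endpoint and the fixed one pass; swap in your own domain prefix and region to check a real Auth. Provider definition.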
