AWS Cognito with OpenID failing with .NET Core gives error of *Error redeeming code: invalid_client*

Question

Environment

• .NET Core apps
• AWS Cognito User Pool
• Custom SSO app with .NET Core
• Open ID Connect

Background

We have multiple windows apps (both WPF and WinForms) running on users machine. Users are managed in custom user pools in AWS Cognito. Federation with other services is there but out of scope for this work. The SSO app presents a login screen where user enters their credentials and get authenticated by Cognito, getting back an auth code. The login mechanism is via OpenID Connect.

Problem Statement

The user gets authenticated successfully via Cognito but the OIDC login call gives an error message as follows:-

Error redeeming code: invalid_client / no description

The response received from Cognito is as follows, result code is success:-

http://localhost/myBusinessApp?code=5a0507ed-5230-408d-&state=KHfMkdZphxxxxxxxxxx

**Code **

Auth App

            var options = new OidcClientOptions()
        {
            Authority = _authenticationConfig.Value.Authority,
            ClientId = _authenticationConfig.Value.ClientId,
            ClientSecret = _authenticationConfig.Value.ClientSecret,  
            Scope = _authenticationConfig.Value.Scope,
            RedirectUri = _authenticationConfig.Value.RedirectUri,
            Browser = new CEFBrowser(),
            Policy = new Policy()
            {
                Discovery = new DiscoveryPolicy()
                {
                    ValidateIssuerName = false ,  /* added for Cognito only */
                    ValidateEndpoints = false /* added for Cognito only */    
                }
            }, 
            Flow = OidcClientOptions.AuthenticationFlow.AuthorizationCode  /* default, but just for clarity */
        };               
        
        _oidcClient = new IdentityModel.OidcClient.OidcClient(options);

        LoginResult result;
        try
        {
            result = await _oidcClient.LoginAsync();
        }
        catch (Exception ex)
        {
            Message.Text = $"Unexpected Error: {ex.Message}";
            return;
        }

        if (result.IsError)
               // Log error (always happen)

Browser call to Cognito

This always redirects successfully to the configured RedirectUrl

       webBrowser.LoadingStateChanged += (s, e) =>
       {
           var url = e.Browser.MainFrame.Url;
           if (url.StartsWith(_options.EndUrl))
           {
               result = new BrowserResult()
               {
                   ResultType = BrowserResultType.Success,
                   Response = url
               };

               signal.Release();

               webBrowser.Dispatcher.Invoke(() => window.Close());
           }
       };

Cognito Configuration

• User pool with sample users
• Authority (https://console.aws.amazon.com/cognito/users/?region=us-east-1#/pool/us-east-1_spXXXX/users?_k=m7yyyy)
• Domain name setup (Custom domain prefix to the Cognito URL). This comes when using authorise and login endpoint when traced in Fiddler
• OAuth Flows: Authorization Code Grant
• Scope: openid profile email

Already explored tutorials

• AWS Cognito User Pools and OpenId
• https://dzone.com/articles/identity-as-a-service-idaas-aws-cognito-and-aspnet
• Can i use AWS cognito to provide a open id connect endpoint?
• https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html (along with Token and Login)
• https://github.com/IdentityModel/IdentityModel.OidcClient/issues/121

Fiddler Response

Answer 1

Finally after adding unit test support, I realized that ClientSecret was not getting passed due to improper data structure. After adding that, the app worked properly.