AWS Cognito User Pool OpenID Connect Errors

I’m attempting to add Asana as an OpenID Connect identity provider for my AWS Cognito User Pool. Cognito is successfully discovering the appropriate endpoints when I provide it Asana’s issuer URL: https://app.asana.com/api/1.0/.well-known/openid-configuration

However, I continue to get the following error when I submit the form to create a new provider:

We were unable to create identity provider: oidc_issuer is invalid (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: InvalidParameterException; Request ID: e3783f23-63cb-11e9-acf8-2b50d219a65d)

Here is the form as I have it filled out:

I’ve also tried filling out the token/userinfo/etc. endpoint fields manually, to no avail.

Has anyone successfully added Asana as an OIDC provider on AWS Cognito?

1 Like

Hi @Scott_Benson, while I don’t have much familiarity with AWS Cognito, I do have a suggestion for trying to solve the issue. https://app.asana.com/api/1.0/.well-known/openid-configuration is the “discovery URL” for our OpenID Connect configuration, but our “issuer” (which the screenshot is asking for) is just https://app.asana.com/api/1.0. The OpenID Connect discovery spec states that the discovery information must be hosted at issuer + /.well-known/openid-configuration so you should not need to add this path to the end of the issuer.

2 Likes
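The rule in the reply above (issuer + /.well-known/openid-configuration, and the issuer field must be the bare issuer) is what a relying party such as a Cognito user pool checks before it accepts a provider. The following is an added example, not code from the original thread, from Asana or from AWS: it derives the discovery URL from an issuer the way OpenID Connect Discovery 1.0 specifies and then validates a discovery document against that issuer, rejecting the exact mistake in the question (the discovery path pasted into the issuer field) and the quieter one of a trailing slash. The discovery document embedded below is constructed for the example; only the issuer value https://app.asana.com/api/1.0 comes from the thread, and the endpoint paths are placeholders, not Asana's real endpoints.

```python
"""Added example: derive an OIDC discovery URL from an issuer and check a
discovery document the way a relying party does (OpenID Connect Discovery
1.0, sections 4 and 4.3). Illustrative code, not Asana's or AWS's."""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Fields a relying party needs before it can run the authorization code
# flow and verify ID tokens.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer: str) -> str:
    """Build the discovery URL from an issuer identifier.

    Discovery 1.0 section 4: remove any terminating '/' from the issuer,
    then append '/.well-known/openid-configuration'. The well-known path
    is never part of the issuer itself, so an issuer that already ends
    with it is rejected with the corrected value in the message.
    """
    if issuer.rstrip("/").endswith(WELL_KNOWN):
        raise ValueError(
            "issuer must not include the discovery path; use "
            + issuer[: issuer.index(WELL_KNOWN)]
        )
    parts = urlsplit(issuer)
    if parts.scheme != "https" or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL with no query or fragment")
    return issuer.rstrip("/") + WELL_KNOWN


def check_discovery_document(issuer: str, document: dict) -> list:
    """Return a list of problems; an empty list means the document is usable.

    The critical check is the exact string match between the configured
    issuer and the document's 'issuer' claim (Discovery 1.0 section 4.3).
    A trailing slash or the discovery path in the configured issuer both
    fail it, which is the class of error reported in the thread.
    """
    problems = []
    for key in REQUIRED_KEYS:
        if key not in document:
            problems.append(f"missing required field: {key}")
    if "issuer" in document and document["issuer"] != issuer:
        problems.append(
            f"issuer mismatch: configured {issuer!r}, document says {document['issuer']!r}"
        )
    # Codes, tokens and keys travel over these endpoints; refuse plain http.
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        url = document.get(key)
        if url is not None and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    return problems


def validate_issuer_config(issuer: str, discovery_json: str) -> list:
    """Simulate what an RP does with the form's issuer field: derive the
    discovery URL, then check the fetched document against the issuer.
    Returns the list of problems; an empty list is a valid configuration."""
    try:
        discovery_url(issuer)  # a real RP would GET this URL over HTTPS
    except ValueError as exc:
        return [str(exc)]
    document = json.loads(discovery_json)
    return check_discovery_document(issuer, document)


# Constructed sample discovery document. The issuer matches the thread;
# the endpoint paths are placeholders invented for this example.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://app.asana.com/api/1.0",
    "authorization_endpoint": "https://app.asana.com/example/authorize",
    "token_endpoint": "https://app.asana.com/example/token",
    "userinfo_endpoint": "https://app.asana.com/api/1.0/example/userinfo",
    "jwks_uri": "https://app.asana.com/api/1.0/example/jwks",
})


if __name__ == "__main__":
    for candidate in (
        "https://app.asana.com/api/1.0",
        "https://app.asana.com/api/1.0/",
        "https://app.asana.com/api/1.0/.well-known/openid-configuration",
    ):
        print(candidate, "->", validate_issuer_config(candidate, SAMPLE_DISCOVERY_JSON) or "OK")
```

Running the block shows the three outcomes side by side: the bare issuer passes, the trailing-slash form fails the exact-match check, and the discovery URL is rejected before any fetch with the corrected issuer in the message. The same exact-match rule is why "filling in the endpoints manually" does not help when the issuer field itself is wrong.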

Thanks, @Joe_Trollo! That worked perfectly.