Asgardo React SDK cannot call Cognito JWKS endpoint when authorize endpoint and JWKS endpoints have different hostnames #300

@wx-yz

Description

Describe the issue:
I've deployed the sample React SPA on Choreo: https://is.docs.wso2.com/en/latest/get-started/try-samples/qsg-spa-react/

In Choreo, I've configured AWS Cognito as the external IdP. In the SPA configuration I'm using the well-known URL. Here are the contents of config.json:

{
    "clientID": "5l254i...",
    "signInRedirectURL": "https://7b1d064f-....e1-us-east-azure.choreoapps.dev",
    "signOutRedirectURL": "https://7b1d064f-....e1-us-east-azure.choreoapps.dev",
    "scope": ["profile", "openid"],
    "wellKnownEndpoint": "https://cognito....amazonaws.com/us-east-1_nsXNZHRv9/.well-known/openid-configuration"
}

During the auth code flow, the app fails to log in because the JWKS call fails with a CORS "No Allow Credentials" error.

The token call is successful. Here I'm getting the access token successfully.

I'm assuming the problem here is that, in Cognito, the JWKS endpoint is different from the token endpoint. Here's the content of the /.well-known/openid-configuration endpoint in Cognito:

{
  "authorization_endpoint": "https://us-east-1nsxnzhrv9.auth.us-east-1.amazoncognito.com/oauth2/authorize",
  "end_session_endpoint": "https://us-east-1nsxnzhrv9.auth.us-east-1.amazoncognito.com/logout",
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "issuer": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_nsXNZHRv9",
  "jwks_uri": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_nsXNZHRv9/.well-known/jwks.json",
  "response_types_supported": [
    "code",
    "token"
  ],
  "revocation_endpoint": "https://us-east-1nsxnzhrv9.auth.us-east-1.amazoncognito.com/oauth2/revoke",
  "scopes_supported": [
    "openid",
    "email",
    "phone",
    "profile"
  ],
  "subject_types_supported": [
    "public"
  ],
  "token_endpoint": "https://us-east-1nsxnzhrv9.auth.us-east-1.amazoncognito.com/oauth2/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "userinfo_endpoint": "https://us-east-1nsxnzhrv9.auth.us-east-1.amazoncognito.com/oauth2/userInfo"
}

Again, note that the hostname of the authorize endpoint is different from the JWKS hostname.

According to https://github.com/JakeChampion/fetch?tab=readme-ov-file#sending-cookies, we need to set

fetch('https://example.com:1234/users', {
  credentials: 'include'
})

when sending credentials to other domains. It defaults to 'same-origin'. From the SDK point of view, if these are different domains, can we include the above credentials: 'include' option when calling the JWKS endpoint? Thanks.
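An added example in JavaScript, not code from the issue or from the Asgardeo SDK: it takes the hostnames from the Cognito discovery document quoted above, flags that the JWKS origin differs from the token endpoint origin, checks that the JWKS URI sits under the issuer, and replays the browser's CORS check against a constructed (assumed, not captured from Cognito) response header set to show which credentials mode passes. The page origin is a constructed placeholder.

```javascript
// Discovery document fields as quoted in the issue (values copied from the page).
const discovery = {
  issuer: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_nsXNZHRv9",
  authorization_endpoint: "https://us-east-1nsxnzhrv9.auth.us-east-1.amazoncognito.com/oauth2/authorize",
  token_endpoint: "https://us-east-1nsxnzhrv9.auth.us-east-1.amazoncognito.com/oauth2/token",
  jwks_uri: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_nsXNZHRv9/.well-known/jwks.json",
};

// Constructed placeholder for the SPA's origin (the real one is elided in the issue).
const pageOrigin = "https://spa.example";

// Constructed, assumed response headers for the JWKS endpoint: a public document
// served with a wildcard origin and no Access-Control-Allow-Credentials header.
const wildcardHeaders = { "access-control-allow-origin": "*" };

// Origin (scheme + host + port) of a URL, as the browser's same-origin check sees it.
function originOf(url) {
  return new URL(url).origin;
}

// True when the JWKS document lives on a different origin than the token endpoint.
function jwksIsCrossOrigin(doc) {
  return originOf(doc.jwks_uri) !== originOf(doc.token_endpoint);
}

// Defensive check: the JWKS URI should sit under the issuer, so a tampered
// discovery document cannot point the client at keys hosted elsewhere.
function jwksUnderIssuer(doc) {
  const issuer = doc.issuer.endsWith("/") ? doc.issuer : doc.issuer + "/";
  return doc.jwks_uri.startsWith(issuer);
}

// Replays the Fetch standard's CORS check for a cross-origin response, given the
// request's credentials mode. Returns null on success or the failure reason.
function corsCheck(credentialsMode, origin, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  const allowCreds = headers["access-control-allow-credentials"];
  if (allowOrigin === undefined) return "no Access-Control-Allow-Origin header";
  if (credentialsMode !== "include") {
    // Non-credentialed: a wildcard or an exact origin match is enough.
    return allowOrigin === "*" || allowOrigin === origin ? null : "origin not allowed";
  }
  // Credentialed: wildcard is rejected, the origin must match exactly, and
  // Access-Control-Allow-Credentials must be literally "true".
  if (allowOrigin !== origin) return "credentialed request with wildcard or mismatched origin";
  if (allowCreds !== "true") return "Access-Control-Allow-Credentials is not 'true'";
  return null;
}
```

Against the constructed wildcard response, `corsCheck("include", ...)` reports the same class of failure as the browser's "No Allow Credentials" error, while `corsCheck("omit", ...)` passes.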

