Using the Cognito provider with a client that doesn't have a client secret

[enesse]

Is there a way to use the Next Auth Cognito provider for a Cognito app client that doesn't have a client secret set? According to the Cognito documentation "If the client was issued a secret, the client must pass its client_id and client_secret in the authorization header through Basic HTTP authorization" , https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html

We're attempting to migrate a set of websites that has to use a set existing Cognito app clients that were created without a client secret..

[tiyberius]

I'm trying to do this too! Have you made any progress @enesse? Sorry this isn't an "answer" per se, but I didn't see any other options.

I've got a Cognito App and I've configured a web client, so I belive a client secret is not needed. I can authenticate when I pass this as the config in [...nextAuth.js]

export default NextAuth({
  // https://next-auth.js.org/configuration/providers/oauth
  providers: [
    CognitoProvider({
      clientId: process.env.NEXT_PUBLIC_COGNITO_CLIENT_ID,
      clientSecret: process.env.COGNITO_CLIENT_SECRET,
      issuer: process.env.COGNITO_ISSUER,
      checks: 'nonce',
    })
  ],...

but if I remove the clientSecret, I get an error

https://next-auth.js.org/errors#oauth_callback_error client_secret_basic client authentication method requires a client_secret {
  error: {
    message: 'client_secret_basic client authentication method requires a client_secret',
    stack: 'TypeError: client_secret_basic client authentication method requires a client_secret\n' +
      '    at Client.authFor (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/openid-client/lib/helpers/client.js:124:15)\n' +
      '    at Client.authenticatedPost (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/openid-client/lib/helpers/client.js:163:30)\n' +
      '    at Client.grant (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/openid-client/lib/client.js:1312:46)\n' +
      '    at Client.callback (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/openid-client/lib/client.js:474:35)\n' +
      '    at oAuthCallback (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/next-auth-patch-feature-nonce-check/core/lib/oauth/callback.js:123:29)\n' +
      '    at async Object.callback (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/next-auth-patch-feature-nonce-check/core/routes/callback.js:50:11)\n' +
      '    at async NextAuthHandler (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/next-auth-patch-feature-nonce-check/core/index.js:139:28)\n' +
      '    at async NextAuthNextHandler (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/next-auth-patch-feature-nonce-check/next/index.js:21:19)\n' +
      '    at async /Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/next-auth-patch-feature-nonce-check/next/index.js:57:32\n' +
      '    at async Object.apiResolver (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/next/dist/server/api-utils.js:101:9)',
    name: 'TypeError'
  },
  providerId: 'cognito',
  message: 'client_secret_basic client authentication method requires a client_secret'
}
[next-auth][error][CALLBACK_OAUTH_ERROR]
https://next-auth.js.org/errors#callback_oauth_error client_secret_basic client authentication method requires a client_secret TypeError: client_secret_basic client authentication method requires a client_secret
    at Client.authFor (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/openid-client/lib/helpers/client.js:124:15)
    at Client.authenticatedPost (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/openid-client/lib/helpers/client.js:163:30)
    at Client.grant (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/openid-client/lib/client.js:1312:46)
    at Client.callback (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/openid-client/lib/client.js:474:35)
    at oAuthCallback (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/next-auth-patch-feature-nonce-check/core/lib/oauth/callback.js:123:29)
    at async Object.callback (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/next-auth-patch-feature-nonce-check/core/routes/callback.js:50:11)
    at async NextAuthHandler (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/next-auth-patch-feature-nonce-check/core/index.js:139:28)
    at async NextAuthNextHandler (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/next-auth-patch-feature-nonce-check/next/index.js:21:19)
    at async /Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/next-auth-patch-feature-nonce-check/next/index.js:57:32
    at async Object.apiResolver (/Users/tobias/Projects/Swellsensor/swellsensor/frontend/node_modules/next/dist/server/api-utils.js:101:9) {
  name: 'OAuthCallbackError',
  code: undefined
}

Very frustrating

[enesse]

Hi @tiyberius , yes I got it working tweeking the settings å bit. Take a look: #4707

Hope this works for you as well!

[tiyberius]

You're a legend!!! It works! 🥳 Thanks heaps 🙌🏻🙌🏻🙌🏻