Here’s the email I’ve received recently:
We believe you are using AWS Cognito with your Auth0 tenant. To avoid issues with your Auth0 tenant integration with AWS Cognito, you need to update your integration using one of the methods detailed below before the rescheduled maintenance window on November 17th, 2020 between 13:30 and 18:30 UTC.
I am using Cognito. The email continues and makes 3 suggestions:
- Shift to the AWS SAML Connector to integrate with Auth0 instead of OIDC. This is preferred as SAML does not require certificate pinning.
- Shift to a Custom Domain with Self-Managed Certificates if you require certificate pinning. This feature is only available for Enterprise customers.
- (Simplest short-term workaround) Add the following certificate thumbprint as a trusted certificate in your AWS Cognito configuration before the maintenance window mentioned above.
B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A
The following AWS Cognito documentation provides information that might be useful for this operation. However, the exact steps might vary based on your setup: Updating OIDC provider thumbprint
Obtaining the Thumbprint for an OpenID Connect Identity Provider
Due to limitations in the AWS OIDC provider, the root certificate thumbprint of our new network edge provider does not work. Because of this, the provided thumbprint is for an intermediate certificate and is expected to expire on December 31st, 2024. This intermediate certificate may be rotated by our network edge provider earlier without warning.
I did #3 a few weeks ago, and then buckled down to make the necessary changes to update all of my customers' clients. However, customers will take time to update their clients. So I'd like to write a Node-based cron job that determines if the AWS Cognito Identity Provider Thumbprint (B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A) gets changed and needs to be updated again.
I've followed the instructions recommended in the AWS documentation, though, and I don't ever get a thumbprint of B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A.
Long story short, what steps can I take to calculate the thumbprint B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A?