Calculate new ODIC Thumbprint for Auth0 w/ AWS Cognito

Here’s the email I’ve received recently:

We believe you are using AWS Cognito with your Auth0 tenant. To avoid issues with your Auth0 tenant integration with AWS Cognito, you need to update your integration using one of the methods detailed below before the rescheduled maintenance window on November 17th, 2020 between 13:30 and 18:30 UTC

I am using Cognito. The email continues an makes 3 suggestions for improving:

  1. Shift to the AWS SAML Connector to integrate with Auth0 instead of OIDC. This is preferred as SAML does not require certificate pinning.
  2. Shift to a Custom Domain with Self-Managed Certificates if you require certificate pinning. This feature is only available for Enterprise customers.
  3. (Simplest short-term workaround) Add the following certificate thumbprint as a trusted certificate in your AWS Cognito configuration before the maintenance window mentioned above. B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A
    The following AWS Cognito documentation provides information that might be useful for this operation. However, the exact steps might vary based on your setup:

Updating OIDC provider thumbprint
Obtaining the Thumbprint for an OpenID Connect Identity Provider
Due to limitations in the AWS OIDC provider, the root certificate thumbprint of our new network edge provider does not work. Because of this, the provided thumbprint is for an intermediate certificate and is expected to expire on December 31st, 2024. This intermediate certificate may be rotated by our network edge provider earlier without warning.

I did #3 a few weeks ago, and then buckled down to make necessary changes to update all of my customers clients. However customers will take time to update their clients. So I’d like to write a node based cron job that determines if AWS Cognito Identity Provider Thumbprint (B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A) gets changed and needs updated again.

I’ve followed the instructions recommended with the AWS documentation though, and I don’t ever get a thumbprint of B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A.

Long story short, what steps can I take to calculate the thumbprint B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A?


The “B3DD…” fingerprint is used for your * domain–the fingerprint for your custom domain may be different (for now…they may soon be the same).

You’ll want to monitor the certificate chain that is sent for your tenant specifically, so generally the steps would be (this is probably review for you, but others may find it helpful):

  1. Query the domain for your tenant ( domain or your custom domain–whichever you use. Due to our infrastructure they may assert different trust chains.)
  2. Parse out the intermediate certificate
  3. Use openssl to calculate the thumbprint

This Amazon document (presumably the one you’ve seen already) describes the openssl commands you can use to get and process the certificates:

You should get the “B3DD…” thumbprint for your domain. If not, DM me your tenant name and I will take a look.

If you’re using a custom domain with auth0-managed certificates, note that Let’s Encrypt has recently started signing with a new intermediate so pinning may break on the next renewal. I recommend adding the fingerprint of the R3 intermediate to your configuration now:

(Note that intermediate expires September 2021, but by then we should be using the fingerprint we sent in the email)



So I’d like to write a node based cron job that determines if AWS Cognito Identity Provider Thumbprint (B3DD7606D2B5A8B4A13771DBECC9EE1CECAFA38A) gets changed and needs updated again.

You may find a sample project here that implements the idea with javascript.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.