Overview
The following error appears in the tenant logs when a user tries to log in through an Amazon Cognito connection used as an OpenID Connect (OIDC) identity provider (IdP):

"description": "nonce mismatch, expected undefined, got: mYDXYLkqj2NUi7KZqM5IPSVtfWKTPLdyJsvk4C37XDFN1H_CZ3cqlPrmEv5hIe3zIBAvRWBaBuNBVLg4DyudNV2RSTA3wo3FA4tzQbuphKNcoVljQcMuvOpH792vqbLuH4XEnNz1qEcK5SIg1Z1XeSS-CxnHiqMeJeVPKwKd-xQ",
"details": {
  "body": {},
  "connection": "xxx-xxxxxx",
  "error": {
    "message": "nonce mismatch, expected undefined, got: mYDXYLkqj2NUi7KZqM5IPSVtfWKTPLdyJsvk4C37XDFN1H_CZ3cqlPrmEv5hIe3zIBAvRWBaBuNBVLg4DyudNV2RSTA3wo3FA4tzQbuphKNcoVljQcMuvOpH792vqbLuH4XEnNz1qEcK5SIg1Z1XeSS-CxnHiqMeJeVPKwKd-xQ",
    "oauthError": "access_denied",
    "type": "oauth-authorization"
  },
This error is not seen with any other connection type (SAML, ADFS, database connections, and so on).
Applies To
- Cognito
- Identity Providers
- Login Error
Cause
When Auth0 redirects the user to Cognito, it does not include a nonce parameter in the /authorize request. Cognito nevertheless returns a nonce in its response (the nonce claim of the ID token). Auth0 then compares the returned nonce with the one it sent; since it sent none, the value it expects is undefined, and any returned value is treated as a mismatch.
This is why the log reads nonce mismatch, expected undefined, got: <value>: Auth0 was not expecting a nonce back at all, so 'expected undefined' is the literal comparison that failed. The check itself is the standard OIDC nonce validation, which ties an ID token to the authorization request that produced it; the problem is only that the two sides disagree about whether a nonce is in play.
Solution
As a workaround, a nonce can be passed to the IdP as an upstream parameter, as explained in the Auth0 documentation on passing parameters to identity providers.
The workaround consists of:
- Updating the connection to forward a nonce parameter to Cognito, following the upstream parameters documentation.
- Using the Auth0 Management API to set the connection's upstream_params so that the nonce sent to Cognito takes its value from a dynamic request parameter via the alias property. Only a fixed set of request parameter names can be used as an alias, and nonce is not one of them, so one of the permitted names has to be repurposed; login_hint is a convenient choice. Because login_hint then carries the nonce, it can no longer be used to pre-fill the username on this connection.
- Once the connection maps nonce to the login_hint alias, the application must include login_hint in every call to the /authorize endpoint made through the SDK. Generate a fresh, unpredictable nonce for each login and pass it as the login_hint value; a constant or guessable value defeats the replay protection the nonce provides.
- For example, with the React SDK, login_hint can be set in the authorizationParams object passed to Auth0Provider, as described in the React SDK documentation.