Receive Error "nonce mismatch, expected undefined, got: <value>" when Setting Up an Enterprise OIDC Connection Using Cognito

Overview

The following error is observed in the tenant logs when a user tries to log in using Cognito as IdP.

  "description": "nonce mismatch, expected undefined, got: mYDXYLkqj2NUi7KZqM5IPSVtfWKTPLdyJsvk4C37XDFN1H_CZ3cqlPrmEv5hIe3zIBAvRWBaBuNBVLg4DyudNV2RSTA3wo3FA4tzQbuphKNcoVljQcMuvOpH792vqbLuH4XEnNz1qEcK5SIg1Z1XeSS-CxnHiqMeJeVPKwKd-xQ",
  "details": {
    "body": {},
    "connection": "xxx-xxxxxx",
    "error": {
      "message": "nonce mismatch, expected undefined, got: mYDXYLkqj2NUi7KZqM5IPSVtfWKTPLdyJsvk4C37XDFN1H_CZ3cqlPrmEv5hIe3zIBAvRWBaBuNBVLg4DyudNV2RSTA3wo3FA4tzQbuphKNcoVljQcMuvOpH792vqbLuH4XEnNz1qEcK5SIg1Z1XeSS-CxnHiqMeJeVPKwKd-xQ",
      "oauthError": "access_denied",
      "type": "oauth-authorization"
    },

This error is not seen with any other type of connection, such as SAML, ADFS, or database connections.

Applies To

  • Cognito
  • Identity Providers
  • Login Error

Cause

When Auth0 redirects the user to Cognito, it does not include a nonce parameter in the /authorize request. Cognito nevertheless returns a nonce in its response. Auth0 then compares the nonce it receives against the nonce it sent with the request; since it sent none, the comparison is between the nonce returned by Cognito and a nonce that does not exist on the Auth0 side, and the check fails.

As a result, login fails with the error nonce mismatch, expected undefined, got: <value>. The message is consistent with the cause: "expected undefined" because Auth0 stored no nonce for the request and so was not expecting one back, and "got: <value>" because Cognito returned one anyway.

Solution

As a workaround, a nonce can be sent to the IdP as an upstream parameter, as explained in the Auth0 documentation on passing parameters to identity providers. The workaround consists of the following steps:

  1. Update the connection to accept a nonce parameter, following the upstream parameters documentation.
    The connection is updated through the Auth0 Management API so that it accepts a dynamic parameter via the alias property of upstream_params. Since only a fixed set of parameters can be used as an alias, one of them can be re-purposed to carry the nonce; for example, login_hint can be aliased and used to send the nonce value.
  2. Once the connection accepts a dynamic parameter aliased to login_hint, that parameter must be included in the call to the /authorize endpoint made by the SDK in use. A nonce must be generated for the login and passed as the value of the login_hint parameter.
    For example, with the React SDK, login_hint can be sent as part of the 'authorizationParams' object passed to the Auth0Provider, as described in the React SDK documentation.