hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug]: Issue creating a LinkedIn OIDC provider using aws_cognito_identity_provider #34244

Open anthonyhumphreys opened 7 months ago

anthonyhumphreys commented 7 months ago

Terraform Core Version

1.6.3

AWS Provider Version

5.24.0

Affected Resource(s)

aws_cognito_identity_provider

resource "aws_cognito_identity_provider" "linkedin" {
  user_pool_id  = aws_cognito_user_pool.user_pool.id
  provider_name = "LinkedIn"
  provider_type = "OIDC"
  provider_details = {
    client_id                 = jsondecode(data.aws_secretsmanager_secret_version.linkedin_secret_version.secret_string)["client_id"]
    client_secret             = jsondecode(data.aws_secretsmanager_secret_version.linkedin_secret_version.secret_string)["client_secret"]
    attributes_request_method = "GET"
    oidc_issuer               = "https://www.linkedin.com"
    authorize_scopes          = "openid profile email"
    authorization_endpoint    = "https://www.linkedin.com/oauth/v2/authorization"
    token_endpoint            = "https://www.linkedin.com/oauth/v2/accessToken"
    userinfo_endpoint         = "https://api.linkedin.com/v2/userinfo"
    jwks_uri                  = "https://www.linkedin.com/oauth/v2/jwks"
  }
  attribute_mapping = {
    email              = "email"
    family_name        = "family_name"
    given_name         = "given_name"
    preferred_username = "email"
    username           = "sub"
  }
}

I'm trying to create an OIDC provider so users can log in with LinkedIn. This works in the console UI when using manual setup, but the equivalent tf doesn't seem to work.

Any advice please?

Thank you.

Expected Behavior

OIDC provider should be created

Actual Behavior

OIDC provider not created, error given

Relevant Error/Panic Output Snippet

╷
│ Error: creating Cognito Identity Provider: InvalidParameterException: Unable to contact well-known endpoint
│ 
│   with module.Cognito.aws_cognito_identity_provider.linkedin,
│   on modules/Cognito/main.tf line 253, in resource "aws_cognito_identity_provider" "linkedin":
│  253: resource "aws_cognito_identity_provider" "linkedin" {

Terraform Configuration Files

relevant tf block above

Steps to Reproduce

attempt to add LinkedIn as an OIDC provider

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

Would you like to implement a fix?

None

github-actions[bot] commented 7 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

anthonyhumphreys commented 7 months ago

Happy to work on this issue if someone could point me in the right direction!

DrFaust92 commented 7 months ago

anthonyhumphreys I can suggest trying to catch the HTTP request via the browser devtools (F12), looking at the body of the request, and seeing what's different from the params being sent by the provider.

wyou130 commented 3 weeks ago

@anthonyhumphreys I'm creating this same resource through terragrunt and ran into the same error. I came across this AWS post which had this link: https://www.linkedin.com/oauth/.well-known/openid-configuration in which the issuer is actually "https://www.linkedin.com/oauth". I updated my oidc_issuer to this in my configuration and was able to successfully create the identity provider. Hope that is helpful for your project.
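The root cause in the last comment is an issuer mismatch: per OpenID Connect Discovery, the well-known endpoint is derived from the issuer (issuer + `/.well-known/openid-configuration`), and the `issuer` field inside that document must equal the configured `oidc_issuer`. The following is an added pre-apply check, not code from the issue, the provider, or AWS: it derives the discovery URL from `oidc_issuer`, then compares every `provider_details` endpoint and the requested scopes against the published document, so a wrong issuer is caught before `terraform apply` fails. The discovery document below is a constructed sample (populated with the endpoints from the Terraform block in this issue and the issuer the last comment reports, not fetched from LinkedIn); the mapping between `provider_details` keys and discovery fields is an assumption drawn from the resource arguments shown above.

```python
import json
import urllib.request

# Assumed mapping: Cognito provider_details keys -> discovery-document fields they should match.
ENDPOINT_FIELDS = {
    "authorization_endpoint": "authorization_endpoint",
    "token_endpoint": "token_endpoint",
    "userinfo_endpoint": "userinfo_endpoint",
    "jwks_uri": "jwks_uri",
}


def well_known_url(issuer: str) -> str:
    """Discovery URL derived from an issuer (OpenID Connect Discovery 1.0, section 4.1):
    the issuer with any trailing slash removed, plus /.well-known/openid-configuration.
    This is the URL Cognito must be able to reach for the configured oidc_issuer."""
    if not issuer.startswith("https://"):
        raise ValueError(f"issuer must use https: {issuer!r}")
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_discovery(issuer: str, timeout: float = 5.0) -> dict:
    """Fetch and parse the live discovery document (network call; not used by the offline demo)."""
    with urllib.request.urlopen(well_known_url(issuer), timeout=timeout) as resp:
        return json.load(resp)


def check_provider_details(details: dict, discovery: dict) -> list:
    """Return a list of mismatches between provider_details and the discovery document.
    An empty list means the Terraform values agree with what the IdP publishes."""
    problems = []
    issuer = details["oidc_issuer"]
    # The published issuer must equal the configured one; otherwise the IdP is not
    # serving discovery at the URL derived from oidc_issuer and Cognito cannot contact it.
    if discovery.get("issuer") != issuer:
        problems.append(
            f"oidc_issuer {issuer!r} != published issuer {discovery.get('issuer')!r} "
            f"(discovery would be fetched from {well_known_url(issuer)})"
        )
    for key, field in ENDPOINT_FIELDS.items():
        configured, published = details.get(key), discovery.get(field)
        if configured and published and configured != published:
            problems.append(f"{key} {configured!r} differs from published {field} {published!r}")
        if configured and not configured.startswith("https://"):
            problems.append(f"{key} must use https: {configured!r}")
    # Every requested scope should be advertised by the IdP (when it advertises any).
    requested = set(details.get("authorize_scopes", "").split())
    supported = set(discovery.get("scopes_supported", []))
    if supported and not requested <= supported:
        problems.append(f"scopes not advertised by IdP: {sorted(requested - supported)}")
    return problems


# Constructed sample discovery document (not fetched from LinkedIn): the OIDC Discovery shape,
# filled with the endpoints from the issue's Terraform block and the issuer from the last comment.
SAMPLE_DISCOVERY = {
    "issuer": "https://www.linkedin.com/oauth",
    "authorization_endpoint": "https://www.linkedin.com/oauth/v2/authorization",
    "token_endpoint": "https://www.linkedin.com/oauth/v2/accessToken",
    "userinfo_endpoint": "https://api.linkedin.com/v2/userinfo",
    "jwks_uri": "https://www.linkedin.com/oauth/v2/jwks",
    "scopes_supported": ["openid", "profile", "email"],
}

# provider_details as posted in the issue (client_id/client_secret omitted; they play no part here).
ISSUE_DETAILS = {
    "oidc_issuer": "https://www.linkedin.com",
    "authorize_scopes": "openid profile email",
    "authorization_endpoint": "https://www.linkedin.com/oauth/v2/authorization",
    "token_endpoint": "https://www.linkedin.com/oauth/v2/accessToken",
    "userinfo_endpoint": "https://api.linkedin.com/v2/userinfo",
    "jwks_uri": "https://www.linkedin.com/oauth/v2/jwks",
}


def corrected(details: dict) -> dict:
    """Copy of provider_details with oidc_issuer set to the issuer the IdP actually publishes."""
    fixed = dict(details)
    fixed["oidc_issuer"] = SAMPLE_DISCOVERY["issuer"]
    return fixed


if __name__ == "__main__":
    for label, d in (("as posted", ISSUE_DETAILS), ("corrected", corrected(ISSUE_DETAILS))):
        print(f"{label}: {check_provider_details(d, SAMPLE_DISCOVERY) or 'OK'}")
```

Against a live IdP, replace `SAMPLE_DISCOVERY` with `fetch_discovery(details["oidc_issuer"])`; if that call itself fails, the derived well-known URL printed in the issuer mismatch message is the one to inspect, which is exactly the condition behind "Unable to contact well-known endpoint". Keeping `oidc_issuer` equal to the published `issuer` also matters after creation: it is the value ID tokens are validated against, so a loosely chosen issuer string is a misconfiguration worth gating in CI rather than discovering at apply time.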