When setting up Google OAuth as a login provider for an aws_cognito_identity_pool, the client_id obtained from Google Cloud Console (for example, 123456789012.apps.googleusercontent.com) causes the following error:
"client_id must contain only alphanumeric characters and underscores"
However, this is the official OAuth Client ID format from Google, and Cognito expects this value when integrating Google OAuth. This issue arises due to the restriction that aws_cognito_identity_pool imposes on the client_id, where only alphanumeric characters and underscores are allowed. This limitation conflicts with the structure of Google’s OAuth Client IDs, which include periods and hyphens.
Error Output:

```text
Error: "cognito_identity_providers.1.client_id" must contain only alphanumeric characters and underscores

  with aws_cognito_identity_pool.main,
  on main.tf line 88, in resource "aws_cognito_identity_pool" "main":
  88: resource "aws_cognito_identity_pool" "this" {
```
Expected Behavior
The aws_cognito_identity_pool should accept Google’s OAuth Client ID format without throwing an error, allowing integration of Google OAuth for user login.
This is supported in the AWS Console and in CDK.
Actual Behavior
The Identity Pool rejects the Google client_id due to non-alphanumeric characters such as periods (.) and hyphens (-), even though this is the official format used by Google for OAuth Client IDs.
OAuth Client ID Format: Google uses xxx.apps.googleusercontent.com, which is not compliant with the restrictions currently imposed by AWS Cognito Identity Pool.
Relevant Error/Panic Output Snippet
```text
Terraform planned the following actions, but then encountered a problem:

  # module.wp_butler_cognito.aws_cognito_identity_provider.these["google"] must be replaced
-/+ resource "aws_cognito_identity_provider" "these" {
      ~ attribute_mapping = {
          - "username" = "sub"
        } -> (known after apply)
      ~ id                = "us-east-2_LXXRRTT:Google" -> (known after apply)
      - idp_identifiers   = [] -> null
      ~ provider_details  = {
          - "attributes_url"                = "https://people.googleapis.com/v1/people/me?personFields=" -> null
          - "attributes_url_add_attributes" = "true" -> null
          - "authorize_url"                 = "https://accounts.google.com/o/oauth2/v2/auth" -> null
          - "oidc_issuer"                   = "https://accounts.google.com" -> null
          - "token_request_method"          = "POST" -> null
          - "token_url"                     = "https://www.googleapis.com/oauth2/v4/token" -> null
            # (3 unchanged elements hidden)
        }
      ~ provider_name     = "Google" -> "accounts.google.com" # forces replacement
        # (2 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.
╷
│ Error: "cognito_identity_providers.1.client_id" must contain only alphanumeric characters and underscores
│
│   with module.wp_butler_cognito.aws_cognito_identity_pool.this,
│   on .terraform/modules/wp_butler_cognito/main.tf line 88, in resource "aws_cognito_identity_pool" "this":
│   88: resource "aws_cognito_identity_pool" "this" {
│
╵
::error::Terraform exited with code 1.
Error: Process completed with exit code 1.
```
1. Register an application in Google Cloud Console and obtain an OAuth Client ID.
• Format of the OAuth Client ID: 123456789012.apps.googleusercontent.com.
2. Set up an `aws_cognito_identity_pool` and configure Google OAuth as a Login Provider using the OAuth Client ID obtained from Google Cloud.
3. Run the Terraform configuration.
4. Observe the error due to the restriction on the format of client_id.
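As an added example (not the issue author's configuration), here is how the provider documents wiring Google into an identity pool: the Google OAuth Client ID belongs in the `supported_login_providers` map keyed by `accounts.google.com`, whereas `cognito_identity_providers` blocks are for Cognito user pool app clients, whose IDs are what the alphanumeric-and-underscore check is written for. Resource names and the client ID below are placeholders.

```hcl
# Added example, not from the issue. The Google client ID is a constructed placeholder.
resource "aws_cognito_user_pool" "pool" {
  name = "example-user-pool"
}

resource "aws_cognito_user_pool_client" "client" {
  name         = "example-app-client"
  user_pool_id = aws_cognito_user_pool.pool.id
}

resource "aws_cognito_identity_pool" "main" {
  identity_pool_name               = "example-identity-pool"
  allow_unauthenticated_identities = false

  # External login providers are keyed by the provider's issuer name. The value
  # is the full Google OAuth Client ID, dots and hyphens included; this map is
  # not subject to the client_id validation that cognito_identity_providers applies.
  supported_login_providers = {
    "accounts.google.com" = "123456789012-placeholder.apps.googleusercontent.com"
  }

  # cognito_identity_providers is only for Cognito user pools. Here client_id is
  # the user pool app client ID (alphanumeric), and provider_name is the user
  # pool endpoint, e.g. cognito-idp.<region>.amazonaws.com/<user_pool_id>.
  cognito_identity_providers {
    client_id               = aws_cognito_user_pool_client.client.id
    provider_name           = aws_cognito_user_pool.pool.endpoint
    server_side_token_check = false
  }
}
```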
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
If you are interested in working on this issue, please leave a comment.
If this would be your first contribution, please review the contribution guide.
Terraform Core Version
1.5.5
AWS Provider Version
5.69.0
Affected Resource(s)
There is an error when trying to integrate Google OAuth with `aws_cognito_identity_pool` using the client_id from Google's OAuth credentials.
Debug Output
No response
Panic Output
No response
Important Factoids
No response
References
No response
Would you like to implement a fix?
No