
BCSC Encryption

Conrad Boyd Elliott Gustafson edited this page May 19, 2023 · 6 revisions

Incompatibility with Cognito

The BCSC OIDC service does three things that the Cognito service cannot handle:

  1. The ID token returned from the token endpoint is a JWE instead of a JWT. Cognito errors out on this format.
  2. The encryption process for the JWE ID token requires the public side of an asymmetric key. Cognito does not expose this key.
  3. The userinfo endpoint returns the JWE ID token. Cognito expects a JSON response from the userinfo endpoint.

In order to be able to use BCSC as an OIDC identity provider in Cognito, we had to fix all of these problems.

  1. The FAM API exposes a proxy service for the BCSC token endpoint. Cognito talks to the proxy. All the proxy service does is remove the ID token from the BCSC response. Cognito makes no use of this token anyway, so this solves the problem.
  2. The FAM API exposes a JWKS as an API endpoint. The JWKS is created from the public side of an asymmetric key managed by KMS specifically for FOM.
  3. The FAM API exposes a proxy service for the BCSC userinfo endpoint. Cognito talks to the proxy. The proxy service calls the BCSC userinfo endpoint and decrypts the returned JWE to get the userinfo JSON object, then passes it back to Cognito.

With these services in place, the BCSC IDP in Cognito can be configured to talk to the proxy services instead of talking to BCSC directly for these interactions. See the diagram below for details.

Sequence Diagram

Sequence Diagram Explanation
