OIDC Client Testing
Conrad Boyd Elliott Gustafson edited this page Sep 28, 2022 · 3 revisions
Figuring out how to use an OIDC client is tricky. It's useful to have a manual process to sanity-check that your configuration is working before (or while) coding an application to integrate with Cognito.
1. Use the OIDC Debugger app that our friends at MoE generously support.
2. In "Configuration Parameters", for "Authorization Grant" select "OAuth2 Authorization Code Grant".
3. In "Configuration Parameters", for "Authorization Endpoint" enter "https://fam-user-pool-mature-mole-domain.auth.ca-central-1.amazoncognito.com/authorize" (replace "fam-user-pool-mature-mole-domain" with the Cognito Domain of your user pool, if necessary).
4. In "Configuration Parameters", for "Token Endpoint" use the same URL as the "Authorization Endpoint" but switch "/authorize" to "/token" (example: https://fam-user-pool-mature-mole-domain.auth.ca-central-1.amazoncognito.com/token).
5. In "Request Authorization Code", for "Client ID" enter the client ID of your OIDC client in Cognito.
6. In "Request Authorization Code", for "Redirect URL" enter the OIDC debugger URL ("https://oidcdebuggersecure-3d5c3f-dev.apps.silver.devops.gov.bc.ca/"). It should be there by default.
7. In "Request Authorization Code", for "Scope" you can put "openid email profile".
8. Click "Authorize". This will initiate a login flow and eventually redirect you back to the OIDC debugger.
9. In the URL (found in the location bar of your browser), there will be a query parameter called "code". Copy the value of that query parameter, up to but not including the "&" that starts the next parameter. (Example: in the URL "https://oidcdebuggersecure-3d5c3f-dev.apps.silver.devops.gov.bc.ca/?code=5f3f2b98-f856-4e54-a5f7-9322dbf367f9&state=7f49b3eb-1d68-4f41-8828-ed38b8dc95ff" the value for "code" is "5f3f2b98-f856-4e54-a5f7-9322dbf367f9"; "state" is a separate query parameter.)
10. In "Exchange Authorization Code for Access Token", paste the value of the code into the "Authorization Code" field.
11. In "Exchange Authorization Code for Access Token", for "Client ID" enter the client ID of your OIDC client in Cognito (same as step 5 above).
12. In "Exchange Authorization Code for Access Token", leave "Client Secret" blank. (This assumes you have a public client. For a confidential client, you would have this value and be able to use it.)
13. In "Exchange Authorization Code for Access Token", for "Redirect URL" enter the OIDC debugger URL ("https://oidcdebuggersecure-3d5c3f-dev.apps.silver.devops.gov.bc.ca/"). It should be there by default.
14. In "Exchange Authorization Code for Access Token", for "Scope" you can put "openid email profile".
15. Open your browser's developer tools so you can inspect network traffic (needed if you want to get the value of the ID token later).
16. Click "Get Token". The browser will redirect and populate the "access_token" and "refresh_token" fields under "Token Endpoint Results".
17. To inspect the access token, copy the text in the "access_token" window over to the auth0 JWT debugger tool.
18. Don't inspect the refresh token. It's not meant to be human readable.
19. To inspect the ID token, you have to get it from the developer tools in your browser. In Chrome, under "Network" the last request will be "token" and the response will be JSON that includes the encoded ID token. You can copy that text and put it into the auth0 JWT debugger tool.

- Your OIDC client is configured in Cognito. In order to use OIDC Debugger, the URL of the debugger must be configured as a valid redirect for your OIDC client. That's OK in a DEV environment, but don't leave your client in that configuration in production.
- If you are redirecting back to an API or another public URL (i.e. something other than OIDC Debugger), that URL must be configured in Cognito as one of your valid redirect URLs.
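The same flow in code, as an added Python example that is not from the FAM wiki: it reads "code" and "state" out of the debugger's redirect URL, builds the token request the debugger sends for a public client, and decodes a token payload the way the JWT debugger shows it. The client ID, the sample token and its claims are constructed here; the claim checks (token_use, aud, exp) are the usual relying-party checks, not something this page prescribes.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Redirect URL and Cognito domain are the page's example values.
DEBUGGER_REDIRECT = "https://oidcdebuggersecure-3d5c3f-dev.apps.silver.devops.gov.bc.ca/"
COGNITO_DOMAIN = "fam-user-pool-mature-mole-domain"

def extract_code_and_state(redirect_url: str) -> tuple[str, str]:
    """Read 'code' and 'state' from the URL the debugger lands on after login.
    parse_qs splits on '&', so the code never carries '&state=...' along with it."""
    params = parse_qs(urlparse(redirect_url).query)
    return params["code"][0], params.get("state", [""])[0]

def build_token_request(client_id: str, code: str, cognito_domain: str = COGNITO_DOMAIN,
                        redirect_uri: str = DEBUGGER_REDIRECT) -> tuple[str, str]:
    """Return (token endpoint URL, form body) for the 'Get Token' step of a public client.
    A confidential client would also send its client_secret; redirect_uri must be one of
    the client's registered callback URLs or Cognito rejects the exchange."""
    url = f"https://{cognito_domain}.auth.ca-central-1.amazoncognito.com/token"
    body = urlencode({"grant_type": "authorization_code", "client_id": client_id,
                      "code": code, "redirect_uri": redirect_uri})
    return url, body

def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment, as the JWT debugger does. No signature check:
    this reads claims for inspection, it does not make them trustworthy."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_id_token_claims(claims: dict, client_id: str, now: int) -> list[str]:
    """Checks a relying party makes on a decoded Cognito ID token; returns the problems found."""
    problems = []
    if claims.get("token_use") != "id":
        problems.append("token_use is not 'id' (access and ID tokens are different tokens)")
    if claims.get("aud") != client_id:
        problems.append("aud does not match this client ID")
    if claims.get("exp", 0) <= now:
        problems.append("token has expired")
    return problems

def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline use only (signature segment is a dummy)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.dummysig"
```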