
I don't understand why AWS Cognito requires a client secret when configuring an external IdP (e.g. Azure AD).

AFAIK, AWS Cognito merely forwards federated identities to the external IdP for (OIDC) authorization code grant flows, which in turn results in access and ID tokens being issued to the app after successful authentication.

The client secret is only needed for AWS Cognito authenticating as a service towards e.g. the Azure AD app registration, but why is that needed?

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html

Shuzheng

1 Answer


I can only speak for Azure AD, but any authentication in Azure AD has to be done in the context of an app registration so that it knows who is asking for the authentication, and most importantly that the user or administrator is consenting for that external service to authenticate against Azure AD and retrieve details about the user.

The authentication request will return information about the user to Cognito. Depending on what is asked for, this could just be a very simple token, or it could contain lots of information about the user and the organisation. Azure AD requires the user or company to consent to this sharing, so this consent needs to be recorded against an app registration, and so Cognito needs to be able to authenticate as this app registration.

Sam Cogan
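As an added illustration (not Cognito's or Azure AD's code), a mock OIDC token endpoint shows where the secret is used in the authorization code grant: the code the user's browser carries back is bound to a registered client, and redeeming it on the back channel requires proving you are that client. The client id, secret and redirect URI below are constructed placeholders.

```python
"""Mock OIDC provider: front-channel code issuance and back-channel code redemption.
Constructed example; the IdP plays the Azure AD role, the registered client plays
the Cognito app registration. Secrets are hashed with plain SHA-256 only to keep the
mock short; a real IdP would use a proper credential store."""
import hashlib
import hmac
import secrets
import time

REDIRECT_URI = "https://example-pool.auth.example.com/oauth2/idpresponse"  # constructed

# The app registration as the IdP stores it: client id, secret hash, allowed redirect URIs.
REGISTERED_CLIENTS = {
    "cognito-app-registration": {  # constructed client id
        "secret_hash": hashlib.sha256(b"s3cr3t-example").hexdigest(),  # constructed secret
        "redirect_uris": {REDIRECT_URI},
    }
}
_issued_codes = {}  # code -> (client_id, redirect_uri, subject, expiry)


def issue_code(client_id, redirect_uri, subject):
    """Front channel: after the user signs in and consents, bind a one-time code
    to the requesting client and its redirect URI. The code itself is not a credential."""
    reg = REGISTERED_CLIENTS.get(client_id)
    if reg is None or redirect_uri not in reg["redirect_uris"]:
        return None
    code = secrets.token_urlsafe(32)
    _issued_codes[code] = (client_id, redirect_uri, subject, time.time() + 60)
    return code


def redeem_code(code, client_id, client_secret, redirect_uri):
    """Back channel (token endpoint): only the registered client, authenticating with
    its secret, may exchange the code for tokens. Any failed attempt burns the code."""
    entry = _issued_codes.pop(code, None)  # single use
    if entry is None:
        return {"error": "invalid_grant"}
    bound_client, bound_redirect, subject, expiry = entry
    if time.time() > expiry:
        return {"error": "invalid_grant"}
    reg = REGISTERED_CLIENTS.get(client_id)
    presented = hashlib.sha256(client_secret.encode()).hexdigest()
    if reg is None or not hmac.compare_digest(reg["secret_hash"], presented):
        return {"error": "invalid_client"}  # the caller is not the consented app registration
    if bound_client != client_id or bound_redirect != redirect_uri:
        return {"error": "invalid_grant"}  # code was issued to a different client or redirect
    return {"id_token_sub": subject, "token_type": "Bearer"}
```

Without the secret, anyone holding an intercepted code could complete the exchange; with it, the consent recorded against the app registration is only usable by the service that holds that registration's credential.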