Failed to authenticate user with OpenID Connect

Continuing the discussion from OpenID error after authenticating against AWS Cognito:

I am trying to authenticate Kibana users using OIDC. When the user is redirected to Kibana after logging in, the following error occurs.

[2019-12-20T11:36:57,355][WARN ][o.e.x.s.a.AuthenticationService] [X556UQK] Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by ElasticsearchSecurityException[Failed to get user information from the UserInfo endpoint.]; nested: IllegalStateException[Error merging ID token and userinfo claim value for claim [email_verified]. Cannot merge [java.lang.Boolean] with [java.lang.String]];)

As the error indicates, AWS Cognito returns the value for the email_verified claim as a boolean in the ID Token and as a string in the Userinfo response. We consider the same claim with different value types to be an error as there is no way for us to know whether this is supposed to be a boolean or a string and thus we fail the login flow.

I suggest you open a support ticket with AWS to report their behavior; I don't think there is a reason to not fix this on their side.

In the meantime, you can probably just comment out the op.userinfo_endpoint in your elasticsearch configuration, assuming all the claims you want are already in the ID Token.


To be clear, the correct type is the one in the ID Token, as the email_verified claim is defined to be boolean in the specification.
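As an added illustration (example code, not Elasticsearch's own implementation), the check below merges ID Token and UserInfo claims the way the error above describes, refusing a claim whose JSON type differs between the two sources, and also lists which claims would be lost if op.userinfo_endpoint is commented out. The claim values and the `custom:department` claim are constructed samples.

```python
from typing import Any

# Constructed sample claims, shaped like the Cognito responses the thread describes.
ID_TOKEN_CLAIMS = {
    "sub": "1234-abcd",
    "email": "user@example.com",
    "email_verified": True,          # boolean, as OIDC Core defines the claim
}
USERINFO_CLAIMS = {
    "sub": "1234-abcd",
    "email": "user@example.com",
    "email_verified": "true",        # string: the mismatch that fails the login
    "custom:department": "ops",      # constructed claim present only in UserInfo
}


class ClaimTypeMismatch(Exception):
    """The same claim name carries values of different JSON types."""


def merge_claims(id_token: dict[str, Any], userinfo: dict[str, Any]) -> dict[str, Any]:
    """Merge claims the way the log line implies: a claim present in both sources
    must have the same type, otherwise refuse to merge instead of guessing."""
    merged = dict(id_token)
    for name, value in userinfo.items():
        if name in merged and type(merged[name]) is not type(value):
            raise ClaimTypeMismatch(
                f"Error merging ID token and userinfo claim value for claim [{name}]. "
                f"Cannot merge [{type(merged[name]).__name__}] with [{type(value).__name__}]"
            )
        merged[name] = value
    return merged


def conflicting_claims(id_token: dict[str, Any], userinfo: dict[str, Any]) -> list[str]:
    """Claim names whose types disagree; useful evidence for the IdP support ticket."""
    return sorted(n for n in id_token.keys() & userinfo.keys()
                  if type(id_token[n]) is not type(userinfo[n]))


def userinfo_only_claims(id_token: dict[str, Any], userinfo: dict[str, Any]) -> list[str]:
    """Claims that would no longer reach the realm if the UserInfo endpoint is dropped."""
    return sorted(userinfo.keys() - id_token.keys())


if __name__ == "__main__":
    print("conflicting:", conflicting_claims(ID_TOKEN_CLAIMS, USERINFO_CLAIMS))
    print("userinfo-only:", userinfo_only_claims(ID_TOKEN_CLAIMS, USERINFO_CLAIMS))
```

If `userinfo_only_claims` returns anything you map to roles or user attributes, dropping the endpoint will silently lose those claims, so check that list before applying the workaround.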