Adding Battle.Net as an OIDC Provider in AWS Cognito

API Discussion

I'm playing with setting up AWS Cognito as a user pool for my WoW community app (

It's super easy to add external auth providers such as Facebook, Google, and Amazon. However, I'd much prefer to allow users to log in via Battle.Net.

While I know that the Battle.Net OAuth2 API doesn't strictly support OpenID (as far as I can tell), it looks like most of the pieces are there:

The only missing piece is the "Jwks uri". In that screenshot, I've supplied a fake one that I set up just so that the JSON structure matches. When using this provider to sign in, I get most of the way through the process, but then AWS Cognito throws the error:

invalid_token_signature: Could not match the desired key identifier within the list of keys

Which is obviously because my fake JWKS URI doesn't have the correct public key! I know that access tokens can be verified via the /oauth/check_token endpoint, but I can't utilise that unless I want to write my authentication from scratch (which is what I'm trying to avoid!).

If the token signing uses public/private keys, is there a possibility that the public key could be exposed following the usual OpenID standard: ?

Or, has anyone had any luck integrating Battle.Net as an Identity Provider in AWS Cognito?

Thanks for any help available!

Hey Yax,

Any luck on this one? Just stumbled on your post and I'm trying to do the exact same thing as you here.

Hey Yax and rich!

As it turns out, our OAuth documentation is a bit out of date. We are working on updating the documentation, but we do not have an ETA at this time.

The OAuth Provider supports the OpenID Connect specification. We implement RFC 5785, which describes how you can use the well-known endpoint. This standard discovery endpoint provides a convenient way to obtain the configuration of the OAuth Provider. To list them out for all regions:

OpenID Configuration Endpoints

For more information on how to use this endpoint, you can visit this RFC or take a look at this guide on the Connect2id website.

In order to fully use OpenID Connect (OIDC), you must request the openid scope for your clients, which will add an additional id_token field to the JSON response from the OAuth Provider token endpoint. The id_token field is JWT encoded and signed with the server's private key. The Blizzard OAuth Provider has a public key (JSON Web Key Set, or JWKS) endpoint which returns a list of public keys that can be used to verify that the id_token was signed by the OAuth server.

The JWKS endpoints are returned from the OpenID Configuration endpoints listed above, but for completeness:

JWKS Endpoints

I hope that covers it! If you have any other questions, let us know. ^_^
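A minimal version of the check the reply above describes, added here as an example that is not part of this thread or of Blizzard's or AWS's code: it verifies an RS256 id_token against a JWKS document by matching the token header's kid, which is the lookup that produced the "could not match the desired key identifier" error in the original post. It uses only the Go standard library; the key, kids, issuer and claims are constructed fixtures, not Battle.net values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT and JWK fields are base64url without padding
// bigFrom decodes a base64url big-endian integer, the form RSA "n" and "e" take in a JWK.
func bigFrom(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }
// VerifyRS256 verifies an id_token's RS256 signature against a JWKS, picking the key by header "kid" as Cognito does.
func VerifyRS256(token string, jwksJSON []byte) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	hdrRaw, _ := b64.DecodeString(parts[0])
	sig, _ := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	var set struct{ Keys []struct{ Kid, N, E string } }
	if json.Unmarshal(hdrRaw, &hdr) != nil || json.Unmarshal(jwksJSON, &set) != nil || hdr.Alg != "RS256" {
		return errors.New("unreadable header/JWKS, or alg is not RS256") // never accept "none" or HS256 here
	}
	for _, k := range set.Keys {
		if k.Kid != hdr.Kid {
			continue
		}
		pub := &rsa.PublicKey{N: bigFrom(k.N), E: int(bigFrom(k.E).Int64())}
		h := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // JWS signing input: header.payload
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
	}
	return errors.New("could not match the desired key identifier within the list of keys")
}
// MintTestToken is a constructed fixture (not Battle.net's keys): a one-key JWKS tagged keyKid and an RS256 id_token whose header names tokenKid.
func MintTestToken(keyKid, tokenKid string) (string, []byte) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	set := `{"keys":[{"kty":"RSA","kid":"` + keyKid + `","n":"` + b64.EncodeToString(priv.N.Bytes()) + `","e":"` + b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes()) + `"}]}`
	hdr := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT","kid":"` + tokenKid + `"}`))
	claims := b64.EncodeToString([]byte(`{"iss":"https://issuer.example","sub":"12345"}`))
	h := sha256.Sum256([]byte(hdr + "." + claims))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return hdr + "." + claims + "." + b64.EncodeToString(sig), []byte(set)
}
```

Pointing Cognito at a JWKS whose kids do not match the id_token header, as the hand-made JWKS in the question did, fails in the kid lookup before any signature is checked; a JWKS with the right kid but a different key fails at the signature step instead.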
