Configuring AWS Cognito for OAuth in Apps

I am trying to use AWS Cognito as my access provider for a Cloudflare App. I have verified my keys and believe I have pasted the correct URLs into the Cloudflare Service definition. AWS pops up this error: An error was encountered with the requested page.

Auth URL: https://jsguardian.auth.us-east-2.amazoncognito.com/oauth2/authorize
Scopes: openid email phone
Token URL: https://jsguardian.auth.us-east-2.amazoncognito.com/oauth2/token

Has anyone out there successfully configured an app to work with Cognito? The only other forum question on this was in 2018 and went unanswered.

I have looked at the URL Cloudflare is generating:

https://jsguardian.auth.us-east-2.amazoncognito.com/oauth2/?scope=openid%20email%20phone&response_type=code&redirect_uri=https%3A%2F%2Fwww.cloudflare.com%2Fapps%2Foauth%2F&client_id=<client_id>&user.email=syblackwell%40anywhichway.com

The Cognito login box does appear if I manually change it to
https://jsguardian.auth.us-east-2.amazoncognito.com/oauth2/authorize/?scope=openid%20email%20phone&response_type=code&redirect_uri=https%3A%2F%2Fwww.cloudflare.com%2Fapps%2Foauth%2F&client_id=<client_id>&user.email=syblackwell%40anywhichway.com

Is this perhaps a Cloudflare bug?

I got this working, so it's not a bug.

Make sure you've set up all fields correctly.

App ID and App Secret should be the ID and secret from Cognito.

It looks like you haven’t set them up?

Also, you need to make sure you set up the certificate URL, which is:

https://cognito-idp.<REGION_NAME>.amazonaws.com/<USER_POOL_ID>/.well-known/jwks.json

Replace the region name and user pool ID with your own.

Authorization code grant should be checked along with the scopes: email, profile and openid on Cognito.
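As an added check that is not part of the thread, the following Python script lints a Cloudflare service definition against the Cognito URL shapes given above (hosted UI authorize and token endpoints, JWKS certificate URL, openid scope), derives the `iss` value a token validator must see for that certificate URL, and diffs a generated authorize URL against the configured Auth URL, which is how the missing `/authorize` path from the question shows up. The user pool id and client id are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed service definition mirroring the thread; pool id and client id are placeholders.
CONFIG = {
    "auth_url": "https://jsguardian.auth.us-east-2.amazoncognito.com/oauth2/authorize",
    "token_url": "https://jsguardian.auth.us-east-2.amazoncognito.com/oauth2/token",
    "scopes": "openid email phone",
    "cert_url": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_EXAMPLE/.well-known/jwks.json",
}
HOSTED_UI = re.compile(r"^[a-z0-9-]+\.auth\.(?P<region>[a-z0-9-]+)\.amazoncognito\.com$")
JWKS = re.compile(r"^https://cognito-idp\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
                  r"(?P<pool>[A-Za-z0-9_-]+)/\.well-known/jwks\.json$")

def check_config(cfg):
    """Return the problems found in the service definition; empty means it is consistent."""
    problems = []
    auth, token = urlsplit(cfg["auth_url"]), urlsplit(cfg["token_url"])
    if auth.path != "/oauth2/authorize":
        problems.append(f"auth URL path is {auth.path!r}, expected '/oauth2/authorize'")
    if token.path != "/oauth2/token":
        problems.append(f"token URL path is {token.path!r}, expected '/oauth2/token'")
    if "openid" not in cfg["scopes"].split():
        problems.append("scopes must include 'openid', otherwise no ID token is issued")
    ui, keys = HOSTED_UI.match(auth.netloc), JWKS.match(cfg["cert_url"])
    if not ui or not keys:
        problems.append("hosted UI host or certificate URL does not match the Cognito pattern")
    elif ui["region"] != keys["region"]:
        problems.append("certificate URL region differs from the hosted UI region")
    return problems

def expected_issuer(cert_url):
    """The iss claim an ID token must carry if it was signed with the keys published at cert_url."""
    m = JWKS.match(cert_url)
    return f"https://cognito-idp.{m['region']}.amazonaws.com/{m['pool']}" if m else None

def diff_authorize_url(observed, cfg, client_id, redirect_uri):
    """Compare the authorize URL a client actually sent with what the definition says it should be."""
    want, got = urlsplit(cfg["auth_url"]), urlsplit(observed)
    diffs = []
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        diffs.append(f"host {got.netloc!r} != {want.netloc!r}")
    if got.path.rstrip("/") != want.path:  # '/oauth2/' from the thread fails here
        diffs.append(f"path {got.path!r} != {want.path!r}")
    q = parse_qs(got.query)
    expected = {"response_type": "code", "client_id": client_id,
                "redirect_uri": redirect_uri, "scope": cfg["scopes"]}
    diffs += [f"query {k}" for k, v in expected.items() if q.get(k, [None])[0] != v]
    return diffs
```

Run `check_config(CONFIG)` first; an empty list means the four fields agree with each other, and `diff_authorize_url` then tells you whether the URL the app actually sends matches them.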