topic Re: Cognito as IdP provider for Delta Share in Data Engineering https://community.databricks.com/t5/data-engineering/cognito-as-idp-provider-for-delta-share/m-p/127394#M47948 <P>We managed to figure how to make machine to machine authentication to work.<BR />when you setup cognito pool for m2m scenario you add App Client<BR />and then set App Client as both `sub` and Audience in databricks recepient OIDC Policy:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pogo_0-1754351423709.png" style="width: 400px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/18725iF12DAC6E09E4C403/image-size/medium?v=v2&amp;px=400" role="button" title="pogo_0-1754351423709.png" alt="pogo_0-1754351423709.png" /></span></P><P>2. Set `aud` claim to the app client_id in cognito generated access token using a `pre token generation` lambda (cognito pool -&gt; extensions -&gt; Lambda Triggers -&gt; Authentication -&gt; Pre token generation -&gt; select v3 event type)</P><LI-CODE lang="python">def lambda_handler(event, context): if event['triggerSource'] == "TokenGeneration_ClientCredentials": # Override the 'aud' claim print("overriding aud claim") event['response'] = { "claimsAndScopeOverrideDetails": { "accessTokenGeneration": { "claimsToAddOrOverride": { "aud": "54m...." } } } } # Return to Amazon Cognito return event</LI-CODE><P>&nbsp;</P> Mon, 04 Aug 2025 23:56:18 GMT pogo 2025-08-04T23:56:18Z Cognito as IdP provider for Delta Share https://community.databricks.com/t5/data-engineering/cognito-as-idp-provider-for-delta-share/m-p/127385#M47943 <P>I am trying to setup a delta sharing Recipient using OIDC Federation with the Issuer URL being cognito idp endpoint.</P><P>Are there any examples, other than EntraID, for the values of Subject Claim/Subject/Audiences in the OIDC Policy for Cognito or Google?</P><P>&nbsp;</P> Mon, 04 Aug 2025 21:30:42 GMT https://community.databricks.com/t5/data-engineering/cognito-as-idp-provider-for-delta-share/m-p/127385#M47943 pogo 2025-08-04T21:30:42Z Re: Cognito as IdP provider for Delta Share https://community.databricks.com/t5/data-engineering/cognito-as-idp-provider-for-delta-share/m-p/127394#M47948 <P>We managed to figure how to make machine to machine authentication to work.<BR />when you setup cognito pool for m2m scenario you add App Client<BR />and then set App Client as both `sub` and Audience in databricks recepient OIDC Policy:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pogo_0-1754351423709.png" style="width: 400px;"><img src="https://community.databricks.com/t5/image/serverpage/image-id/18725iF12DAC6E09E4C403/image-size/medium?v=v2&amp;px=400" role="button" title="pogo_0-1754351423709.png" alt="pogo_0-1754351423709.png" /></span></P><P>2. Set `aud` claim to the app client_id in cognito generated access token using a `pre token generation` lambda (cognito pool -&gt; extensions -&gt; Lambda Triggers -&gt; Authentication -&gt; Pre token generation -&gt; select v3 event type)</P><LI-CODE lang="python">def lambda_handler(event, context): if event['triggerSource'] == "TokenGeneration_ClientCredentials": # Override the 'aud' claim print("overriding aud claim") event['response'] = { "claimsAndScopeOverrideDetails": { "accessTokenGeneration": { "claimsToAddOrOverride": { "aud": "54m...." } } } } # Return to Amazon Cognito return event</LI-CODE><P>&nbsp;</P> Mon, 04 Aug 2025 23:56:18 GMT https://community.databricks.com/t5/data-engineering/cognito-as-idp-provider-for-delta-share/m-p/127394#M47948 pogo 2025-08-04T23:56:18Z