CallbackRouteError on SSO login (Azure/Entra) via Cognito Hosted UI — works for email/password

[jharman-amergis]

Hello community,

I’m using NextAuth with the Cognito provider.
• Regular Cognito login (email/password) works fine.
• SSO login via Cognito Hosted UI (federated with Azure/Entra) fails at the callback with a CallbackRouteError (no NextAuth callbacks are triggered).

What I’ve tried:
• Callback URIs and OAuth scopes (openid, email, profile) are correct.
• Cognito attribute mapping for email, name etc. looks fine.
• Multiple Azure users tested.

Has anyone gotten this exact setup working? Thank you, greatly appreciate any guidance.

[jharman-amergis]

FIX: We discovered a nonce was issued on the first SSO authorization flow through Cognito and we had to update the provider declaration to include the nonce check. The associated PR we used to discover this fix is here:
#4100

Related discussion:
#3551

The exact fix was to add the nonce check:
Cognito({ checks: ['nonce'], authorization: { ...