Using Login with Paypal and using OpenID with AWS

Published 2019-07-14 04:08

Question:

I am trying to use the OpenID framework supported by Paypal to tie the credentials in with the AWS Cognito service.

If I compare the configuration from Salesforce

https://login.salesforce.com/.well-known/openid-configuration

to the configuration at Paypal

https://www.paypal.com/.well-known/openid-configuration

the Paypal configuration is missing the jwks_uri element, which is a REQUIRED element of the OpenID Provider metadata per the OIDC specification, and AWS uses the keys at that URI to verify the ID tokens.

Is there a different url I should be using for login with Paypal to work with OpenID?

Is there any other way to get Login with Paypal to work with the AWS Cognito service, which works well with other OpenID providers?

Answer 1:

Paypal is not OpenID Connect compliant:

  • as you mention, the Discovery document lacks required entries, but:
  • the ID token is signed with a symmetric key; this means that no JWKS URI is actually needed, since no public/private keys are used (and publishing the symmetric key on that URI would defeat the purpose)
  • but apparently it is not the client secret that is used to sign the ID token as verification with that fails
  • there's no sub claim in the ID token
  • the exp claim is not set to an absolute timestamp but a relative timeout

Since Amazon Cognito works with OpenID Connect compliant providers, Paypal is not going to work.
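As an added illustration (not code from the question or the answer), a small Python checker that tests a discovery document for the required OpenID Provider metadata fields and inspects an ID token for the structural problems the answer lists: a symmetric signing alg, a missing sub claim, and an exp that is a relative lifetime rather than a NumericDate. The discovery document and token below are constructed for the example and are not fetched from Paypal.

```python
import base64, json, time

# Required OpenID Provider metadata (OpenID Connect Discovery 1.0, section 3);
# token_endpoint is required unless the provider only supports the implicit flow.
REQUIRED_METADATA = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "subject_types_supported",
    "id_token_signing_alg_values_supported",
)

def check_discovery(doc):
    """Return the required provider-metadata fields missing from a discovery document."""
    return [f for f in REQUIRED_METADATA if f not in doc]

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def check_id_token(token, now=None):
    """List structural reasons a JWKS-based relying party (e.g. Cognito) cannot consume
    this ID token. Signature is NOT verified; only alg, sub and exp are inspected."""
    now = int(time.time()) if now is None else now
    header, payload = (json.loads(_b64url_decode(p)) for p in token.split(".")[:2])
    problems = []
    alg = header.get("alg", "none")
    if alg == "none" or alg.startswith("HS"):
        problems.append(f"alg={alg}: symmetric or unsigned, not verifiable via jwks_uri")
    if "sub" not in payload:
        problems.append("sub claim missing")
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int):
        problems.append("exp claim missing or not numeric")
    elif exp < 10**9 or (isinstance(iat, int) and exp <= iat):
        # Heuristic: a value before 2001 or not after iat is a lifetime in seconds, not a NumericDate.
        problems.append(f"exp={exp}: relative lifetime rather than an absolute timestamp")
    elif exp <= now:
        problems.append("id token expired")
    return problems

def unsigned_jwt(header, payload):
    # JWT-shaped string for the sample below; the signature segment is a dummy.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2ln"

# Constructed sample modelled on the answer's description; NOT Paypal's real metadata or token.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example", "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token", "response_types_supported": ["code"],
}
SAMPLE_ID_TOKEN = unsigned_jwt({"alg": "HS256", "typ": "JWT"},
    {"iss": "https://idp.example", "aud": "client-id", "iat": 1563076080, "exp": 28800})
```

Running `check_discovery(SAMPLE_DISCOVERY)` reports the three missing fields (jwks_uri among them) and `check_id_token(SAMPLE_ID_TOKEN)` reports all three token problems, which is why a JWKS-based relying party such as Cognito cannot accept such a provider.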