Amazon Cognito / Amplify
This article describes how to integrate an application that uses the AWS Amplify framework with our identity provider, by federating an Amazon Cognito user pool to it over OpenID Connect.
Prerequisites
Before you begin, collect the following information:
A Cognito user pool with an application client.
A user pool domain.
If you are using the Amplify framework, then this user pool was already created for you. For more information, see Create a user pool.
Create an Application
Before you create the OIDC federation with Amazon Cognito, you must register an application to receive a client ID and client secret.
Go to https://admin.emddigital.com/applications and click on Create Application
Register your user pool domain URL with the /oauth2/idpresponse endpoint as the Callback URL: https://<your-user-pool-domain>/oauth2/idpresponse
Select your scopes. The scope openid is required. The email scope is needed to grant access to the email and email_verified claims. Additional claims are currently not supported.
Select Generate Client Secret to mark the client as a secret client. Cognito performs the code-for-token exchange server-side, so the secret belongs only in the Cognito identity provider configuration; never ship it in the Amplify front end.
A client ID and a client secret are generated for you. You'll use them when you set up OIDC federation in your user pool.
Add OIDC Federation to Your User Pool
In this section, you configure your user pool to process OIDC-based authentication requests from an OIDC IdP.
To add OIDC Federation:
Go to the Amazon Cognito console.
Manage User Pools.
Choose an existing user pool from the list, or create a user pool.
On the left navigation bar, choose Identity providers.
Choose OpenId Connect.
Type a unique name into Provider name.
Type the client ID from the previous section into Client ID.
Type the client secret from the previous section into Client secret.
In the Attributes request method drop-down list, choose GET as the HTTP method used to fetch the user's details from the userinfo endpoint.
Type openid email into Authorized scopes. Scopes define which user attributes your application may access; separate them with spaces, as the OAuth 2.0 specification requires.
Type https://login.emddigital.com into Issuer and choose Run discovery. Cognito fetches the provider's OpenID configuration from that issuer and fills in the authorization, token, userinfo and JWKS endpoints.
Choose Create provider.
On the left navigation bar, choose App client settings.
Select the OIDC provider that you set up in the previous step as one of the Enabled Identity Providers.
Copy the Redirect URL so that you can test the login flow later.
Choose Save changes.
On the Attribute mapping tab on the left navigation bar, add mappings of OIDC claims to user pool attributes.
By default, the OIDC claim sub is mapped to the user pool attribute Username. You can map other OIDC claims to user pool attributes: type in the OIDC claim, and choose the corresponding user pool attribute from the drop-down list. For example, the claim email is usually mapped to the user pool attribute Email.
Choose Save changes.
Test Your OIDC IdP Configuration
You can build the authorization URL from the elements of the previous two sections and use it to test your OIDC IdP configuration:
https://<your-user-pool-domain>/oauth2/authorize?response_type=code&client_id=<your-app-client-id>&redirect_uri=<your-redirect-url>
redirect_uri is the URL of the page where your user is redirected after a successful authentication; it must match one of the Callback URLs of the app client exactly, or Cognito rejects the request. For anything beyond a manual check, also send a random state value and a PKCE code_challenge (code_challenge_method=S256), which Cognito's authorize endpoint supports.
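The console steps above map one-to-one onto the Cognito Identity Provider API. The following is an added example, not code from this page or from AWS: pure functions that derive the callback URL for the emddigital application, the CreateIdentityProvider and UpdateUserPoolClient parameters for the federation step, and a test authorization URL with state and PKCE. The pool domain, pool ID, client IDs and redirect URL used in the usage section are placeholder assumptions; the issuer and scopes are the ones the page names.

```python
"""Cognito-side setup for OIDC federation with login.emddigital.com (added example)."""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

ISSUER = "https://login.emddigital.com"   # discovery base URL given on the page
IDP_RESPONSE_PATH = "/oauth2/idpresponse"  # Cognito's fixed callback path for external IdPs
SCOPES = ("openid", "email")               # openid is required; email unlocks email/email_verified


def _host(pool_domain: str) -> str:
    """Accept 'https://x.auth...' or bare 'x.auth...' and return the bare host."""
    return pool_domain.split("://", 1)[-1].rstrip("/")


def idp_callback_url(pool_domain: str) -> str:
    """Callback URL to register on the emddigital application ('Create an Application')."""
    return f"https://{_host(pool_domain)}{IDP_RESPONSE_PATH}"


def identity_provider_request(user_pool_id, provider_name, client_id, client_secret):
    """Parameters for cognito-idp CreateIdentityProvider, mirroring the console fields."""
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": provider_name,
        "ProviderType": "OIDC",
        "ProviderDetails": {
            "client_id": client_id,
            "client_secret": client_secret,       # stays server-side in Cognito only
            "attributes_request_method": "GET",   # how Cognito calls the userinfo endpoint
            "oidc_issuer": ISSUER,                # Cognito runs discovery against this issuer
            "authorize_scopes": " ".join(SCOPES),
        },
        # key = user pool attribute, value = OIDC claim; sub -> username is Cognito's default,
        # email and email_verified are the only other claims the provider supports
        "AttributeMapping": {"username": "sub", "email": "email", "email_verified": "email_verified"},
    }


def app_client_update(user_pool_id, app_client_id, provider_name, app_callback_url):
    """Parameters for UpdateUserPoolClient ('App client settings' step).

    UpdateUserPoolClient resets any field you omit to its default, so pass the
    full desired client configuration rather than only the IdP list.
    """
    return {
        "UserPoolId": user_pool_id,
        "ClientId": app_client_id,
        "SupportedIdentityProviders": [provider_name],
        "CallbackURLs": [app_callback_url],
        "AllowedOAuthFlows": ["code"],
        "AllowedOAuthScopes": list(SCOPES),
        "AllowedOAuthFlowsUserPoolClient": True,
    }


def pkce_pair():
    """RFC 7636 verifier/challenge: 43..128 chars, S256, unpadded base64url."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def authorize_url(pool_domain, app_client_id, redirect_uri, provider_name, state, code_challenge):
    """Test URL from the last section, with state and PKCE added."""
    query = {
        "response_type": "code",
        "client_id": app_client_id,
        "redirect_uri": redirect_uri,          # must match a registered callback URL exactly
        "scope": " ".join(SCOPES),
        "identity_provider": provider_name,    # skip the hosted UI picker, go straight to the IdP
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"https://{_host(pool_domain)}/oauth2/authorize?" + urlencode(query)


if __name__ == "__main__":
    # Placeholder values (assumptions); applying them needs AWS credentials and boto3.
    pool_domain = "myapp.auth.eu-west-1.amazoncognito.com"
    pool_id, app_client, provider = "eu-west-1_EXAMPLE", "appclientid", "emddigital"
    print("Register this callback on the emddigital app:", idp_callback_url(pool_domain))
    import boto3
    idp = boto3.client("cognito-idp", region_name="eu-west-1")
    idp.create_identity_provider(**identity_provider_request(pool_id, provider, "cid", "csec"))
    idp.update_user_pool_client(**app_client_update(pool_id, app_client, provider, "https://app.example/cb"))
    verifier, challenge = pkce_pair()
    print(authorize_url(pool_domain, app_client, "https://app.example/cb", provider, secrets.token_hex(16), challenge))
```

The builders run offline; only the `__main__` block talks to AWS. Keep the PKCE verifier and the state value in the session that opens the URL, since they must be presented (verifier) and compared (state) when the callback arrives.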