Amazon Cognito
Developer Guide (Version Last Updated: 07/28/2016)

Specifying Identity Provider Settings for Your User Pool App

You can use the AWS Management Console, or the AWS CLI or API, to set up an identity provider for your user pool's existing app client. Or you can specify the identity provider settings when you create a new app client.

About App Identity Settings

Choose the following app client settings:

Enabled Identity Providers

Before you can use an identity provider in your app client, you need to enable it first. You can enable more than one identity provider for an app, but you must enable at least one.

Callback URL(s)

A callback URL specifies where the user is to be redirected upon successful sign-in. You must specify at least one callback URL.

Note

This URL must match the app_redirect value that you specify in your app.

Sign out URL(s)

A sign-out URL specifies where the user is to be redirected when he or she signs out. You must specify at least one sign-out URL.

Allowed OAuth Flows

The Authorization code grant flow returns an authorization code as the response rather than tokens. The app then exchanges this code for access tokens at the TOKEN Endpoint.

Note

For security reasons, we highly recommend that you use only the Authorization code grant flow, together with PKCE, for mobile apps.

The Implicit grant flow allows the client to get the access token (and, optionally, ID token, based on scopes) directly from the AUTHORIZATION Endpoint. Choose this flow if your app cannot initiate the Authorization code grant flow. For more information, see the OAuth 2.0 specification.

The Client credentials flow is used when the client requests an access token to access its own resources. Use this flow when your app is requesting the token on its own behalf, not on behalf of a user.
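The recommended flow above, the Authorization code grant with PKCE, worked through as an added example that is not part of the original guide. The hosted-UI domain, client ID and registered callback URL are placeholder assumptions; the /oauth2/authorize and /oauth2/token paths are the Cognito AUTHORIZATION and TOKEN endpoints, and the state parameter is a standard OAuth 2.0 addition not discussed on this page.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Assumed values, not from the page: a hosted-UI domain, the app client ID
# and the callback URLs registered for that client.
COGNITO_DOMAIN = "https://example-domain.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "<client_id>"
REGISTERED_CALLBACK_URLS = ["https://example.com/callback"]


def make_code_verifier() -> str:
    # RFC 7636 code_verifier: 43-128 unreserved characters; 64 bytes -> 86 chars
    return secrets.token_urlsafe(64)


def code_challenge_s256(verifier: str) -> str:
    # S256 transform: BASE64URL(SHA256(verifier)) with '=' padding removed
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(redirect_uri: str, scopes, verifier: str, state: str) -> str:
    # Authorization code grant request for the AUTHORIZATION endpoint. Refuse
    # any redirect_uri that is not a registered callback URL (exact match).
    if redirect_uri not in REGISTERED_CALLBACK_URLS:
        raise ValueError("redirect_uri is not a registered callback URL")
    params = {
        "response_type": "code",  # "token" here would be the implicit flow
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # openid must be present to get an ID token
        "state": state,  # random per-request value; compare it on the callback
        "code_challenge_method": "S256",
        "code_challenge": code_challenge_s256(verifier),
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def token_exchange_body(code: str, redirect_uri: str, verifier: str) -> dict:
    # Form body for the TOKEN endpoint; the verifier proves this client began
    # the flow, so an intercepted code alone cannot be redeemed.
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }
```

Keep the verifier and state in the app's session between the redirect and the token exchange; the verifier must never appear in the authorize request itself.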

Allowed OAuth Scopes

Choose one or more of the following OAuth scopes to specify the access privileges that can be requested for access tokens.

  • The phone scope grants access to the phone_number and phone_number_verified claims. This scope can only be requested with the openid scope.

  • The email scope grants access to the email and email_verified claims. This scope can only be requested with the openid scope.

  • The openid scope returns all user attributes in the ID token that are readable by the client. The ID token is not returned if the openid scope is not requested by the client.

  • The aws.cognito.signin.user.admin scope grants access to Amazon Cognito User Pool API operations that require access tokens, such as UpdateUserAttributes and VerifyUserAttribute.

  • The profile scope grants access to all user attributes that are readable by the client.

Allowed Custom Scopes

A custom scope is one that you define for your own resource server in the Resource Servers tab. The format is resource-server-identifier/scope.

For more information about OAuth scopes, see the list of standard OIDC scopes.

Specifying App Identity Provider Settings for Your User Pool (AWS Management Console)

You can use the AWS Management Console to specify app identity provider (IdP) settings for your user pool. You must specify at least one IdP per app.

To specify app identity provider settings

  1. Sign in to the Amazon Cognito console.

  2. In the navigation pane, choose Manage your User Pools, and choose the user pool you want to edit.

  3. Choose the App client settings tab.

  4. In Enabled Identity Providers, select the identity provider to be enabled for the app client that you previously configured in the App clients tab.

  5. In the Sign in and sign out URLs section, enter the Callback URLs you want to use, separated by commas.

    Note

    You must register the URLs, either in the console or by using the CLI or API, before you can use them in your app.

  6. Enter the Sign out URLs you want to use, separated by commas.

    Note

    You must register the URLs, either in the console or by using the CLI or API, before you can use them in your app.

  7. Under OAuth 2.0, select from the following options:

    • For Allowed OAuth Flows, select Authorization code grant and Implicit grant.

    • For Allowed OAuth Scopes, select the scopes you want. Each scope is a set of one or more standard attributes. For more information, see About App Identity Settings.

Specifying App Identity Provider Settings for Your User Pool (AWS CLI and AWS API)

Use the following commands to specify app identity provider settings for your user pool.

To add or change identity provider settings for your user pool's existing client app

  • AWS CLI: aws cognito-idp update-user-pool-client

    Example: aws cognito-idp update-user-pool-client --user-pool-id <user_pool_id> --client-id <client_id> --allowed-oauth-flows-user-pool-client --allowed-oauth-flows "code" "implicit" --allowed-oauth-scopes "openid" "aws.cognito.signin.user.admin" --callback-urls https://example.com --supported-identity-providers "saml_provider_1" "saml_provider_2"

  • AWS API: UpdateUserPoolClient

To create a user pool client for your app and IdP

  • AWS CLI: aws cognito-idp create-user-pool-client

    Example: aws cognito-idp create-user-pool-client --user-pool-id <user_pool_id> --client-name myApp

  • AWS API: CreateUserPoolClient

To get information about your user pool's client app identity provider settings

  • AWS CLI: aws cognito-idp describe-user-pool-client

    Example: aws cognito-idp describe-user-pool-client --user-pool-id <user_pool_id> --client-id <client_id>

  • AWS API: DescribeUserPoolClient
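An added example, not part of the original guide, that reads the JSON returned by describe-user-pool-client and reports the settings this page tells you to get right: an implicit grant enabled where the code grant is recommended, redirect URLs that are not HTTPS, and a missing identity provider or callback URL. The sample document is constructed in the shape of that output; the localhost exception reflects Cognito's allowance of http://localhost for testing, which this page does not discuss.

```python
import json

# Constructed sample in the shape of describe-user-pool-client output;
# not real output from any account.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "UserPoolClient": {
        "ClientId": "<client_id>",
        "ClientName": "myApp",
        "AllowedOAuthFlowsUserPoolClient": True,
        "AllowedOAuthFlows": ["code", "implicit"],
        "AllowedOAuthScopes": ["openid", "email", "aws.cognito.signin.user.admin"],
        "CallbackURLs": ["https://example.com/callback", "http://example.com/cb"],
        "LogoutURLs": ["https://example.com/signed-out"],
        "SupportedIdentityProviders": ["COGNITO", "saml_provider_1"],
    }
})


def audit_app_client(describe_json: str) -> list:
    # Return one finding per setting that departs from what this page advises.
    client = json.loads(describe_json)["UserPoolClient"]
    findings = []
    flows = client.get("AllowedOAuthFlows", [])
    if "implicit" in flows:
        findings.append("implicit grant enabled; prefer the authorization code grant with PKCE")
    if client.get("AllowedOAuthFlowsUserPoolClient") and "code" not in flows:
        findings.append("OAuth enabled but the authorization code grant is not allowed")
    # Redirect URLs should be HTTPS; http://localhost is the testing-only exception.
    for url in client.get("CallbackURLs", []) + client.get("LogoutURLs", []):
        if url.startswith("http://") and not url.startswith("http://localhost"):
            findings.append(f"non-HTTPS redirect URL: {url}")
    if not client.get("SupportedIdentityProviders"):
        findings.append("no identity provider enabled; at least one is required")
    if not client.get("CallbackURLs"):
        findings.append("no callback URL registered; at least one is required")
    return findings
```

Pipe the CLI output into this function for each client returned by list-user-pool-clients to audit a whole user pool.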

To list information about all clients for your user pool

  • AWS CLI: aws cognito-idp list-user-pool-clients

    Example: aws cognito-idp list-user-pool-clients --user-pool-id <user_pool_id> --max-results 3

  • AWS API: ListUserPoolClients

To delete a user pool client

  • AWS CLI: aws cognito-idp delete-user-pool-client

    Example: aws cognito-idp delete-user-pool-client --user-pool-id <user_pool_id> --client-id <client_id>

  • AWS API: DeleteUserPoolClient