Amazon Cognito
Developer Guide (Version Last Updated: 07/28/2016)

Adding Social Identity Providers

You can add a social identity provider (such as Facebook, Google, or Login with Amazon) as an identity provider in the AWS Management Console, or with Amazon Cognito CLI or Amazon Cognito API calls.

When you add a social identity provider, you specify authorization scopes for requesting permission to access user information in the social networking site. The user must consent to sharing the requested scopes with your app, after authenticating to the identity provider. Amazon Cognito invokes only the identity provider's profile API, so only scopes that are valid for the profile API should be included in your authorization scopes.

Adding Facebook as an Identity Provider

  1. Create an app in the Facebook app site at https://developers.facebook.com/apps/ and note the app ID and app secret.

  2. Sign in to the Amazon Cognito console.

  3. In the navigation pane, choose Manage your User Pools, and choose the user pool you want to edit.

  4. Choose the Identity provider tab.

  5. Choose Facebook.

  6. For the Facebook app ID, enter the app ID that you received when you created your Facebook app.

  7. For App secret, enter the app secret that you received when you created your Facebook app.

  8. For Authorize scopes, enter the names of the Facebook scopes that you want to map to user pool attributes, separated by commas, for example, email,public_profile. For more information, see https://developers.facebook.com/docs/facebook-login/permissions/#reference-public_profile.

  9. Choose Update Facebook.

Add your Amazon Cognito User Pool domain URL https://your-user-pool-domain/ in the Facebook app's Settings (Basic), Website URL. This ensures that Facebook will accept the redirect URL supplied by Amazon Cognito when it authenticates users.

Adding Google as an Identity Provider

  1. Create an app in the Google API dashboard at https://console.developers.google.com/apis/dashboard.

  2. Create Credentials for the app in the Credentials section.

  3. Sign in to the Amazon Cognito console.

  4. In the navigation pane, choose Manage your User Pools, and choose the user pool you want to edit.

  5. Choose the Identity provider tab.

  6. Choose Google.

  7. For the Google app ID, enter the app ID that you received when you created your Google app.

  8. For App secret, enter the app secret that you received when you created your Google app.

  9. For Authorize scopes, enter the names of the Google scopes that you want to map to user pool attributes, separated by spaces, for example, openid email profile. For more information, see https://developers.google.com/identity/protocols/oauth2/scopes.

  10. Choose Update Google.

Enable the Google People API for your app by clicking the Enable API menu at the top of the Google APIs dashboard.

Developers must also add their Amazon Cognito User Pool domain URL https://your-user-pool-domain/oauth2/idpresponse in the Google app's Authorized redirect URIs (in the Credentials section). This ensures that Google will accept the redirect URL supplied by Amazon Cognito when it authenticates users. For more information, see https://developers.google.com/identity/protocols/OAuth2WebServer.

Adding Login with Amazon as an Identity Provider

  1. Create an app in the Login With Amazon App Console at http://login.amazon.com/manageApps. Note the client ID and client secret (shown in the Web Settings section).

  2. Sign in to the Amazon Cognito console.

  3. In the navigation pane, choose Manage your User Pools, and choose the user pool you want to edit.

  4. Choose the Identity provider tab.

  5. Choose Amazon.

  6. For the Amazon app ID, enter the app ID that you received when you created your Amazon app.

  7. For App secret, enter the app secret that you received when you created your Amazon app.

  8. For Authorize scopes, enter the names of the Login with Amazon scopes that you want to map to user pool attributes, separated by spaces, for example, profile postal_code.

  9. Choose Update Amazon.

Add your Amazon Cognito User Pool domain URL https://your-user-pool-domain/oauth2/idpresponse to the Login with Amazon app's Allowed Return URLs. This ensures that Login with Amazon will accept the redirect URL supplied by Amazon Cognito when it authenticates users. For more information, see http://login.amazon.com/website.

Adding Social Identity Providers (AWS Management Console)

You can use the AWS Management Console to specify attribute mappings for your user pool's identity providers.

To add a social identity provider

  1. Sign in to the Amazon Cognito console.

  2. In the navigation pane, choose Manage your User Pools, and choose the user pool you want to edit.

  3. Choose the Identity providers tab.

  4. Choose a social identity provider such as Facebook, Google, or Amazon.

  5. For the Facebook (or Google or Amazon) app ID, enter the app ID that you received when you created your Facebook, Google, or Login with Amazon client app.

  6. For App secret, enter the app secret that you received when you created your client app.

  7. For Authorize scopes, enter the names of the social identity provider scopes, such as email, that you want to map to user pool attributes.

  8. Choose Update Facebook (or Update Google or Update Amazon).
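The console procedures above (Facebook, Google, Login with Amazon, and the generic procedure in this section) all end up setting the same four things on the user pool: a provider type, a client ID and secret, an authorize-scopes string, and an attribute mapping. The same configuration can be submitted with the CreateIdentityProvider API call mentioned at the top of the page. The following is an added example, not code from the Amazon Cognito documentation or the AWS SDK: it builds the request parameters for boto3's `create_identity_provider`, enforces the scope delimiter each provider expects (commas for Facebook, spaces for Google and Login with Amazon), derives the redirect URL you must register at the provider, and rejects malformed scope names before anything is sent. The user pool ID, app ID and secret are placeholders, and the default scope lists and attribute mappings are example values chosen here.

```python
"""Build Amazon Cognito CreateIdentityProvider parameters for social IdPs.

Added example (not from the Cognito documentation). Provider type names and
ProviderDetails keys follow the CreateIdentityProvider API; the default scope
lists and attribute mappings below are example values.
"""

# Scope delimiter per provider, as the guide states: Facebook scopes are
# comma-separated, Google and Login with Amazon scopes are space-separated.
SCOPE_DELIMITER = {
    "Facebook": ",",
    "Google": " ",
    "LoginWithAmazon": " ",
}

# Example scope sets. Kept to what the provider's profile API needs: Cognito
# only calls the profile API, so any broader scope widens the consent prompt
# without mapping to anything in the user pool.
DEFAULT_SCOPES = {
    "Facebook": ["public_profile", "email"],
    "Google": ["openid", "email", "profile"],
    "LoginWithAmazon": ["profile", "postal_code"],
}

# Example attribute mappings (user pool attribute -> provider claim).
DEFAULT_ATTRIBUTE_MAPPING = {
    "Facebook": {"username": "id", "email": "email"},
    "Google": {"username": "sub", "email": "email"},
    "LoginWithAmazon": {"username": "user_id", "email": "email"},
}


def redirect_url_to_register(user_pool_domain: str, provider_type: str) -> str:
    """Return the URL to register at the social provider so it accepts the
    redirect Cognito supplies. Google and Login with Amazon take the
    /oauth2/idpresponse endpoint; Facebook's Website URL takes the domain root."""
    domain = user_pool_domain.strip()
    if domain.startswith("https://"):
        domain = domain[len("https://"):]
    domain = domain.rstrip("/")
    if provider_type == "Facebook":
        return f"https://{domain}/"
    return f"https://{domain}/oauth2/idpresponse"


def build_create_identity_provider_params(user_pool_id, provider_type,
                                          client_id, client_secret,
                                          scopes=None, attribute_mapping=None):
    """Assemble keyword arguments for cognito-idp CreateIdentityProvider.

    For social providers the ProviderName must equal the ProviderType."""
    if provider_type not in SCOPE_DELIMITER:
        raise ValueError(f"unsupported social provider type {provider_type!r}")
    if not client_id or not client_secret:
        raise ValueError("client_id and client_secret are required")
    scope_list = list(scopes) if scopes is not None else DEFAULT_SCOPES[provider_type]
    # A scope name containing a comma or whitespace would silently become two
    # scopes (or an invalid one) once joined, so reject it up front.
    for scope in scope_list:
        if not scope or "," in scope or any(ch.isspace() for ch in scope):
            raise ValueError(f"invalid scope name {scope!r}")
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": provider_type,
        "ProviderType": provider_type,
        "ProviderDetails": {
            "client_id": client_id,
            "client_secret": client_secret,
            "authorize_scopes": SCOPE_DELIMITER[provider_type].join(scope_list),
        },
        "AttributeMapping": dict(attribute_mapping or DEFAULT_ATTRIBUTE_MAPPING[provider_type]),
    }


def create_identity_provider(params, client=None):
    """Submit the parameters with boto3; a client can be injected for testing."""
    if client is None:
        import boto3  # only needed when actually calling AWS
        client = boto3.client("cognito-idp")
    return client.create_identity_provider(**params)


if __name__ == "__main__":
    import os
    # Read the secret from the environment rather than hard-coding it.
    params = build_create_identity_provider_params(
        "us-east-1_EXAMPLE",            # placeholder user pool ID
        "Facebook",
        os.environ.get("FB_APP_ID", "APP_ID_PLACEHOLDER"),
        os.environ.get("FB_APP_SECRET", "APP_SECRET_PLACEHOLDER"),
    )
    print(params["ProviderDetails"]["authorize_scopes"])
    print(redirect_url_to_register("auth.example.com", "Facebook"))
```

The builder is the part worth keeping separate from the AWS call: it lets you check the exact `authorize_scopes` string and `AttributeMapping` that will land on the user pool before granting the caller any `cognito-idp:CreateIdentityProvider` permission, and the redirect helper gives you the precise value to paste into the provider's allowed-URL list so the callback is not accepted from a broader pattern than necessary.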