Login with Amazon (identity pools) - Amazon Cognito

Login with Amazon (identity pools)

Amazon Cognito integrates with Login with Amazon to provide federated authentication for your mobile and web app users. This section explains how to register and set up your application with Login with Amazon as an identity provider (IdP).

Set up Login with Amazon to work with Amazon Cognito in the Developer Portal. For more information, see Setting Up Login with Amazon in the Login with Amazon FAQ.


To integrate Login with Amazon into a Xamarin application, follow the Xamarin Getting Started Guide.


You can't natively integrate Login with Amazon on the Unity platform. Instead, use a web view and go through the browser sign-in flow.

Setting up Login with Amazon

Implement Login with Amazon

In the Amazon developer portal, you can set up an OAuth application to integrate with your identity pool, find Login with Amazon documentation, and download SDKs. Choose Developer console, then Login with Amazon in the developer portal. You can create a security profile for your application and then build Login with Amazon authentication mechanisms into your app. See Getting credentials for more information about how to integrate Login with Amazon authentication with your app.

Amazon issues an OAuth 2.0 client ID for your new security profile. You can find the client ID on the security profile Web Settings tab. Enter the client ID in the Amazon App ID field of the Login with Amazon IdP in your identity pool.

Configure the external provider in the Amazon Cognito console

New console
To add a Login with Amazon identity provider (IdP)
  1. Choose Identity pools from the Amazon Cognito console. Select an identity pool.

  2. Choose the User access tab.

  3. Select Add identity provider.

  4. Choose Login with Amazon.

  5. Enter the App ID of the OAuth project that you created at Login with Amazon. For more information, see Login with Amazon Documentation.

  6. To set the role that Amazon Cognito requests when it issues credentials to users who have authenticated with this provider, configure Role settings.

    1. You can assign users from that IdP the Default role that you set up when you configured your Authenticated role, or you can Choose role with rules.

      1. If you chose Choose role with rules, enter the source Claim from your user's authentication, the Operator that you want to compare the claim by, the Value that will cause a match to this role choice, and the Role that you want to assign when the Role assignment matches. Select Add another to create an additional rule based on a different condition.

      2. Choose a Role resolution. When your user's claims don't match your rules, you can deny credentials or issue credentials for your Authenticated role.

  7. To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, configure Attributes for access control.

    1. To apply no principal tags, choose Inactive.

    2. To apply principal tags based on sub and aud claims, choose Use default mappings.

    3. To create your own custom schema of attributes to principal tags, choose Use custom mappings. Then enter a Tag key that you want to source from each Claim that you want to represent in a tag.

  8. Select Save changes.

Original console

Choose Manage Identity Pools from the Amazon Cognito console home page:

  1. Choose the name of the identity pool where you want to enable Login with Amazon as an external provider. The Dashboard page for your identity pool appears.

  2. In the top-right corner of the Dashboard page, choose Edit identity pool. The Edit identity pool page appears.

  3. Scroll down and choose Authentication providers to expand the section.

  4. Choose the Amazon tab.

  5. Choose Unlock.

  6. Enter the Amazon App ID that you obtained from Amazon, and then choose Save Changes.

Use Login with Amazon: Android

After you authenticate Amazon login, you can pass the token to the Amazon Cognito credentials provider in the onSuccess method of the TokenListener interface. The code looks like this:

@Override public void onSuccess(Bundle response) { String token = response.getString(AuthzConstants.BUNDLE_KEY.TOKEN.val); Map<String, String> logins = new HashMap<String, String>(); logins.put("www.amazon.com", token); credentialsProvider.setLogins(logins); }

Use Login with Amazon: iOS - Objective-C

After you authenticate Amazon login, you can pass the token to the Amazon Cognito credentials provider in the requestDidSucceed method of the AMZNAccessTokenDelegate:

- (void)requestDidSucceed:(APIResult \*)apiResult { if (apiResult.api == kAPIAuthorizeUser) { [AIMobileLib getAccessTokenForScopes:[NSArray arrayWithObject:@"profile"] withOverrideParams:nil delegate:self]; } else if (apiResult.api == kAPIGetAccessToken) { credentialsProvider.logins = @{ @(AWSCognitoLoginProviderKeyLoginWithAmazon): apiResult.result }; } }}

Use Login with Amazon: iOS - Swift

After you authenticate Amazon login, you can pass the token to the Amazon Cognito credentials provider in the requestDidSucceed method of the AMZNAccessTokenDelegate:

func requestDidSucceed(apiResult: APIResult!) { if apiResult.api == API.AuthorizeUser { AIMobileLib.getAccessTokenForScopes(["profile"], withOverrideParams: nil, delegate: self) } else if apiResult.api == API.GetAccessToken { credentialsProvider.logins = [AWSCognitoLoginProviderKey.LoginWithAmazon.rawValue: apiResult.result] } }

Use Login with Amazon: JavaScript

After the user authenticates with Login with Amazon and is redirected back to your website, the Login with Amazon access_token is provided in the query string. Pass that token into the credentials login map.

AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'IDENTITY_POOL_ID', Logins: { 'www.amazon.com': 'Amazon Access Token' } });

Use Login with Amazon: Xamarin

Xamarin for Android

AmazonAuthorizationManager manager = new AmazonAuthorizationManager(this, Bundle.Empty); var tokenListener = new APIListener { Success = response => { // Get the auth token var token = response.GetString(AuthzConstants.BUNDLE_KEY.Token.Val); credentials.AddLogin("www.amazon.com", token); } }; // Try and get existing login manager.GetToken(new[] { "profile" }, tokenListener);

Xamarin for iOS

In AppDelegate.cs, insert the following:

public override bool OpenUrl (UIApplication application, NSUrl url, string sourceApplication, NSObject annotation) { // Pass on the url to the SDK to parse authorization code from the url bool isValidRedirectSignInURL = AIMobileLib.HandleOpenUrl (url, sourceApplication); if(!isValidRedirectSignInURL) return false; // App may also want to handle url return true; }

Then, in ViewController.cs, do the following:

public override void ViewDidLoad () { base.LoadView (); // Here we create the Amazon Login Button btnLogin = UIButton.FromType (UIButtonType.RoundedRect); btnLogin.Frame = new RectangleF (55, 206, 209, 48); btnLogin.SetTitle ("Login using Amazon", UIControlState.Normal); btnLogin.TouchUpInside += (sender, e) => { AIMobileLib.AuthorizeUser (new [] { "profile"}, new AMZNAuthorizationDelegate ()); }; View.AddSubview (btnLogin); } // Class that handles Authentication Success/Failure public class AMZNAuthorizationDelegate : AIAuthenticationDelegate { public override void RequestDidSucceed(ApiResult apiResult) { // Your code after the user authorizes application for requested scopes var token = apiResult["access_token"]; credentials.AddLogin("www.amazon.com",token); } public override void RequestDidFail(ApiError errorResponse) { // Your code when the authorization fails InvokeOnMainThread(() => new UIAlertView("User Authorization Failed", errorResponse.Error.Message, null, "Ok", null).Show()); } }