Using the Amazon Cognito domain for the hosted UI
The default experience for the hosted UI and authorization server is hosted on a domain that AWS owns. This approach has a low barrier to entry—choose a prefix name and it's active—but doesn't have the trust-inspiring features of a custom domain. There isn't a cost difference between the Amazon Cognito domain option and the custom domain option. The only difference is the domain in the web address that you direct your users to. For third-party IdP redirects and client-credentials flows, the hosted domain has little visible effect. A custom domain is better for cases where your users sign in with the hosted UI and would otherwise interact with an authentication domain that doesn't match the application domain.
The hosted Amazon Cognito domain has a prefix of your choosing, but is hosted at the root domain amazoncognito.com. The following is an example:
https://cognitoexample.auth.ap-south-1.amazoncognito.com
All hosted UI prefix domains follow this format:
<prefix>.auth.<AWS Region code>.amazoncognito.com
Custom domain user pools can host the hosted UI on any domain that you own.
Note
To augment the security of your Amazon Cognito applications, the parent domains of user pool endpoints are registered in the Public Suffix List (PSL).
User pool endpoint parent domains take the following formats:
- auth.<Region>.amazoncognito.com
- auth-fips.<Region>.amazoncognito.com
To add an app client and an Amazon Cognito hosted domain with the AWS Management Console, see Creating an app client.
Prerequisites
Before you begin, you need:
- A user pool with an app client. For more information, see Getting started with user pools.
Configure an Amazon Cognito domain prefix
You can use the AWS Management Console, the AWS CLI, or the API to configure a user pool domain.
Verify your sign-in page
- Verify that the sign-in page is available from your Amazon Cognito hosted domain:
https://<your_domain>/login?response_type=code&client_id=<your_app_client_id>&redirect_uri=<your_callback_url>
Your domain is shown on the Domain name page of the Amazon Cognito console. Your app client ID and callback URL are shown on the App client settings page.
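The following is an added example, not code from the AWS documentation, that puts the prefix-domain format above and the sign-in verification URL into working form: it composes a hosted UI host from a prefix and Region, checks that a host really is a Cognito prefix domain (anchored, so lookalike hosts are rejected), and builds the /login URL with a correctly percent-encoded redirect_uri. The prefix character rule and the Region code shape in the regular expression are assumptions made for illustration, and all sample identifiers are constructed.

```python
"""Compose and check Amazon Cognito hosted UI prefix-domain URLs.

Added example, not from the AWS documentation. Assumptions: a prefix is
lowercase letters, digits and hyphens, not starting or ending with a hyphen;
a Region code looks like ap-south-1 or us-gov-west-1.
"""
import re
from urllib.parse import urlencode

# <prefix>.auth.<Region>.amazoncognito.com, or the auth-fips parent domain.
_HOSTED_UI_HOST = re.compile(
    r"^(?P<prefix>[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)"
    r"\.auth(?P<fips>-fips)?"
    r"\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)"
    r"\.amazoncognito\.com$"
)


def parse_hosted_ui_host(host):
    """Return {'prefix', 'region', 'fips'} if host is a Cognito prefix domain,
    else None. Anchored at both ends, so a host that merely contains
    '.amazoncognito.com' somewhere in the middle does not match."""
    m = _HOSTED_UI_HOST.match(host.lower())
    if not m:
        return None
    return {"prefix": m["prefix"], "region": m["region"], "fips": m["fips"] is not None}


def hosted_ui_host(prefix, region, fips=False):
    """Compose the hosted UI host for a prefix and Region, validating the result."""
    host = f"{prefix}.auth{'-fips' if fips else ''}.{region}.amazoncognito.com"
    if parse_hosted_ui_host(host) is None:
        raise ValueError(f"invalid prefix or Region: {host}")
    return host


def login_url(domain, client_id, redirect_uri, scope=None):
    """Build the /login URL from the 'Verify your sign-in page' step.
    redirect_uri is percent-encoded and must exactly equal a callback URL
    registered on the app client, or the hosted UI rejects the request."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    if scope:
        params["scope"] = scope
    return f"https://{domain}/login?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    host = hosted_ui_host("cognitoexample", "ap-south-1")
    print(login_url(host, "example-client-id", "https://app.example.com/callback"))
```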