Using the Amazon Cognito domain for the hosted UI - Amazon Cognito

Using the Amazon Cognito domain for the hosted UI

The default experience for the hosted UI and authorization server is hosted on a domain that AWS owns. This approach has a low barrier to entry—choose a prefix name and it's active—but doesn't have the trust-inspiring features of a custom domain. There isn't a cost difference between the Amazon Cognito domain option and the custom domain option. The only difference is the domain in the web address that you direct your users to. For cases of third-party IdP redirects and client-credentials flows, the hosted domain has little visible effect. A custom domain is better for cases where your users sign in with the hosted UI and would interact with a authentication domain that doesn't match the application domain.

The hosted Amazon Cognito domain has a prefix of your choosing, but is hosted at the root domain amazoncognito.com. The following is an example:

https://cognitoexample.auth.ap-south-1.amazoncognito.com

All hosted UI prefix domains follow this format: prefix.auth.AWS Region code.amazoncognito.com. Custom domain user pools can host the hosted UI on any domain that you own.

Note

To augment the security of your Amazon Cognito applications, the parent domains of user pool endpoints are registered in the Public Suffix List (PSL). The PSL helps your users' web browsers establish a consistent understanding of your user pool endpoints and the cookies they set.

User pool endpoint parent domains take the following formats.

auth.Region.amazoncognito.com auth-fips.Region.amazoncognito.com

To add an app client and an Amazon Cognito hosted domain with the AWS Management Console, see Creating an app client.

Prerequisites

Before you begin, you need:

Configure an Amazon Cognito domain prefix

You can use either the AWS Management Console or the AWS CLI or API to configure a user pool domain.

Amazon Cognito console
Configure a domain
  1. Navigate to the App integration tab for your user pool.

  2. Next to Domain, choose Actions and select Create custom domain or Create Amazon Cognito domain. If you have already configured a user pool domain, choose Delete Amazon Cognito domain or Delete custom domain before creating your new custom domain.

  3. Enter an available domain prefix to use with a Amazon Cognito domain. For information on setting up a Custom domain, see Using your own Domain for the hosted UI

  4. Choose Create.

CLI/API

Use the following commands to create a domain prefix and assign it to your user pool.

To configure a user pool domain
  • AWS CLI: aws cognito-idp create-user-pool-domain

    Example: aws cognito-idp create-user-pool-domain --user-pool-id <user_pool_id> --domain <domain_name>

  • AWS API: CreateUserPoolDomain

To get information about a domain
  • AWS CLI: aws cognito-idp describe-user-pool-domain

    Example: aws cognito-idp describe-user-pool-domain --domain <domain_name>

  • AWS API: DescribeUserPoolDomain

To delete a domain
  • AWS CLI: aws cognito-idp delete-user-pool-domain

    Example: aws cognito-idp delete-user-pool-domain --domain <domain_name>

  • AWS API: DeleteUserPoolDomain

Verify your sign-in page

  • Verify that the sign-in page is available from your Amazon Cognito hosted domain.

    https://<your_domain>/login?response_type=code&client_id=<your_app_client_id>&redirect_uri=<your_callback_url>

Your domain is shown on the Domain name page of the Amazon Cognito console. Your app client ID and callback URL are shown on the App client settings page.