Amazon Cognito
Developer Guide

Step 3. Add Social Sign-in to a User Pool (Optional)

You can enable your app users to sign in through a social identity provider (IdP) such as Facebook, Google, or Login with Amazon. Whether your users sign in directly or through a third party, all users have a profile in the user pool. Skip this step if you don't want to add sign-in through a social identity provider.

Before you begin to add a social identity provider such as Facebook, Google, or Login with Amazon

  1. Create a developer account with the identity provider.

    You can get started with these social identity provider links:

  2. Register the app that you created in the user pool with the identity provider. The identity provider creates an app ID and an app secret for your user pool app.

  3. Configure those values in your user pool.

You need to configure your user pool domain or redirect URL with the identity provider. This ensures that the identity provider accepts the redirect URL that's supplied by Amazon Cognito when it authenticates users.

  • For Google, add your Amazon Cognito user pool domain URL in the Google app's Authorized redirect URIs (in the Credentials section).

    https://<your-user-pool-domain>/oauth2/idpresponse

  • For Facebook, add your Amazon Cognito user pool domain URL in the Facebook app's Settings (Basic), Website URL.

    https://<your-user-pool-domain>/

  • For Login with Amazon, add your Amazon Cognito user pool domain URL to the Login with Amazon app's Allowed Return URLs.

    https://<your-user-pool-domain>/oauth2/idpresponse

To configure a social identity provider

  1. Go to the Amazon Cognito console. You might be prompted for your AWS credentials.

  2. Choose Manage your User Pools.

  3. Choose an existing user pool from the list, or create a new user pool.

  4. On the navigation bar on the left side of the page, choose Identity providers.

  5. Choose a social identity provider: Facebook, Google, or Login with Amazon.

  6. Type the app ID and app secret that you received from the identity provider.

  7. Type the names of the scopes that you want to authorize. Scopes define which user attributes (such as name and email) you want to access with your app. For Facebook, these should be separated by commas. For Google and Login with Amazon, they should be separated by spaces.

    Social identity provider    Example scopes
    Facebook                    public_profile, email
    Google                      profile email openid
    Login with Amazon           profile postal_code

    Your app user is asked to consent to providing these attributes to your app. For more information about their scopes, see the documentation from Google, Facebook, and Login with Amazon.

  8. Choose Enable for the social identity provider that you're configuring.

  9. On the Attribute mapping tab, add mappings for at least the required attributes, typically email, as follows:

    1. Select the check box to choose the Facebook, Google, or Amazon attribute name. You can also type the names of additional attributes that aren't listed in the Amazon Cognito console.

    2. Choose the destination user pool attribute from the drop-down list.

    3. Choose Save changes.

    4. Choose Go to summary.

For more information, see Adding Social Identity Providers.
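
The console procedure above can also be expressed as an API request. The following is an added example, not code from the AWS guide: it builds the arguments for boto3's `create_identity_provider`, applying the per-provider scope separator from step 7 and the email mapping from step 9, and returns the redirect URL to register with each provider. The pool ID, domain, app ID, and the `IDP_CLIENT_SECRET` variable name are constructed placeholders.

```python
import os

# From this page: scope separator and the URL path to register with each IdP.
# Keys are the Cognito API ProviderType values for these social providers.
PROVIDERS = {
    "Facebook":        {"sep": ",", "path": "/"},
    "Google":          {"sep": " ", "path": "/oauth2/idpresponse"},
    "LoginWithAmazon": {"sep": " ", "path": "/oauth2/idpresponse"},
}

def redirect_url(provider, pool_domain):
    """URL to enter in the IdP's developer console for this user pool domain."""
    return f"https://{pool_domain}{PROVIDERS[provider]['path']}"

def build_idp_request(pool_id, provider, app_id, app_secret, scopes, mapping):
    """Validate inputs and return kwargs for create_identity_provider()."""
    if provider not in PROVIDERS:
        raise ValueError(f"unsupported social provider: {provider!r}")
    if not app_id or not app_secret:
        raise ValueError("app ID and app secret are both required")
    for scope in scopes:
        # One scope per list item; a stray comma or space means the caller
        # pasted a pre-joined string using some provider's separator.
        if not scope or "," in scope or any(c.isspace() for c in scope):
            raise ValueError(f"bad scope {scope!r}: pass one scope per item")
    if "email" not in mapping:
        raise ValueError("map at least the user pool attribute 'email'")
    return {
        "UserPoolId": pool_id,
        "ProviderName": provider,   # social providers use the type as name
        "ProviderType": provider,
        "ProviderDetails": {
            "client_id": app_id,
            "client_secret": app_secret,
            "authorize_scopes": PROVIDERS[provider]["sep"].join(scopes),
        },
        # user pool attribute -> provider attribute
        "AttributeMapping": dict(mapping),
    }

if __name__ == "__main__":
    # Constructed placeholders; the secret comes from the environment.
    secret = os.environ.get("IDP_CLIENT_SECRET", "constructed-secret")
    req = build_idp_request("us-east-1_EXAMPLE", "Google", "constructed-app-id",
                            secret, ["profile", "email", "openid"],
                            {"email": "email"})
    print(redirect_url("Google", "example.auth.us-east-1.amazoncognito.com"))
    print({**req["ProviderDetails"], "client_secret": "***"})
    # boto3.client("cognito-idp").create_identity_provider(**req)
```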

Next Step

Step 4. Add Sign-in with a SAML Identity Provider to a User Pool (Optional)
