Add social sign-in to a user pool (optional) - Amazon Cognito


You can enable your app users to sign in through a social identity provider (IdP) such as Facebook, Google, Amazon, and Apple. Whether your users sign in directly or through a third party, all users have a profile in the user pool. Skip this step if you don't want to add sign in through a social sign-in identity provider.

Register with a social IdP

Before you create a social IdP with Amazon Cognito, you must register your application with the social IdP to receive a client ID and client secret.

Facebook

  1. Create a developer account with Facebook.

  2. Sign in with your Facebook credentials.

  3. From the My Apps menu, choose Create New App.

    If you do not have an existing Facebook app, you will see a different option; choose Create App.

  4. On the Create an app page, choose a use case for your app, and then choose Next.

  5. Enter a name for your Facebook app and choose Create App.

  6. On the left navigation bar, choose App Settings, and then choose Basic.

  7. Note the App ID and the App Secret. You will use them in the next section.

  8. Choose + Add platform from the bottom of the page.

  9. On the Select Platform screen, select your platforms, and then choose Next.

  10. Choose Save changes.

  11. For App Domains, enter your user pool domain.

    https://your_user_pool_domain

  12. Choose Save changes.

  13. From the navigation bar, choose Products, and then Configure from Facebook Login.

  14. From the Facebook Login Configure menu, choose Settings.

    Enter your redirect URL into Valid OAuth Redirect URIs. The redirect URL consists of your user pool domain followed by the /oauth2/idpresponse endpoint.

    https://your_user_pool_domain/oauth2/idpresponse

  15. Choose Save changes.

Login with Amazon

  1. Create a developer account with Amazon.

  2. Sign in with your Amazon credentials.

  3. You need to create an Amazon security profile to receive the Amazon client ID and client secret.

    Choose Apps and Services from the navigation bar at the top of the page, and then choose Login with Amazon.

  4. Choose Create a Security Profile.

  5. Enter a Security Profile Name, a Security Profile Description, and a Consent Privacy Notice URL.

  6. Choose Save.

  7. Choose Client ID and Client Secret to show the client ID and secret. You will use them in the next section.

  8. Hover over the gear icon and choose Web Settings, and then choose Edit.

  9. Enter your user pool domain into Allowed Origins.

    https://<your-user-pool-domain>

  10. Enter your user pool domain with the /oauth2/idpresponse endpoint into Allowed Return URLs.

    https://<your-user-pool-domain>/oauth2/idpresponse

  11. Choose Save.

Google

For more information about OAuth 2.0 in the Google Cloud platform, see Learn about authentication & authorization in the Google Workspace for Developers documentation.

  1. Create a developer account with Google.

  2. Sign in to the Google Cloud Platform console.

  3. From the top navigation bar, choose Select a project. If you already have a project in the Google platform, this menu displays your default project instead.

  4. Select NEW PROJECT.

  5. Enter a name for your product and then choose CREATE.

  6. On the left navigation bar, choose APIs and Services, then OAuth consent screen.

  7. Enter App information, an App domain, Authorized domains, and Developer contact information. Your Authorized domains must include amazoncognito.com and the root of your custom domain, for example example.com. Choose SAVE AND CONTINUE.

  8. Under Scopes, choose Add or remove scopes, and choose, at minimum, the following OAuth scopes.

    1. .../auth/userinfo.email

    2. .../auth/userinfo.profile

    3. openid

  9. Under Test users, choose Add users. Enter your email address and any other authorized test users, then choose SAVE AND CONTINUE.

  10. Expand the left navigation bar again, and choose APIs and Services, then Credentials.

  11. Choose CREATE CREDENTIALS, then OAuth client ID.

  12. Choose an Application type and give your client a Name.

  13. Under Authorized JavaScript origins, choose ADD URI. Enter your user pool domain.

    https://<your-user-pool-domain>

  14. Under Authorized redirect URIs, choose ADD URI. Enter the path to the /oauth2/idpresponse endpoint of your user pool domain.

    https://<your-user-pool-domain>/oauth2/idpresponse

  15. Choose CREATE.

  16. Securely store the values that Google displays under Your client ID and Your client secret. Provide these values to Amazon Cognito when you add a Google IdP.

Sign in with Apple

For more information about setting up Sign in with Apple, see Configuring Your Environment for Sign in with Apple in the Apple Developer documentation.

  1. Create a developer account with Apple.

  2. Sign in with your Apple credentials.

  3. On the left navigation bar, choose Certificates, Identifiers & Profiles.

  4. On the left navigation bar, choose Identifiers.

  5. On the Identifiers page, choose the + icon.

  6. On the Register a New Identifier page, choose App IDs, and then choose Continue.

  7. On the Select a type page, choose App, then choose Continue.

  8. On the Register an App ID page, do the following:

    1. Under Description, enter a description.

    2. Under App ID Prefix, enter a Bundle ID. Make a note of the value under App ID Prefix. You will use this value after you choose Apple as your identity provider in Step 2: Add a social IdP to your user pool.

    3. Under Capabilities, choose Sign In with Apple, and then choose Edit.

    4. On the Sign in with Apple: App ID Configuration page, choose to set up the app as either primary or grouped with other App IDs, and then choose Save.

    5. Choose Continue.

  9. On the Confirm your App ID page, choose Register.

  10. On the Identifiers page, choose the + icon.

  11. On the Register a New Identifier page, choose Services IDs, and then choose Continue.

  12. On the Register a Services ID page, do the following:

    1. Under Description, type a description.

    2. Under Identifier, type an identifier. Make a note of this Services ID as you will need this value after you choose Apple as your identity provider in Step 2: Add a social IdP to your user pool.

    3. Choose Continue, then Register.

  13. Choose the Services ID you just created from the Identifiers page.

    1. Select Sign In with Apple, and then choose Configure.

    2. On the Web Authentication Configuration page, select the app ID that you created earlier as the Primary App ID.

    3. Choose the + icon next to Website URLs.

    4. Under Domains and subdomains, enter your user pool domain without an https:// prefix.

      <your-user-pool-domain>

    5. Under Return URLs, enter the path to the /oauth2/idpresponse endpoint of your user pool domain.

      https://<your-user-pool-domain>/oauth2/idpresponse

    6. Choose Next, and then Done. You don't need to verify the domain.

    7. Choose Continue, and then choose Save.

  14. On the left navigation bar, choose Keys.

  15. On the Keys page, choose the + icon.

  16. On the Register a New Key page, do the following:

    1. Under Key Name, enter a key name.

    2. Choose Sign In with Apple, and then choose Configure.

    3. On the Configure Key page, select the app ID that you created earlier as the Primary App ID. Choose Save.

    4. Choose Continue, and then choose Register.

  17. On the Download Your Key page, choose Download to download the private key and note the Key ID shown, and then choose Done. You will need this private key and the Key ID value shown on this page after you choose Apple as your identity provider in Step 2: Add a social IdP to your user pool.

Add a social IdP to your user pool

In this section, you configure a social IdP in your user pool using the client ID and client secret from the previous section.

To configure a user pool social identity provider with the AWS Management Console

  1. Go to the Amazon Cognito console. You might be prompted for your AWS credentials.

  2. Choose User Pools.

  3. Choose an existing user pool from the list, or create a user pool.

  4. Choose the Sign-in experience tab. Locate Federated sign-in and select Add an identity provider.

  5. Choose a social identity provider: Facebook, Google, Login with Amazon, or Sign in with Apple.

  6. Choose from the following steps, based on your choice of social identity provider:

    • Google and Login with Amazon — Enter the app client ID and app client secret generated in the previous section.

    • Facebook — Enter the app client ID and app client secret generated in the previous section, and then choose an API version (for example, version 2.12). We recommend choosing the latest possible version, as each Facebook API version has a lifecycle and deprecation date. Facebook scopes and attributes can vary between API versions. We recommend testing sign-in with Facebook to ensure that federation works as intended.

    • Sign in with Apple — Enter the Services ID, Team ID, Key ID, and private key generated in the previous section.

  7. Enter the names of the Authorized scopes you want to use. Scopes define which user attributes (such as name and email) you want to access with your app. For Facebook, these should be separated by commas. For Google and Login with Amazon, they should be separated by spaces. For Sign in with Apple, select the check boxes for the scopes you want access to.

    Social identity provider   Example scopes
    Facebook                   public_profile, email
    Google                     profile email openid
    Login with Amazon          profile postal_code
    Sign in with Apple         email name

    Your app user is prompted to consent to providing these attributes to your app. For more information about social provider scopes, see the documentation from Google, Facebook, Login with Amazon, or Sign in with Apple.

    With Sign in with Apple, the following are user scenarios where scopes might not be returned:

    • An end user encounters failures after leaving Apple's sign-in page (these can be caused by internal failures within Amazon Cognito or by anything written by the developer)

    • The Services ID is reused across user pools and/or other authentication services

    • A developer adds additional scopes after the user signs in. Users only retrieve new information when they authenticate and when they refresh their tokens.

    • A developer deletes the user and then the user signs in again without removing the app from their Apple ID profile

  8. Map attributes from your identity provider to your user pool. For more information, see Specifying Identity Provider Attribute Mappings for Your User Pool.

  9. Choose Create.

  10. From the App client integration tab, choose one of the App clients in the list and Edit hosted UI settings. Add the new social identity provider to the app client under Identity providers.

  11. Choose Save changes.
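The scope-separator rule and per-provider credentials from steps 6 and 7 are easy to get wrong when the IdP is created programmatically rather than in the console. The following Python helper, added here and not part of the page, assembles the provider details for each supported social IdP and joins the scopes with the separator that provider expects. It assumes the key names of the CreateIdentityProvider API's ProviderDetails map (client_id, client_secret, authorize_scopes, api_version, team_id, key_id, private_key); the credential values are constructed placeholders.

```python
from typing import Dict, List

# Scope separator each provider expects (Facebook: commas; the others: spaces).
SCOPE_SEPARATOR = {
    "Facebook": ",",
    "Google": " ",
    "LoginWithAmazon": " ",
    "SignInWithApple": " ",
}

# Credentials the console asks for per provider, expressed as ProviderDetails
# keys (assumption: these match the CreateIdentityProvider API). For Apple the
# Services ID is supplied as client_id.
REQUIRED_KEYS = {
    "Facebook": ("client_id", "client_secret", "api_version"),
    "Google": ("client_id", "client_secret"),
    "LoginWithAmazon": ("client_id", "client_secret"),
    "SignInWithApple": ("client_id", "team_id", "key_id", "private_key"),
}


def provider_details(provider_type: str, scopes: List[str], **creds: str) -> Dict[str, str]:
    """Return the ProviderDetails map for one social IdP, rejecting missing
    credentials and joining scopes with the provider's separator."""
    if provider_type not in SCOPE_SEPARATOR:
        raise ValueError(f"unsupported provider type: {provider_type}")
    missing = [k for k in REQUIRED_KEYS[provider_type] if not creds.get(k)]
    if missing:
        raise ValueError(f"{provider_type}: missing {', '.join(missing)}")
    if not scopes:
        raise ValueError("at least one scope is required")
    details = {k: creds[k] for k in REQUIRED_KEYS[provider_type]}
    details["authorize_scopes"] = SCOPE_SEPARATOR[provider_type].join(scopes)
    return details


def create_idp_request(user_pool_id: str, provider_name: str, provider_type: str,
                       scopes: List[str], attribute_mapping: Dict[str, str],
                       **creds: str) -> Dict[str, object]:
    """Build the full request body (user pool, name, type, details and the
    attribute mapping from step 8) for one social IdP."""
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": provider_name,
        "ProviderType": provider_type,
        "ProviderDetails": provider_details(provider_type, scopes, **creds),
        "AttributeMapping": attribute_mapping,
    }
```

The returned dictionary can be passed as keyword arguments to the cognito-idp create_identity_provider call in boto3 or serialised for the AWS CLI.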

Test your social IdP configuration

You can create a login URL by using the elements from the previous two sections. Use it to test your social IdP configuration.

https://mydomain.us-east-1.amazoncognito.com/login?response_type=code&client_id=1example23456789&redirect_uri=https://www.example.com

You can find your domain on the user pool Domain name console page. The client_id is on the App client settings page. Use your callback URL for the redirect_uri parameter. This is the URL of the page where your user will be redirected after a successful authentication.

Note

Amazon Cognito cancels authentication requests that do not complete within 5 minutes, and redirects the user to the hosted UI. The page displays a Something went wrong error message.

Next step

Add sign-in with a SAML identity provider to a user pool (optional)