Amazon Cognito
Developer Guide

Step 3. Add Social Sign-in to a User Pool (Optional)

You can enable your app users to sign in through a social identity provider (IdP) such as Facebook, Google, and Login with Amazon. Whether your users sign in directly or through a third party, all users have a profile in the user pool. Skip this step if you don't want to add sign in through a social sign-in identity provider.

Step 1: Register with a Social IdP

Before you create a social IdP with Amazon Cognito, you must register your application with the social IdP to receive a client ID and client secret.

To register an app with Facebook
  1. Create a developer account with Facebook.

  2. Sign in with your Facebook credentials.

  3. From the My Apps menu, choose Create New App.

  4. Give your Facebook app a name and choose Create App ID.

  5. On the left navigation bar, choose Settings and then Basic.

  6. Note the App ID and the App Secret. You will use them in the next section.

  7. Choose + Add Platform from the bottom of the page.

  8. Choose Website.

  9. Under Website, type your user pool domain with the /oauth2/idpresponse endpoint into Site URL.

    https://<your-user-pool-domain>/oauth2/idpresponse
  10. Choose Save changes.

  11. Type your user pool domain into App Domains.

    https://<your-user-pool-domain>
  12. Choose Save changes.

  13. From the navigation bar choose Products and then Set up from Facebook Login.

  14. From the navigation bar choose Facebook Login and then Settings.

    Type your redirect URL into Valid OAuth Redirect URIs. It will consist of your user pool domain with the /oauth2/idpresponse endpoint.

    https://<your-user-pool-domain>/oauth2/idpresponse
  15. Choose Save changes.

To register an app with Amazon
  1. Create a developer account with Amazon.

  2. Sign in with your Amazon credentials.

  3. You need to create an Amazon security profile to receive the Amazon client ID and client secret.

    Choose Apps and Services from the navigation bar at the top of the page and then choose Login with Amazon.

  4. Choose Create a Security Profile.

  5. Type in a Security Profile Name, a Security Profile Description, and a Consent Privacy Notice URL.

  6. Choose Save.

  7. Choose Client ID and Client Secret to show the client ID and secret. You will use them in the next section.

  8. Hover over the gear and choose Web Settings, and then choose Edit.

  9. Type your user pool domain into Allowed Origins.

    https://<your-user-pool-domain>
  10. Type your user pool domain with the /oauth2/idpresponse endpoint into Allowed Return URLs.

    https://<your-user-pool-domain>/oauth2/idpresponse
  11. Choose Save.

To register an app with Google
  1. Create a developer account with Google.

  2. Sign in with your Google credentials.

  3. Choose CONFIGURE A PROJECT.

  4. Type in a project name and choose NEXT.

  5. Type in your product name and choose NEXT.

  6. Choose Web browser from the Where are you calling from? drop-down list.

  7. Type your user pool domain into Authorized JavaScript origins.

    https://<your-user-pool-domain>
  8. Choose CREATE. You will not use the Client ID and Client Secret from this step.

  9. Choose DONE.

  10. Sign in to the Google Console.

  11. On the left navigation bar, choose Credentials.

  12. Create your OAuth 2.0 credentials by choosing OAuth client ID from the Create credentials drop-down list.

  13. Choose Web application.

  14. Type your user pool domain into Authorized JavaScript origins.

    https://<your-user-pool-domain>
  15. Type your user pool domain with the /oauth2/idpresponse endpoint into Authorized Redirect URIs.

    https://<your-user-pool-domain>/oauth2/idpresponse
  16. Choose Create twice.

  17. Note the OAuth client ID and client secret. You will need them for the next section.

  18. Choose OK.

Step 2: Add a Social IdP to Your User Pool

In this section, you configure a social IdP in your user pool using the client ID and client secret from the previous section.

To configure a user pool social identity provider with the AWS Management Console

  1. Go to the Amazon Cognito console. You might be prompted for your AWS credentials.

  2. Choose Manage your User Pools.

  3. Choose an existing user pool from the list, or create a user pool.

  4. On the left navigation bar, choose Identity providers.

  5. Choose a social identity provider: Facebook, Google, or Login with Amazon.

  6. Type the app client ID and app client secret that you received from the social identity provider in the previous section.

  7. Type the names of the scopes that you want to authorize. Scopes define which user attributes (such as name and email) you want to access with your app. For Facebook, these should be separated by commas. For Google and Login with Amazon, they should be separated by spaces.

    Social identity provider | Example scopes
    -------------------------|----------------------
    Facebook                 | public_profile, email
    Google                   | profile email openid
    Login with Amazon        | profile postal_code

    Your app user is asked to consent to providing these attributes to your app. For more information about their scopes, see the documentation from Google, Facebook, and Login with Amazon.

  8. Choose Enable for the social identity provider that you're configuring.

  9. Choose App client settings from the navigation bar.

  10. Select your social identity provider as one of the Enabled Identity Providers for your user pool app.

  11. Type your callback URL into Callback URL(s) for your user pool app. This is the URL of the page where your user will be redirected after a successful sign-in.

    https://www.example.com
  12. Choose Save changes.

  13. On the Attribute mapping tab, add mappings for at least the required attributes, typically email, as follows:

    1. Select the check box to choose the Facebook, Google, or Amazon attribute name. You can also type the names of additional attributes that aren't listed in the Amazon Cognito console.

    2. Choose the destination user pool attribute from the drop-down list.

    3. Choose Save changes.

    4. Choose Go to summary.

Step 3: Test Your Social IdP Configuration

You can create a login URL by using the elements from the previous two sections. Use it to test your social IdP configuration.

https://your_user_pool_domain/login?response_type=code&client_id=your_client_id&redirect_uri=https://www.example.com

You can find your domain on the user pool Domain name console page. The client_id is on the App client settings page. Use your callback URL for the redirect_uri parameter. The callback URL address will be different from your user pool domain.
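The following is an added example, not code from the Amazon Cognito documentation, showing how to assemble the login URL above with proper URL encoding, refuse a redirect_uri that is not one of the configured Callback URL(s) (Cognito compares it exactly and rejects anything else), and check the code and state that come back on the callback. The domain, client ID and callback URL are constructed placeholders; the state parameter is standard OAuth 2.0 and is assumed here, the page itself does not mention it.

```python
from secrets import token_urlsafe
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholder values (not real identifiers); substitute your own.
USER_POOL_DOMAIN = "your_user_pool_domain"   # from the Domain name console page
CLIENT_ID = "your_client_id"                 # from the App client settings page
CALLBACK_URLS = {"https://www.example.com"}  # exactly what was typed into Callback URL(s)


def build_login_url(domain, client_id, redirect_uri, allowed_callbacks, state=None):
    """Build the hosted-UI /login URL from the page.

    redirect_uri must match a configured callback URL exactly; Cognito rejects
    any other value, so failing early here makes a misconfiguration obvious.
    Cognito only accepts HTTPS callbacks, with http://localhost as the one exception.
    """
    if redirect_uri not in allowed_callbacks:
        raise ValueError(f"redirect_uri {redirect_uri!r} is not a configured callback URL")
    if not (redirect_uri.startswith("https://") or redirect_uri.startswith("http://localhost")):
        raise ValueError("callback URLs must use HTTPS (http is only allowed for localhost)")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri}
    if state is not None:
        params["state"] = state  # opaque value tied to the browser session (assumed, not on the page)
    return f"https://{domain}/login?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the URL the user lands on after sign-in.

    Cognito appends ?code=...&state=... to the callback URL (or ?error=... when the
    IdP sign-in fails). The state must equal the one sent in build_login_url.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "error" in query:
        raise RuntimeError(f"IdP sign-in failed: {query['error'][0]}")
    return query["code"][0]


if __name__ == "__main__":
    state = token_urlsafe(16)
    print(build_login_url(USER_POOL_DOMAIN, CLIENT_ID, "https://www.example.com", CALLBACK_URLS, state))
```

Open the printed URL in a browser; after signing in with the social IdP, paste the address you are redirected to into parse_callback with the same state to confirm a code was issued.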

Next Step

Step 4. Add Sign-in with a SAML Identity Provider to a User Pool (Optional)