Step 3. Add social sign-in to a user pool (optional)
You can enable your app users to sign in through a social identity provider (IdP) such as Facebook, Google, Amazon, or Apple. Whether your users sign in directly or through a third party, every user has a profile in the user pool. Skip this step if you don't want to add sign-in through a social IdP.
Step 1: Register with a social IdP
Before you create a social IdP in Amazon Cognito, you must register your application with the social IdP to receive a client ID and client secret. Each IdP also needs to know the URL to which it returns the user after sign-in; for an Amazon Cognito user pool that is always the user pool domain plus the /oauth2/idpresponse endpoint, where the user pool domain is either your Amazon Cognito prefix domain (your-prefix.auth.your-region.amazoncognito.com) or your custom domain. Register that URL exactly as shown below, including the https scheme and the path: IdPs reject redirects to URLs that do not match a registered value. Treat each client secret as a credential and enter it only into the user pool configuration in Step 2.
- Create a developer account with Facebook.
- Sign in with your Facebook credentials.
- From the My Apps menu, choose Create New App.
- Enter a name for your Facebook app and choose Create App ID.
- On the left navigation bar, choose Settings, and then choose Basic.
- Note the App ID and the App Secret. You will use them in the next section.
- Choose + Add Platform from the bottom of the page.
- Choose Website.
- Under Website, enter a sign-in URL for your app client endpoint into Site URL. Your sign-in URL should be in the following format:
  https://your_user_pool_domain/login?response_type=code&client_id=your_app_client_id&redirect_uri=your_callback_url
- Choose Save changes.
- For App Domains, enter your user pool domain:
  https://your_user_pool_domain
- Choose Save changes.
- From the navigation bar, choose Products, and then Set up from Facebook Login.
- From the navigation bar, choose Facebook Login and then Settings. Enter your redirect URL into Valid OAuth Redirect URIs. The redirect URL consists of your user pool domain with the /oauth2/idpresponse endpoint:
  https://your_user_pool_domain/oauth2/idpresponse
- Choose Save changes.
- Create a developer account with Amazon.
- Sign in with your Amazon credentials.
- You need to create an Amazon security profile to receive the Amazon client ID and client secret. Choose Apps and Services from the navigation bar at the top of the page, and then choose Login with Amazon.
- Choose Create a Security Profile.
- Enter a Security Profile Name, a Security Profile Description, and a Consent Privacy Notice URL.
- Choose Save.
- Choose Client ID and Client Secret to show the client ID and secret. You will use them in the next section.
- Hover over the gear icon and choose Web Settings, and then choose Edit.
- Enter your user pool domain into Allowed Origins:
  https://<your-user-pool-domain>
- Enter your user pool domain with the /oauth2/idpresponse endpoint into Allowed Return URLs:
  https://<your-user-pool-domain>/oauth2/idpresponse
- Choose Save.
- Create a developer account with Google.
- Sign in with your Google credentials.
- Choose CONFIGURE A PROJECT.
- Enter a project name, and then choose NEXT.
- Enter your product name, and then choose NEXT.
- Select Web browser from the Where are you calling from? drop-down list.
- Enter your user pool domain into the Authorized JavaScript origins field:
  https://<your-user-pool-domain>
- Choose CREATE. You will not use the Client ID and Client Secret from this step.
- Choose DONE.
- Sign in to the Google Console.
- On the left navigation bar, choose Credentials.
- Create your OAuth 2.0 credentials by choosing OAuth client ID from the Create credentials drop-down list.
- Choose Web application.
- Enter your user pool domain into the Authorized JavaScript origins field:
  https://<your-user-pool-domain>
- Enter your user pool domain with the /oauth2/idpresponse endpoint into the Authorized Redirect URIs field:
  https://<your-user-pool-domain>/oauth2/idpresponse
- Choose Create twice.
- Note the OAuth client ID and client secret. You will need them for the next section.
- Choose OK.
- Create a developer account with Apple.
- Sign in with your Apple credentials.
- On the left navigation bar, choose Certificates, IDs & Profiles.
- On the left navigation bar, choose Identifiers.
- On the Identifiers page, choose the + icon.
- On the Register a New Identifier page, choose App IDs, and then choose Continue.
- On the Register an App ID page, do the following:
  - Under Description, type a description.
  - Under App ID Prefix, type an identifier. Make a note of the value under App ID Prefix; this is your Apple team ID. You will use this value after you choose Apple as your identity provider in Step 2: Add a social IdP to your user pool.
  - Under Capabilities, choose Sign In with Apple, and then choose Edit.
  - On the Sign in with Apple: App ID Configuration page, select the appropriate setting for your app, and then choose Save.
  - Choose Continue.
- On the Confirm your App ID page, choose Register.
- On the Identifiers page, hover over App IDs on the right side of the page, choose Services IDs, and then choose the + icon.
- On the Register a New Identifier page, choose Services IDs, and then choose Continue.
- On the Register a Services ID page, do the following:
  - Under Description, type a description.
  - Under Identifier, type an identifier. Make a note of this Services ID; you will need this value after you choose Apple as your identity provider in Step 2: Add a social IdP to your user pool.
  - Select Sign In with Apple, and then choose Configure.
  - On the Web Authentication Configuration page, choose a Primary App ID. Under Web Domain, type your user pool domain. Under Return URLs, type your user pool domain and include the /oauth2/idpresponse endpoint. For example:
    https://<your-user-pool-domain>/oauth2/idpresponse
  - Choose Add, and then Save. You do not need to verify the domain.
  - Choose Continue, and then choose Register.
- On the left navigation bar, choose Keys.
- On the Keys page, choose the + icon.
- On the Register a New Key page, do the following:
  - Under Key Name, enter a key name.
  - Choose Sign In with Apple, and then choose Configure.
  - On the Configure Key page, choose a Primary App ID, and then choose Save.
  - Choose Continue, and then choose Register.
- On the Download Your Key page, choose Download to download the private key and note the Key ID shown, and then choose Done. You will need this private key and the Key ID value shown on this page after you choose Apple as your identity provider in Step 2: Add a social IdP to your user pool. Apple lets you download the key only once, so store it securely: it is the signing key for the client secret that Amazon Cognito presents to Apple on your behalf, and anyone holding it can impersonate your app to Apple.
Step 2: Add a social IdP to your user pool
In this section, you configure a social IdP in your user pool using the client ID and client secret from the previous section. For Apple, the Services ID takes the place of the client ID, and the team ID, key ID, and downloaded private key take the place of the client secret. Also enable the new IdP for the app client that will use it; the hosted UI only offers the IdPs enabled for the app client named in the login URL.
Step 3: Test your social IdP configuration
You can create a login URL by using the elements from the previous two sections. Use it to test your social IdP configuration.
https://<your_user_pool_domain>/login?response_type=code&client_id=<your_client_id>&redirect_uri=https://www.example.com
You can find your domain on the user pool Domain name console page. The client_id is on the App client settings page. Use your callback URL for the redirect_uri parameter. This is the URL of the page where your user will be redirected after a successful authentication. The value must exactly match one of the callback URLs configured for the app client (scheme, host, port, and path); otherwise Amazon Cognito displays a redirect_mismatch error instead of sending the user anywhere, which is the intended protection against authorization codes being delivered to an attacker-controlled URL. When you paste the URL into a browser, percent-encode the redirect_uri value if it contains reserved characters such as ? or &.
Amazon Cognito cancels authentication requests that do not complete within 5 minutes, and redirects the user to the hosted UI. The page displays a Something went wrong error message.
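The following script is an added example and is not part of the Amazon Cognito documentation or of any AWS SDK. It shows, in working code, how the URLs from Step 1 and Step 3 fit together: the /oauth2/idpresponse value you register with each IdP, a login URL like the one above but with the state and PKCE (S256) parameters a public client should always send, the state check a relying party must perform on the callback, and the body of the token request that redeems the authorization code. It targets the /oauth2/authorize endpoint on the user pool domain, which accepts the same response_type, client_id, and redirect_uri parameters as the /login page plus identity_provider and the PKCE parameters; the domain, app client ID, and callback URL in the comments are constructed placeholders, and nothing is sent over the network.

```python
"""Build and check an Amazon Cognito hosted-UI sign-in URL for a social IdP.

Added example, not code from the Amazon Cognito documentation. The domain,
client ID, and callback URL used in comments are constructed placeholders.
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

IDP_RESPONSE_PATH = "/oauth2/idpresponse"


def idp_redirect_uri(user_pool_domain: str) -> str:
    """Return the URL to register with the social IdP (Step 1) as its redirect/return URL.

    The IdP sends the user here; Amazon Cognito then redirects to the app client's
    own callback URL. Register it exactly: scheme, host, and path.
    """
    if "://" in user_pool_domain or "/" in user_pool_domain:
        raise ValueError("pass the bare domain, e.g. your-prefix.auth.us-east-1.amazoncognito.com")
    return f"https://{user_pool_domain}{IDP_RESPONSE_PATH}"


def pkce_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: base64url(SHA-256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


@dataclass(frozen=True)
class LoginRequest:
    url: str            # send the browser here
    state: str          # keep server-side (or in the session) to check the callback
    code_verifier: str  # keep secret until the token request


def build_login_url(user_pool_domain: str, client_id: str, callback_url: str,
                    identity_provider: Optional[str] = None,
                    scope: str = "openid email profile") -> LoginRequest:
    """Build the hosted-UI authorization URL with state and PKCE added.

    state stops an attacker from completing a login in the victim's browser
    (CSRF / session fixation); the PKCE challenge binds the eventual token
    request to this browser session, so a leaked authorization code alone is
    useless. identity_provider ("Facebook", "Google", "LoginWithAmazon",
    "SignInWithApple") skips the hosted-UI chooser and goes straight to that IdP.
    """
    code_verifier = secrets.token_urlsafe(64)  # 86 chars, within RFC 7636's 43..128
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": callback_url,  # must match an app client callback URL exactly
        "scope": scope,
        "state": state,
        "code_challenge_method": "S256",
        "code_challenge": pkce_challenge(code_verifier),
    }
    if identity_provider:
        params["identity_provider"] = identity_provider
    # urlencode percent-encodes redirect_uri and the spaces in scope for us.
    url = f"https://{user_pool_domain}/oauth2/authorize?{urlencode(params)}"
    return LoginRequest(url, state, code_verifier)


def parse_callback(received_url: str, expected_state: str) -> str:
    """Extract the authorization code from the callback URL, refusing a bad state."""
    query = parse_qs(urlparse(received_url).query)
    if "error" in query:  # e.g. redirect_mismatch or an IdP-side failure
        raise RuntimeError(f"sign-in failed: {query['error'][0]} "
                           f"{query.get('error_description', [''])[0]}".strip())
    if not secrets.compare_digest(query.get("state", [""])[0], expected_state):
        raise RuntimeError("state mismatch: discard this response")
    return query["code"][0]


def token_request(user_pool_domain: str, client_id: str, callback_url: str,
                  code: str, code_verifier: str) -> tuple:
    """Return (endpoint, form body) for the POST that redeems the code for tokens.

    Not sent here. redirect_uri must repeat the value from the login URL and
    code_verifier must be the one whose challenge that URL carried; Amazon
    Cognito rejects the code otherwise.
    """
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": callback_url,
        "code_verifier": code_verifier,
    }
    return f"https://{user_pool_domain}/oauth2/token", body
```

To test a configuration by hand, call build_login_url with the domain and app client ID from the console and the callback URL configured on the app client, open the returned url in a browser, then feed the address bar contents of the page you land on to parse_callback together with the stored state. A redirect_mismatch error at this point means the redirect_uri is not registered on the app client; an error from the IdP usually means the /oauth2/idpresponse URL from Step 1 was not registered exactly.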
Next step
Step 4. Add sign-in with a SAML identity provider to a user pool (optional)