OIDC user pool IdP authentication flow

When your user signs in to your application using an OIDC IdP, they pass through the following authentication flow.

Your user lands on the Amazon Cognito built-in sign-in page, and is offered the option to sign in through an OIDC IdP such as Salesforce.
Your user is redirected to the authorization endpoint of the OIDC IdP.
After your user is authenticated, the OIDC IdP redirects to Amazon Cognito with an authorization code.
Amazon Cognito exchanges the authorization code with the OIDC IdP for an access token.
Amazon Cognito creates or updates the user account in your user pool.
Amazon Cognito issues your application bearer tokens, which might include identity, access, and refresh tokens.

Note

Amazon Cognito cancels authentication requests that do not complete within 5 minutes, and redirects the user to the hosted UI. The page displays a Something went wrong error message.

OIDC is an identity layer on top of OAuth 2.0, which specifies JSON-formatted (JWT) identity tokens that are issued by IdPs to OIDC client apps (relying parties). See the documentation for your OIDC IdP for information about to add Amazon Cognito as an OIDC relying party.

When a user authenticates, the user pool returns ID, access, and refresh tokens. The ID token is a standard OIDC token for identity management, and the access token is a standard OAuth 2.0 token.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Adding OIDC providers

Specifying attribute mappings