Amazon Cognito
Developer Guide

OIDC User Pool IdP Authentication Flow

When your user signs in to your application using an OIDC IdP, this is the authentication flow.

  1. Your user lands on the Amazon Cognito built-in sign-in page, and is offered the option to sign in through an OIDC IdP such as Salesforce.

  2. Your user is redirected to the OIDC IdP's authorization endpoint.

  3. After your user is authenticated, the OIDC IdP redirects to Amazon Cognito with an authorization code.

  4. Amazon Cognito exchanges the authorization code with the OIDC IdP for an access token.

  5. Amazon Cognito creates or updates the user account in your user pool.

  6. Amazon Cognito issues your application bearer tokens, which might include identity, access, and refresh tokens.

Figure: User pool OIDC IdP authentication flow

OIDC is an identity layer on top of OAuth 2.0 that specifies JSON-formatted (JWT) identity tokens, which IdPs issue to OIDC client apps (relying parties). See the documentation for your OIDC IdP for information about how to add Amazon Cognito as an OIDC relying party.

When a user authenticates, the user pool returns ID, access, and refresh tokens. The ID token is a standard OIDC token for identity management, and the access token is a standard OAuth 2.0 token.
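The following is a runnable model of steps 2 through 4 of the flow above, added here as an example; it is not code from Amazon Cognito or from any IdP. A stand-in IdP issues a single-use authorization code, and the relying party (the role the user pool plays) checks the `state` it generated, authenticates with its client credentials and registered redirect URI, and verifies the ID token's issuer, audience and `nonce` before accepting the sign-in. All names, URLs and credentials are constructed for the example.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

def _query(url):  # flatten the query string of a redirect URL into a dict
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class OidcIdp:  # stand-in for the OIDC IdP (constructed for this example, not a real IdP)
    def __init__(self, issuer, client_id, client_secret, redirect_uri):
        self.issuer, self.client_id, self.client_secret, self.redirect_uri = issuer, client_id, client_secret, redirect_uri
        self._codes = {}  # one-time authorization codes -> (subject, nonce)
    def authorize(self, auth_url, subject):
        # Steps 2-3: the user authenticates here; a code is issued only for the registered client and redirect URI, bound to this sign-in's nonce
        q = _query(auth_url)
        if (q["client_id"], q["redirect_uri"]) != (self.client_id, self.redirect_uri):
            raise ValueError("unknown client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (subject, q["nonce"])
        return f"{self.redirect_uri}?{urlencode({'code': code, 'state': q['state']})}"
    def token(self, code, client_id, client_secret, redirect_uri):
        # Step 4: the code is redeemed once, by the authenticated client, for the same redirect URI
        if (client_id, client_secret, redirect_uri) != (self.client_id, self.client_secret, self.redirect_uri):
            raise ValueError("client authentication failed")
        subject, nonce = self._codes.pop(code)  # KeyError: unknown or already-redeemed code
        return {"access_token": secrets.token_urlsafe(16),
                "id_token": {"iss": self.issuer, "aud": client_id, "sub": subject, "nonce": nonce}}

class RelyingParty:  # models the user pool in its role as OIDC client of the IdP
    def __init__(self, idp, client_id, client_secret, redirect_uri):
        self.idp, self.client_id, self.client_secret, self.redirect_uri = idp, client_id, client_secret, redirect_uri
        self._pending = {}  # state -> nonce for each sign-in still in flight
    def start_login(self):
        # Step 2: redirect the browser to the IdP's authorization endpoint with fresh state and nonce
        state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self._pending[state] = nonce
        params = {"response_type": "code", "client_id": self.client_id, "scope": "openid",
                  "redirect_uri": self.redirect_uri, "state": state, "nonce": nonce}
        return f"{self.idp.issuer}/authorize?{urlencode(params)}"
    def finish_login(self, callback_url):
        # Steps 3-4: accept the callback only for a sign-in we started, then redeem the code
        q = _query(callback_url)
        nonce = self._pending.pop(q["state"])  # KeyError: state is not ours, reject the callback
        idt = self.idp.token(q["code"], self.client_id, self.client_secret, self.redirect_uri)["id_token"]
        if (idt["iss"], idt["aud"], idt["nonce"]) != (self.idp.issuer, self.client_id, nonce):
            raise ValueError("id_token was not issued for this sign-in")
        return idt["sub"]  # step 5 would create or update this user in the pool

def make_pair():  # constructed sample client registration; real values come from the IdP's app registration
    args = ("cognito-client", "s3cret", "https://auth.example/callback")
    idp = OidcIdp("https://idp.example", *args)
    return idp, RelyingParty(idp, *args)
```

A real relying party additionally verifies the ID token's signature against the IdP's published keys and its expiry; the in-memory dicts stand in for the IdP's and the user pool's own storage.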