Amazon Cognito
Developer Guide

Adding Social Identity Providers to a User Pool

Your web and mobile app users can sign in through social identity providers (IdP) like Facebook, Google, and Amazon. With the built-in hosted web UI, Amazon Cognito provides token handling and management for all authenticated users, so your backend systems can standardize on one set of user pool tokens.

You can add a social identity provider in the AWS Management Console, with the AWS CLI, or using Amazon Cognito API calls.


Figure: Authentication overview with social sign-in

Note

Sign-in through a third party (federation) is available in Amazon Cognito user pools. This feature is independent of federation through Amazon Cognito identity pools (federated identities).

Prerequisites

Before you begin, you need:

  • A user pool with an application client and a user pool domain. For more information, see Create a user pool.

  • A social identity provider.

Step 1: Register with a Social IdP

Before you create a social IdP with Amazon Cognito, you must register your application with the social IdP to receive a client ID and client secret.

To register an app with Facebook
  1. Create a developer account with Facebook.

  2. Sign in with your Facebook credentials.

  3. From the My Apps menu, choose Create New App.

  4. Give your Facebook app a name and choose Create App ID.

  5. On the left navigation bar, choose Settings and then Basic.

  6. Note the App ID and the App Secret. You will use them in the next section.

  7. Choose + Add Platform from the bottom of the page.

  8. Choose Website.

  9. Under Website, type your user pool domain with the /oauth2/idpresponse endpoint into Site URL.

    https://<your-user-pool-domain>/oauth2/idpresponse
  10. Choose Save changes.

  11. Type your user pool domain into App Domains.

    https://<your-user-pool-domain>
  12. Choose Save changes.

  13. From the navigation bar, choose Products and then Set up under Facebook Login.

  14. From the navigation bar, choose Facebook Login and then Settings.

    Type your redirect URL into Valid OAuth Redirect URIs. It will consist of your user pool domain with the /oauth2/idpresponse endpoint.

    https://<your-user-pool-domain>/oauth2/idpresponse
  15. Choose Save changes.

To register an app with Amazon
  1. Create a developer account with Amazon.

  2. Sign in with your Amazon credentials.

  3. You need to create an Amazon security profile to receive the Amazon client ID and client secret.

    Choose Apps and Services from the navigation bar at the top of the page and then choose Login with Amazon.

  4. Choose Create a Security Profile.

  5. Type in a Security Profile Name, a Security Profile Description, and a Consent Privacy Notice URL.

  6. Choose Save.

  7. Choose Client ID and Client Secret to show the client ID and secret. You will use them in the next section.

  8. Hover over the gear and choose Web Settings, and then choose Edit.

  9. Type your user pool domain into Allowed Origins.

    https://<your-user-pool-domain>
  10. Type your user pool domain with the /oauth2/idpresponse endpoint into Allowed Return URLs.

    https://<your-user-pool-domain>/oauth2/idpresponse
  11. Choose Save.

To register an app with Google
  1. Create a developer account with Google.

  2. Sign in with your Google credentials.

  3. Choose CONFIGURE A PROJECT.

  4. Type in a project name and choose NEXT.

  5. Type in your product name and choose NEXT.

  6. Choose Web browser from the Where are you calling from? drop-down list.

  7. Type your user pool domain into Authorized JavaScript origins.

    https://<your-user-pool-domain>
  8. Choose CREATE. You will not use the Client ID and Client Secret from this step.

  9. Choose DONE.

  10. Sign in to the Google Console.

  11. On the left navigation bar, choose Credentials.

  12. Create your OAuth 2.0 credentials by choosing OAuth client ID from the Create credentials drop-down list.

  13. Choose Web application.

  14. Type your user pool domain into Authorized JavaScript origins.

    https://<your-user-pool-domain>
  15. Type your user pool domain with the /oauth2/idpresponse endpoint into Authorized Redirect URIs.

    https://<your-user-pool-domain>/oauth2/idpresponse
  16. Choose Create twice.

  17. Note the OAuth client ID and client secret. You will need them for the next section.

  18. Choose OK.

Step 2: Add a Social IdP to Your User Pool

In this section, you configure a social IdP in your user pool using the client ID and client secret from the previous section.

To configure a user pool social identity provider with the AWS Management Console

  1. Go to the Amazon Cognito console. You might be prompted for your AWS credentials.

  2. Choose Manage your User Pools.

  3. Choose an existing user pool from the list, or create a user pool.

  4. On the left navigation bar, choose Identity providers.

  5. Choose a social identity provider: Facebook, Google, or Login with Amazon.

  6. Type the app client ID and app client secret that you received from the social identity provider in the previous section.

  7. Type the names of the scopes that you want to authorize. Scopes define which user attributes (such as name and email) you want to access with your app. For Facebook, these should be separated by commas. For Google and Login with Amazon, they should be separated by spaces.

    Social identity provider    Example scopes
    Facebook                    public_profile, email
    Google                      profile email openid
    Login with Amazon           profile postal_code

    Your app user is asked to consent to providing these attributes to your app. For more information about each provider's scopes, see the documentation from Google, Facebook, and Login with Amazon.

  8. Choose Enable for the social identity provider that you're configuring.

  9. Choose App client settings from the navigation bar.

  10. Select your social identity provider as one of the Enabled Identity Providers for your user pool app.

  11. Type your callback URL into Callback URL(s) for your user pool app. This is the URL of the page where your user will be redirected after a successful authentication.

    https://www.example.com
  12. Choose Save changes.

  13. On the Attribute mapping tab, add mappings for at least the required attributes, typically email, as follows:

    1. Select the check box to choose the Facebook, Google, or Amazon attribute name. You can also type the names of additional attributes that aren't listed in the Amazon Cognito console.

    2. Choose the destination user pool attribute from the drop-down list.

    3. Choose Save changes.

    4. Choose Go to summary.

Step 3: Test Your Social IdP Configuration

You can create a login URL by using the elements from the previous two sections. Use it to test your social IdP configuration.

https://<your_user_pool_domain>/login?response_type=code&client_id=<your_client_id>&redirect_uri=https://www.example.com

You can find your domain on the user pool Domain name console page. The client_id is on the App client settings page. Use your callback URL for the redirect_uri parameter. This is the URL of the page where your user will be redirected after a successful authentication.
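As an added example that is not part of the AWS guide, the following Python helpers capture the configuration rules from steps 2 and 3: the per-provider scope separator, the required email attribute mapping, the /oauth2/idpresponse URL registered with the IdP, and a test login URL whose redirect_uri is checked against the app client's registered callback URLs. The domain, client ID and callback values are constructed placeholders; the ProviderDetails keys are the ones the Cognito CreateIdentityProvider API uses for these three providers.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Scope separator Amazon Cognito expects for each social IdP (step 2 of the
# guide): commas for Facebook, spaces for Google and Login with Amazon.
SCOPE_SEPARATOR = {"Facebook": ",", "Google": " ", "LoginWithAmazon": " "}

def provider_details(provider, client_id, client_secret, scopes):
    """Build the ProviderDetails map passed to CreateIdentityProvider.

    The keys client_id, client_secret and authorize_scopes are the ones the
    Cognito API uses for these three providers; authorize_scopes is joined
    with the separator that provider requires. Unknown providers raise KeyError.
    """
    sep = SCOPE_SEPARATOR[provider]
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "authorize_scopes": sep.join(scopes),
    }

def check_attribute_mapping(mapping):
    """Reject an IdP-to-user-pool mapping that leaves the required email
    attribute unpopulated (mapping: user pool attribute -> IdP attribute)."""
    if "email" not in mapping:
        raise ValueError("attribute mapping must populate the user pool email attribute")
    return mapping

def idp_response_url(user_pool_domain):
    """Redirect URL registered with the social IdP in step 1 (constructed domain)."""
    return f"https://{user_pool_domain}/oauth2/idpresponse"

def login_url(user_pool_domain, client_id, redirect_uri, callback_urls):
    """Build the hosted UI /login URL from step 3. The redirect_uri must be
    one of the app client's registered callback URLs or Cognito rejects it."""
    if redirect_uri not in callback_urls:
        raise ValueError(f"{redirect_uri} is not a registered callback URL")
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri})
    return f"https://{user_pool_domain}/login?{query}"

def authorization_code(callback_url):
    """Return the one-time code Cognito appends to the callback URL after a
    successful sign-in, or None when the callback carries no code."""
    codes = parse_qs(urlparse(callback_url).query).get("code")
    return codes[0] if codes else None
```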