OAuth 2.0, OpenID Connect, and SAML 2.0 federation endpoints reference - Amazon Cognito

Amazon Cognito activates the endpoints in this section when you add a domain to your user pool. Apart from the authorize endpoint, which sends the user's browser to the hosted UI or to their IdP, the federation endpoints aren't user-interactive: your app calls them directly, and third-party OAuth 2.0, OIDC, and SAML 2.0 identity providers (IdPs) redirect to them to complete a federated sign-in.

The topics in this guide describe several frequently used OAuth 2.0 and OIDC endpoints. Amazon Cognito creates the following endpoints when you assign a domain to your user pool.

User pool federation endpoints

Endpoint: https://<your user pool domain>/oauth2/authorize
  Description: Redirects a user to either the hosted UI or to sign in with their IdP.
  How it's accessed: Direct link (browser navigation). See Authorize endpoint.

Endpoint: https://<your user pool domain>/oauth2/token
  Description: Returns tokens based on an authorization code, refresh token, or client credentials request.
  How it's accessed: Direct link (HTTP POST). See Token endpoint.

Endpoint: https://<your user pool domain>/oauth2/userInfo
  Description: Returns user attributes based on the OAuth 2.0 scopes and user identity in an access token.
  How it's accessed: Direct link. See UserInfo endpoint.

Endpoint: https://<your user pool domain>/oauth2/revoke
  Description: Revokes a refresh token and all access tokens that were issued from it.
  How it's accessed: Direct link. See Revoke endpoint.

Endpoint: https://cognito-idp.<Region>.amazonaws.com/<your user pool ID>/.well-known/openid-configuration
  Description: The OIDC discovery document for your user pool: the issuer, the endpoint URLs, and the supported scopes, response types, and token signing algorithms.
  How it's accessed: Direct link.

Endpoint: https://cognito-idp.<Region>.amazonaws.com/<your user pool ID>/.well-known/jwks.json
  Description: Public keys (a JWK Set) that you use to validate the signatures of Amazon Cognito ID and access tokens. Select the key by the kid in the token header. A signature check alone is not enough: also check the iss, token_use, and exp claims, and the aud claim (ID token) or client_id claim (access token) against your app client ID.
  How it's accessed: Direct link.

Endpoint: https://<your user pool domain>/oauth2/idpresponse
  Description: Social and OIDC identity providers must redirect your users to this endpoint with an authorization code. Amazon Cognito redeems the code for a token when it authenticates your federated user.
  How it's accessed: Redirect from the OIDC IdP after sign-in. Register this URL as the callback (redirect) URL in the IdP's app client configuration.

Endpoint: https://<your user pool domain>/saml2/idpresponse
  Description: To authenticate your SAML 2.0 federated user, your identity provider must redirect your users to this endpoint with a SAML response.
  How it's accessed: Redirect (POST) from the SAML 2.0 IdP. Register this URL as the single sign-on (assertion consumer service) URL in the IdP.
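The authorize, token, and idpresponse rows above describe one round trip: the app sends the browser to /oauth2/authorize, Cognito (after the IdP has returned to /oauth2/idpresponse) redirects back to the app with a code and the app's state, and the app exchanges the code at /oauth2/token. The following Python script is an added example, not code from the Amazon Cognito documentation: it builds that authorize URL with a PKCE S256 challenge and a state value, checks the state on the redirect back to the app, and builds the form body for the token request. The user pool domain, app client ID, and redirect URI are assumed placeholder values, the callback URL it parses is constructed for the demo, and the script makes no network calls.

```python
"""Authorization code + PKCE against the Cognito authorize and token endpoints.

Added example with assumed placeholder values; it only builds and parses messages.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

DOMAIN = "https://auth.example.auth.us-east-1.amazoncognito.com"  # assumed user pool domain
CLIENT_ID = "1example23456789"                                    # assumed app client ID
REDIRECT_URI = "https://app.example.com/callback"                 # assumed app client callback URL


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method: BASE64URL(SHA-256(verifier))."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 unreserved characters, the RFC minimum
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def new_state():
    """Unguessable per-session value; Cognito echoes it back so the app can match the reply."""
    return b64url(secrets.token_bytes(16))


def build_authorize_url(state, code_challenge, scope="openid email", identity_provider=None):
    """Link the browser follows to /oauth2/authorize."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge_method": "S256",  # the only PKCE method Cognito accepts
        "code_challenge": code_challenge,
    }
    if identity_provider:  # e.g. "Google", or the name of a configured OIDC/SAML provider
        params["identity_provider"] = identity_provider
    return f"{DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect back to REDIRECT_URI; reject bad state and IdP errors."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: reply does not belong to this session")
    if "error" in query:
        raise ValueError(f"authorization error: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("no authorization code in callback")
    return query["code"][0]


def build_token_request(code, code_verifier):
    """Endpoint, headers and form body for /oauth2/token; the verifier proves who started the flow."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the value sent to /oauth2/authorize
        "code_verifier": code_verifier,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"{DOMAIN}/oauth2/token", headers, urlencode(body)


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state = new_state()
    print(build_authorize_url(state, challenge, identity_provider="Google"))
    # Constructed redirect back to the app, standing in for the real reply from /oauth2/authorize:
    code = parse_callback(f"{REDIRECT_URI}?code=abc123&state={state}", state)
    print(build_token_request(code, verifier))
```

If the app client was created with a client secret, Cognito expects it in an Authorization: Basic base64(client_id:client_secret) header on the token request; public clients (single-page and mobile apps) rely on the PKCE verifier instead. Keep the verifier and the state in the session that started the flow, never in a URL or a cookie the IdP can see.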

For more information on the OpenID Connect and OAuth standards, see OpenID Connect 1.0 and OAuth 2.0.
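The jwks.json row above gives the public keys; it does not say what a verifier has to check. The following Python script, an added example that is not part of the AWS documentation, implements RS256 (RSASSA-PKCS1-v1_5 with SHA-256) over a JWK Set with the standard library only, selects the key by the kid in the token header, and then applies the claim checks AWS documents for user pool tokens: iss equals the pool's issuer URL, token_use is what the caller expects, aud (ID token) or client_id (access token) equals the app client ID, and exp is in the future. The user pool ID, app client ID, and key ID are assumed placeholders, and the script generates its own throwaway RSA key so it can mint a token to verify; a real verifier only ever holds the public keys it fetched from jwks.json.

```python
"""Verify a Cognito-style RS256 JWT against a JWKS document, standard library only (added example)."""
import base64, hashlib, json, random, time

ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # assumed user pool ID
CLIENT_ID = "1example23456789"                                             # assumed app client ID
KID = "demo-kid-1"                                                         # assumed key ID
NOW = 1_700_000_000                                                        # fixed clock for the demo

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _require(cond, why):
    if not cond:
        raise ValueError(why)

def _probable_prime(n, rounds=20):  # Miller-Rabin; demo key material only, not a production keygen
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False  # witness found: composite
    return True

def _gen_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _probable_prime(cand):
            return cand

def make_demo_key(bits=1024):
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, phi)}

# RSASSA-PKCS1-v1_5 with SHA-256 (RFC 8017), which JOSE calls RS256.
_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa(msg, k):
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(key, signing_input):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(signing_input, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(n, e, signing_input, sig):
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(signing_input, k)

def jwks_for(key, kid):  # shape of a jwks.json entry: RSA public key as base64url big-endian n and e
    enc = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": enc(key["n"]), "e": enc(key["e"])}]}

def mint_token(key, kid, claims):  # stand-in for the token endpoint: header.payload.signature
    h = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{h}.{p}"
    return f"{signing_input}.{b64url_encode(rs256_sign(key, signing_input.encode()))}"

def verify_cognito_jwt(token, jwks, issuer, client_id, token_use, now=None):
    """Signature via kid lookup, then the claim checks AWS documents for user pool tokens."""
    now = time.time() if now is None else now
    parts = token.split(".")
    _require(len(parts) == 3, "malformed JWT")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    _require(header.get("alg") == "RS256", "unexpected alg")  # pin the algorithm; never let the token choose it
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    _require(key is not None, "unknown kid")  # on key rotation, refetch jwks.json once, then fail
    n, e = (int.from_bytes(b64url_decode(key[f]), "big") for f in ("n", "e"))
    _require(rs256_verify(n, e, f"{h}.{p}".encode(), b64url_decode(s)), "bad signature")
    claims = json.loads(b64url_decode(p))
    _require(claims.get("iss") == issuer, "wrong issuer")
    _require(claims.get("token_use") == token_use, "wrong token_use")  # "id" vs "access": never swap them
    _require((claims.get("aud") if token_use == "id" else claims.get("client_id")) == client_id, "wrong audience")
    _require(isinstance(claims.get("exp"), (int, float)) and claims["exp"] > now, "expired")
    return claims

def rejection_reason(token, jwks, issuer, client_id, token_use, now=None):
    """None if the token verifies, otherwise why it was rejected."""
    try:
        verify_cognito_jwt(token, jwks, issuer, client_id, token_use, now)
    except ValueError as exc:
        return str(exc)
    return None

DEMO_KEY = make_demo_key()  # throwaway signer for the demo; Cognito's private key is never exposed
DEMO_JWKS = jwks_for(DEMO_KEY, KID)

def demo_id_token(sub="demo-user", exp=NOW + 3600):  # constructed ID-token claims, not a real Cognito token
    return mint_token(DEMO_KEY, KID, {"iss": ISSUER, "aud": CLIENT_ID, "token_use": "id", "sub": sub, "iat": NOW, "exp": exp})
```

Run verify_cognito_jwt(demo_id_token(), DEMO_JWKS, ISSUER, CLIENT_ID, "id", now=NOW) to see the accepted claims, and rejection_reason with a wrong client ID, an expired exp, or token_use="access" to see each check fire. Cache the JWK Set and refetch it once when a token carries an unknown kid (key rotation), but do not refetch on every unknown kid, or forged tokens become a request amplifier against the JWKS endpoint.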