OAuth 2.0, OpenID Connect, and SAML 2.0 federation endpoints reference
Amazon Cognito activates the endpoints in this section when you add a domain to your user pool. The federation endpoints aren't user-interactive. They perform a service role for your app to communicate with third-party OAuth 2.0, OIDC, and SAML 2.0 identity providers (IdPs).
The topics in this guide describe several frequently-used OAuth 2.0 and OIDC endpoints. Amazon Cognito creates the following endpoints when you assign a domain to your user pool.
User pool federation endpoints

Endpoint URL | Description | How it's accessed
---|---|---
https://*Your user pool domain*/oauth2/authorize | Redirects a user to either the hosted UI or to sign in with their IdP. | Direct link. See Authorize endpoint.
https://*Your user pool domain*/oauth2/token | Returns tokens based on an authorization code or client credentials request. | Direct link. See Token endpoint.
https://*Your user pool domain*/oauth2/userInfo | Returns user attributes based on OAuth 2.0 scopes and user identity in an access token. | Direct link. See UserInfo endpoint.
https://*Your user pool domain*/oauth2/revoke | Revokes a refresh token and the associated access tokens. | Direct link. See Revoke endpoint.
https://cognito-idp.*Region*.amazonaws.com/*your user pool ID*/.well-known/openid-configuration | A directory of the OIDC architecture of your user pool. | Direct link.
https://cognito-idp.*Region*.amazonaws.com/*your user pool ID*/.well-known/jwks.json | Public keys that you can use to validate Amazon Cognito tokens. | Direct link.
https://*Your user pool domain*/oauth2/idpresponse | Social identity providers must redirect your users to this endpoint with an authorization code. Amazon Cognito redeems the code for a token when it authenticates your federated user. | Redirected from OIDC IdP sign-in as the IdP client callback URL.
https://*Your user pool domain*/saml2/idpresponse | To authenticate your SAML 2.0 federated user, your identity provider must redirect your users to this endpoint with a SAML response. | Redirected from SAML 2.0 IdP as the single sign-on URL.
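The following Python is added here as an illustration and is not code from the AWS documentation. It builds the /oauth2/authorize link with PKCE, the matching back-channel /oauth2/token request, and the issuer value that the openid-configuration and jwks.json URLs hang off, then applies the claim checks a relying party should run after a token's signature has been verified against a jwks.json key. The domain, region, pool ID, client ID and redirect URI are placeholder assumptions.

```python
import base64, hashlib, secrets, time
from urllib.parse import urlencode

# Hypothetical values for the example (not from the page); replace with your own.
DOMAIN = "example-app.auth.us-east-1.amazoncognito.com"
REGION, POOL_ID, CLIENT_ID = "us-east-1", "us-east-1_EXAMPLE", "example-client-id"
REDIRECT_URI = "https://app.example.com/callback"

def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def authorize_url(challenge, state, scopes=("openid", "email")):
    """Link to send the browser to: the /oauth2/authorize endpoint from the table."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": " ".join(scopes), "state": state,
              "code_challenge_method": "S256", "code_challenge": challenge}
    return f"https://{DOMAIN}/oauth2/authorize?" + urlencode(params)

def token_request(code, verifier):
    """URL and form body for the back-channel POST to /oauth2/token."""
    body = {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code": code, "code_verifier": verifier}
    return f"https://{DOMAIN}/oauth2/token", body

def issuer():
    """Expected iss claim; append /.well-known/openid-configuration or /.well-known/jwks.json."""
    return f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"

def check_claims(claims, now=None):
    """Claim checks to apply after the signature has verified against a jwks.json key."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer():
        return "wrong issuer"
    if claims.get("exp", 0) <= now:
        return "expired"
    use = claims.get("token_use")
    if use == "access" and claims.get("client_id") == CLIENT_ID:
        return "ok"
    if use == "id" and claims.get("aud") == CLIENT_ID:
        return "ok"
    return "wrong audience or token_use"

# Constructed sample claims (not a real token) to exercise check_claims offline.
SAMPLE_ACCESS_CLAIMS = {"iss": issuer(), "token_use": "access",
                        "client_id": CLIENT_ID, "exp": 2_000_000_000}
```

Signature verification itself (fetching jwks.json, matching the token's kid, checking the JWS) is left to a JWT library; these checks cover the claims that library does not know about.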
For more information on the OpenID Connect and OAuth standards, see OpenID Connect 1.0