OAuth 2.0, OpenID Connect, and SAML 2.0 federation endpoints reference

Amazon Cognito activates the endpoints in this section when you add a domain to your user pool. The federation endpoints aren't user-interactive: they play a service role, letting your app communicate with third-party OAuth 2.0, OIDC, and SAML 2.0 identity providers (IdPs).

The topics in this guide describe several frequently used OAuth 2.0 and OIDC endpoints. Amazon Cognito creates the following endpoints when you assign a domain to your user pool.

User pool federation endpoints

| Endpoint URL | Description | How it's accessed |
| --- | --- | --- |
| https://Your user pool domain/oauth2/authorize | Redirects a user to either the hosted UI or to sign in with their IdP. | Invoked in the customer's browser to begin user authentication. See Authorize endpoint. |
| https://Your user pool domain/oauth2/token | Returns tokens based on an authorization code or client credentials request. | Requested by the app to retrieve tokens. See Token endpoint. |
| https://Your user pool domain/oauth2/userInfo | Returns user attributes based on the OAuth 2.0 scopes and user identity in an access token. | Requested by the app to retrieve the user profile. See UserInfo endpoint. |
| https://Your user pool domain/oauth2/revoke | Revokes a refresh token and the associated access tokens. | Requested by the app to revoke a token. See Revoke endpoint. |
| https://cognito-idp.Region.amazonaws.com/your user pool ID/.well-known/openid-configuration | A directory of the OIDC architecture of your user pool. | Requested by the app to locate user pool issuer metadata. |
| https://cognito-idp.Region.amazonaws.com/your user pool ID/.well-known/jwks.json | Public keys that you can use to validate Amazon Cognito tokens. | Requested by the app to verify JWTs. |
| https://Your user pool domain/oauth2/idpresponse | Social identity providers must redirect your users to this endpoint with an authorization code. Amazon Cognito redeems the code for a token when it authenticates your federated user. | Redirected from OIDC IdP sign-in as the IdP client callback URL. |
| https://Your user pool domain/saml2/idpresponse | The Assertion Consumer Service (ACS) URL for integration with SAML 2.0 identity providers. | Redirected from the SAML 2.0 IdP as the ACS URL, or the origination point for IdP-initiated sign-in [1]. |
| https://Your user pool domain/saml2/logout | The Single Logout (SLO) URL for integration with SAML 2.0 identity providers. | Redirected from the SAML 2.0 IdP as the single logout (SLO) URL. Accepts POST binding only. |

[1] For more information about IdP-initiated SAML sign-in, see Using IdP-initiated SAML sign-in.
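The two .well-known endpoints in the table exist so that an app can verify the JWTs it receives without calling Amazon Cognito for each request: it fetches jwks.json, selects the key named by the token header's kid, checks the RS256 signature, and then checks the claims. The Go program below is an added example, not code from the AWS documentation or the Amazon Cognito service. To run offline it constructs its own RSA key pair, builds a jwks.json-shaped document from it, and signs a token in place of the token endpoint; the kid value, the app client ID and the issuer URL are placeholders, and the issuer is assumed to be the https://cognito-idp.Region.amazonaws.com/your user pool ID prefix of the .well-known URLs above. Real code fetches and caches the JWKS from the URL in the table and reads the issuer from openid-configuration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK is one entry of jwks.json; encoding/json matches its lowercase keys (kid, kty, alg, use, n, e) case-insensitively.
type JWK struct{ Kid, Kty, Alg, Use, N, E string }
type JWKS struct{ Keys []JWK } // the whole document: {"keys": [...]}
// AccessClaims are the claims checked here; an access token names its app client in client_id (an ID token uses aud).
type AccessClaims struct {
	Iss      string `json:"iss"`
	ClientID string `json:"client_id"`
	TokenUse string `json:"token_use"`
	Exp      int64  `json:"exp"`
}
var enc = base64.RawURLEncoding

// JWKSFromPublicKey builds a constructed stand-in for jwks.json holding one key; real code fetches and caches the endpoint's document.
func JWKSFromPublicKey(pub *rsa.PublicKey, kid string) JWKS {
	e := enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return JWKS{Keys: []JWK{{Kid: kid, Kty: "RSA", Alg: "RS256", Use: "sig", N: enc.EncodeToString(pub.N.Bytes()), E: e}}}
}
// keyForKid returns the RS256 key whose kid matches the token header; any other key type or alg is refused.
func keyForKid(keys JWKS, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys.Keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && k.Alg == "RS256" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RS256 key with kid %q in jwks.json", kid)
}
// SignAccessToken plays the token endpoint for this example: it issues an RS256 JWT whose header carries the kid.
func SignAccessToken(priv *rsa.PrivateKey, kid string, c AccessClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return input + "." + enc.EncodeToString(sig), err
}
// VerifyAccessToken selects the key by kid, verifies the signature, then checks iss, token_use, client_id and exp.
func VerifyAccessToken(token string, keys JWKS, issuer, clientID string, now time.Time) (*AccessClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	hb, err := enc.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" { // pin RS256; never trust the token's alg
		return nil, errors.New("bad header or unexpected alg")
	}
	pub, err := keyForKid(keys, hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := enc.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	var c AccessClaims
	cb, err := enc.DecodeString(parts[1])
	if err != nil || json.Unmarshal(cb, &c) != nil {
		return nil, errors.New("malformed claims")
	}
	// A valid signature is not enough: the token must be from this pool, an access token, issued to this app client, and unexpired.
	if c.Iss != issuer || c.TokenUse != "access" || c.ClientID != clientID || now.Unix() >= c.Exp {
		return nil, fmt.Errorf("claims rejected: iss=%q token_use=%q client_id=%q exp=%d", c.Iss, c.TokenUse, c.ClientID, c.Exp)
	}
	return &c, nil
}
// Demo runs the flow against a constructed key pair: a valid token, a clock past exp, and a verifier for another client.
func Demo() (valid, expiredRejected, wrongClientRejected bool, err error) {
	const issuer, clientID = "https://cognito-idp.REGION.amazonaws.com/USER_POOL_ID", "example-app-client-id" // placeholders
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	keys, now := JWKSFromPublicKey(&priv.PublicKey, "kid-1"), time.Now()
	tok, err := SignAccessToken(priv, "kid-1", AccessClaims{Iss: issuer, ClientID: clientID, TokenUse: "access", Exp: now.Add(time.Hour).Unix()})
	_, e1 := VerifyAccessToken(tok, keys, issuer, clientID, now)
	_, e2 := VerifyAccessToken(tok, keys, issuer, clientID, now.Add(2*time.Hour)) // clock past exp
	_, e3 := VerifyAccessToken(tok, keys, issuer, "another-client", now)          // verifier for a different app client
	return e1 == nil, e2 != nil, e3 != nil, err
}
func main() { fmt.Println(Demo()) }
```

The order of checks matters: the algorithm is pinned to RS256 before any key is looked up, the key is chosen by kid from the JWKS rather than from anything the token supplies, and only after the signature verifies are the claims compared against the pool, app client and clock that the verifier was configured with. A token issued to a different app client in the same pool carries a valid signature and passes every step except the client_id comparison, which is why that comparison is part of the example.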

For more information on the OpenID Connect and OAuth standards, see OpenID Connect 1.0 and OAuth 2.0.