Identity provider and relying party endpoints
Federation endpoints are user pool endpoints that each serve one of the authentication standards a user pool implements. They include SAML ACS URLs, OIDC discovery endpoints, and service endpoints for the user pool's roles as both an identity provider and a relying party. Federation endpoints initiate authentication flows, receive proof of authentication from IdPs, and issue tokens to clients. They interact with IdPs, applications, and administrators, not directly with users.
The topics that follow this page describe the OAuth 2.0 and OIDC provider endpoints that become available when you add a domain to your user pool. The following table lists all federation endpoints.
User pool federation endpoints

| Endpoint URL | Description | How it's accessed |
|---|---|---|
| https://*Your user pool domain*/oauth2/authorize | Redirects a user either to the hosted UI or to sign in with their IdP. | Invoked in the user's browser to begin user authentication. See Authorize endpoint. |
| https://*Your user pool domain*/oauth2/token | Returns tokens based on an authorization code or a client credentials request. | Requested by the app to retrieve tokens. See Token endpoint. |
| https://*Your user pool domain*/oauth2/userInfo | Returns user attributes based on the OAuth 2.0 scopes and the user identity in an access token. | Requested by the app to retrieve the user profile. See userInfo endpoint. |
| https://*Your user pool domain*/oauth2/revoke | Revokes a refresh token and the access tokens associated with it. | Requested by the app to revoke a token. See Revoke endpoint. |
| https://cognito-idp.*Region*.amazonaws.com/*your user pool ID*/.well-known/openid-configuration | The OIDC discovery document: a directory of the OIDC architecture of your user pool. | Requested by the app to locate user pool issuer metadata. |
| https://cognito-idp.*Region*.amazonaws.com/*your user pool ID*/.well-known/jwks.json | The public keys that you can use to validate Amazon Cognito tokens. | Requested by the app to verify JWTs. |
| https://*Your user pool domain*/oauth2/idpresponse | Social and OIDC identity providers must redirect your users to this endpoint with an authorization code. Amazon Cognito redeems the code for a token when it authenticates your federated user. | Redirected from OIDC IdP sign-in as the IdP client callback URL. |
| https://*Your user pool domain*/saml2/idpresponse | The Assertion Consumer Service (ACS) URL for integration with SAML 2.0 identity providers. | Redirected from a SAML 2.0 IdP as the ACS URL, or the origination point for IdP-initiated sign-in¹. |
| https://*Your user pool domain*/saml2/logout | The Single Logout (SLO) URL for integration with SAML 2.0 identity providers. | Redirected from a SAML 2.0 IdP as the single logout (SLO) URL. Accepts the POST binding only. |
¹ For more information about IdP-initiated SAML sign-in, see Using IdP-initiated SAML sign-in.
For more information on the OpenID Connect and OAuth standards, see OpenID Connect 1.0