Amazon Cognito
Developer Guide

LOGIN Endpoint

The /login endpoint signs the user in. It loads the login page and presents the user with the authentication options configured for the client.

GET /login

The /login endpoint supports only HTTPS GET. The user pool client makes this request through the system browser, which is typically Chrome Custom Tabs on Android and Safari View Controller on iOS.

Request Parameters

client_id

The app client ID for your app. To obtain an app client ID, register the app in the user pool. For more information, see Configuring a User Pool App Client.

Required

redirect_uri

The URI where the user is redirected after a successful authentication. It should be configured on response_type of the specified client_id.

Required

response_type

The OAuth response type, which can be code for the code grant flow or token for the implicit flow.

Required

state

An opaque value the client adds to the initial request. The value is then returned to the client upon redirect.

This value must be used by the client to prevent CSRF attacks.

Optional but strongly recommended.

scope

Can be a combination of any system-reserved scopes or custom scopes associated with a client. Scopes must be separated by spaces. System-reserved scopes are openid, email, phone, profile, and aws.cognito.signin.user.admin. Any scope used must be preassociated with the client or it is ignored at runtime.

If the client doesn't request any scopes, the authentication server uses all scopes associated with the client.

An ID token is only returned if an openid scope is requested. The access token can only be used against Amazon Cognito user pools if an aws.cognito.signin.user.admin scope is requested. The phone, email, and profile scopes can only be requested if an openid scope is also requested. These scopes dictate the claims that go inside the ID token.

Optional

Sample Request: Prompt the User to Sign in

This example displays the login screen.

GET https://mydomain.auth.us-east-1.amazoncognito.com/login?
    response_type=code&
    client_id=ad398u21ijw3s9w3939&
    redirect_uri=https://YOUR_APP/redirect_uri&
    state=STATE&
    scope=openid+profile+aws.cognito.signin.user.admin
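
The state parameter only prevents CSRF if the client generates an unguessable value per request, binds it to the user's session, and rejects any redirect whose state does not match. The following is an added example, not part of the original guide: it builds the sample request above and validates the redirect. The session object (a dict-like server-side session), the function names, and the code query parameter on the redirect (standard for the OAuth code grant flow) are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Values taken from the sample request on this page.
LOGIN_ENDPOINT = "https://mydomain.auth.us-east-1.amazoncognito.com/login"
CLIENT_ID = "ad398u21ijw3s9w3939"
REDIRECT_URI = "https://YOUR_APP/redirect_uri"


def build_login_url(session, scopes=("openid", "profile")):
    """Return the /login URL and store a fresh state value in the session."""
    # 32 random bytes from the OS CSPRNG: unguessable and unique per request.
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state  # hypothetical dict-like session store
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "scope": " ".join(scopes),  # urlencode turns the spaces into '+'
    })
    return f"{LOGIN_ENDPOINT}?{query}"


def handle_redirect(session, callback_url):
    """Return the authorization code only if state matches this session."""
    params = parse_qs(urlsplit(callback_url).query)
    # pop() makes the stored value single-use, so a replayed redirect fails.
    expected = session.pop("oauth_state", None)
    returned = params.get("state", [])
    if expected is None or len(returned) != 1:
        raise ValueError("missing or repeated state")
    # Constant-time comparison avoids leaking how much of the value matched.
    if not hmac.compare_digest(expected.encode(), returned[0].encode()):
        raise ValueError("state mismatch: possible CSRF")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing authorization code")
    return codes[0]
```
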
