Open ID Connect Providers (Identity Pools) - Amazon Cognito

Open ID Connect Providers (Identity Pools)

OpenID Connect is an open standard for authentication that is supported by a number of login providers. Amazon Cognito supports linking of identities with OpenID Connect providers that are configured through AWS Identity and Access Management.

Adding an OpenID Connect Provider

For information on how to create an OpenID Connect Provider, see the IAM documentation.

Associating a Provider with Amazon Cognito

Once you've created an OpenID Connect provider in the IAM Console, you can associate it with an identity pool. All configured providers will be visible in the Edit Identity Pool screen in the Amazon Cognito Console under the OpenID Connect Providers header.

(Figure: External Provider Enhanced Authflow)

You can associate multiple OpenID Connect providers with a single identity pool.

Using OpenID Connect

Refer to your provider's documentation for how to log in and receive an ID token.

Once you have a token, add the token to the logins map, using the URI of your provider as the key.

Validating an OpenID Connect Token

When first integrating with Amazon Cognito, you may receive an InvalidToken exception. It is important to understand how Amazon Cognito validates OpenID Connect tokens.


As specified in the OpenID Connect specification, Amazon Cognito allows a grace period of 5 minutes to handle any clock skew between systems. The token is checked against the following rules:

  1. The iss parameter must match the key used in the logins map (such as

  2. The signature must be valid. The signature must be verifiable via an RSA public key.

  3. The fingerprint of the certificate hosting the public key must match the thumbprint configured on your OpenID Connect provider.

  4. If the azp parameter is present, its value must match one of the client IDs listed on your OpenID Connect provider.

  5. If the azp parameter is not present, the aud parameter must match one of the client IDs listed on your OpenID Connect provider.

A JWT decoder website is a useful resource for decoding tokens so you can inspect these claims.
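The rules above can be exercised end to end with a small stand-alone validator. The following is an added example, not AWS code and not a description of how Amazon Cognito is implemented internally: it generates a throwaway RSA key pair with the Python standard library (so it runs offline without a crypto dependency), mints a few constructed ID tokens, and checks each one the way the list describes: iss against the logins-map key, an RS256 signature, azp before aud against the registered client IDs, and exp with the 5-minute grace period. The issuer URL, subject and client IDs are constructed placeholders. Rule 3 (the certificate fingerprint) concerns the TLS certificate of the host serving the provider's public key rather than the token itself, so it is only noted in a comment. Requires Python 3.8 or later.

```python
import base64, hashlib, json, random, time

CLOCK_SKEW = 300  # the 5-minute grace period the page says Cognito applies

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _is_probable_prime(n: int, rounds: int = 16) -> bool:  # Miller-Rabin, for odd n > 29
    if any(n % p == 0 for p in (3, 5, 7, 11, 13, 17, 19, 23, 29)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_keypair(bits: int = 1024):  # toy keygen so the demo runs offline; returns ((n, e), (n, d))
    def prime(b: int) -> int:
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1  # odd, with the top bit set
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

# RS256 is RSASSA-PKCS1-v1_5 over SHA-256 (RFC 8017): EM = 0x00 0x01 || 0xff..ff || 0x00 || DigestInfo
def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_verify(signing_input: bytes, sig: bytes, pub) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(signing_input, k)

def make_id_token(claims: dict, priv) -> str:  # mint a token as a provider would (demo inputs only)
    n, d = priv
    k = (n.bit_length() + 7) // 8
    signing_input = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = pow(_emsa_pkcs1_v15(signing_input.encode(), k), d, n).to_bytes(k, "big")
    return signing_input + "." + b64url(sig)

def validate_id_token(token: str, logins_key: str, client_ids, pub, now=None) -> dict:
    # Applies the page's rules; returns the claims or raises ValueError naming the failed rule.
    now = int(time.time()) if now is None else now
    h, p, s = token.split(".")  # raises ValueError on a malformed token
    if json.loads(b64url_decode(h)).get("alg") != "RS256":
        raise ValueError("InvalidToken: alg is not RS256")  # never honour 'none' or an HMAC alg
    # Rule 2: the signature must verify under the provider's RSA public key. (Rule 3, the thumbprint
    # of the TLS certificate serving that key, is a property of the JWKS host, not of the token.)
    if not rs256_verify(f"{h}.{p}".encode(), b64url_decode(s), pub):
        raise ValueError("InvalidToken: signature does not verify")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != logins_key:  # Rule 1: iss must equal the logins-map key
        raise ValueError("InvalidToken: iss does not match the logins key")
    aud = claims.get("aud")
    if "azp" in claims:  # Rule 4: azp, when present, must be a registered client ID
        if claims["azp"] not in client_ids:
            raise ValueError("InvalidToken: azp is not a registered client ID")
    elif not any(a in client_ids for a in (aud if isinstance(aud, list) else [aud])):  # Rule 5
        raise ValueError("InvalidToken: aud is not a registered client ID")
    if "exp" not in claims or claims["exp"] + CLOCK_SKEW < now:  # expiry, with the grace period
        raise ValueError("InvalidToken: token expired beyond the grace period")
    return claims

def run_checks(now: int = 1_700_000_000) -> dict:  # constructed tokens, one per rule; {case: outcome}
    pub, priv = generate_rsa_keypair()
    issuer, client = "https://idp.example.test", "client-abc"  # constructed placeholders
    base = {"iss": issuer, "sub": "user-123", "aud": client, "iat": now, "exp": now + 3600}
    cases = {
        "valid": make_id_token(base, priv),
        "expired_within_grace": make_id_token({**base, "exp": now - 200}, priv),
        "expired": make_id_token({**base, "exp": now - 301}, priv),
        "wrong_issuer": make_id_token({**base, "iss": "https://other.example.test"}, priv),
        "azp_not_registered": make_id_token({**base, "azp": "someone-elses-client"}, priv),
    }
    h, _, s = cases["valid"].split(".")  # genuine signature reused over an edited payload
    edited = b64url(json.dumps({**base, "sub": "admin"}).encode())
    cases["tampered_payload"] = f"{h}.{edited}.{s}"
    def outcome(tok: str) -> str:
        try:
            validate_id_token(tok, issuer, {client}, pub, now=now)
            return "ok"
        except ValueError as err:
            return str(err)
    return {name: outcome(tok) for name, tok in cases.items()}
```

Calling run_checks() returns "ok" for the valid token and for the one that expired 200 seconds ago (inside the grace window), and an InvalidToken message naming the rule for the others. The signature is checked before any claim is trusted, which is the order that matters in practice: an unverified payload is attacker-controlled input.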


Android

    Map<String, String> logins = new HashMap<String, String>();
    // Key: the URI of your OIDC provider (placeholder elided on this page); value: the ID token
    logins.put("", token);
    credentialsProvider.setLogins(logins);

iOS - Objective-C

    // Key: the URI of your OIDC provider (placeholder elided on this page); value: the ID token
    credentialsProvider.logins = @{ @"": token };

iOS - Swift

To provide the OIDC ID token to Amazon Cognito, implement the AWSIdentityProviderManager protocol.

In the implementation of the logins method, return a dictionary whose key is the OIDC provider name that you configured and whose value is the current ID token of the authenticated user, as shown in the following code example.

    class OIDCProvider: NSObject, AWSIdentityProviderManager {
        func logins() -> AWSTask<NSDictionary> {
            let completion = AWSTaskCompletionSource<NSString>()
            getToken(tokenCompletion: completion)
            return completion.task.continueOnSuccessWith { (task) -> AWSTask<NSDictionary>? in
                // The key is the name of the OIDC provider as set up in the Amazon Cognito console
                // (placeholder elided on this page); the value is the ID token just obtained
                return AWSTask(result: ["": task.result!])
            } as! AWSTask<NSDictionary>
        }

        func getToken(tokenCompletion: AWSTaskCompletionSource<NSString>) {
            // Get a valid OIDC ID token from your server, or return a cached one that hasn't expired
            // TODO: code to get token from your server
            // ...
            let idToken: NSString? = nil  // placeholder: replace with the token returned by your server
            if let idToken = idToken {
                tokenCompletion.set(result: idToken)
            } else {
                // If there was an error getting the token, set the error appropriately
                tokenCompletion.set(error: NSError(domain: "OIDC Login", code: -1,
                                                   userInfo: ["Unable to get OIDC token": "Details about your error"]))
            }
        }
    }

When you instantiate the AWSCognitoCredentialsProvider, pass the class that implements AWSIdentityProviderManager as the value of identityProviderManager in the constructor. For more information, go to the AWSCognitoCredentialsProvider reference page and choose initWithRegionType:identityPoolId:identityProviderManager.


JavaScript

    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'IDENTITY_POOL_ID',
        Logins: {
            // Key: the URI of your OIDC provider (placeholder elided on this page); value: the ID token
            '': token
        }
    });


    // Key: the URI of your OIDC provider (placeholder elided on this page); value: the ID token
    credentials.AddLogin("", token);


    // Key: the URI of your OIDC provider (placeholder elided on this page); value: the ID token
    credentials.AddLogin("", token);