Manage SSO using AWS Cognito

Manage SSO using AWS Cognito

June 17, 2021 / Eternal Team

Cognito comes with a built-in web UI. The Cognito Hosted UI is far more than a UI. It’s a full-blown OAuth server, backed by the Cognito API.

Amazon Cognito Hosted UI provides an OAuth 2.0 compliant authorization server. It provides a default implementation of end-user flows such as registration, authentication etc.

Your application will redirect to (Cognito )Hosted UI and it will handle the user flows, Like Login, Registration, Confirmation etc.

This is by far the easiest flow for implementing a signup/login process with Amazon Cognito. You configure a few settings/options and the forms are generated and hosted for you by AWS. Just attach custom domain to it and direct users to authenticate before directing them to your application.

Steps

  • Create a User Pool in AWS Cognito.
  • Configure Form Attributes.
  • Configure Password Policies.
  • MFA and verification (If Require).
  • Configure App Clients.
  • Configure Amazon Cognito Domain (there should be autogenerated default domain).
  • App Integration (App Client Settings).
  • Integrating Amazon Cognito UI screens into your App.

When a user clicks the sign in, simply direct them to the Cognito login screen by constructing a URL of the following format: https://your-domain-prefix.auth.us-east-1.amazoncognito.com/login?client_id=CLIENT_ID&response_type=TYPE&scope=SCOPE&redirect_uri=URI

For an example https://auth.eternal.com/login?client_id=4r97jsiucp6sk1nddo37huydf1&response_type=code&scope=aws.cognito.signin.user.admin+email+openid+phone+profile&redirect_uri=http://my-test-domain/secure

redirect_uri is set to test URL for testing but you should set yours to the part of your application that requires users to be logged in. Also, note that in this case a custom domain is being used instead of the domain prefix endpoint provided by Cognito

Refer link for a description of each query string parameter as well as examples of all valid parameter options.

Once the user is authenticated, Cognito will redirect the user to the app, passing along an authorization code. We can use this code to generate an access token. This token will allow us to make API calls to Cognito and verify that the user is allowed to access the app, as well as to pull user attributes.

This flow follows standard OAuth2 patterns. If you would like your app to allow users to remain signed in for a period of time, you may need to store the refresh token which you would use to periodically generate new access tokens. You will need new access tokens to make additional API calls to Cognito as access tokens expire within a set timeframe depending on your settings.

Please see the below flow diagram.

Manage SSO using AWS cognito
Manage SSO using AWS cognito

AWS-Consulting-Partner

Talk to AWS Certified Consultant

    Want to start a project?

    It’s simple.

    Contact us