Why does the Userpool-Client have to be set up as an OAuth-Client itself for Google Login?



this isnt a blocking problem. But out of curiosity I wanted to ask, if s.o. knows why the Userpool Client has to be set up as an OAuth-Client itself for Google-Login.

Afaik after signing up into Google using the Userpool-Client, the Userpool & Userpool-Client will create its own Cognito-user with the User Info from Google via OAuth protocol.

But why does a Userpool-Client has to specify any OAuth settings at all (such as Callback-Urls & Logout-Urls & Scopes) and by doing so becoming an OAuth-Client of the Userpool itself? Wouldnt it be easier, if one could omit all the OAuth-settings on the Userpool-Client-side because it hasnt anything to do imho with the OAuth process to Google. (For the OAuth process to Google just a Userpool-Domain should be sufficient imo. With this Userpool-Domain Google can redirect back to the Userpool-Domain to send the code. But OAuth-Settings in the Userpool-Client shouldnt be needed here at all)

gefragt vor 5 Monaten582 Aufrufe
1 Antwort

You are right that the OAuth settings for the UserPool-client does not have much to do with the OAuth process with Google.

As we discussed in your earlier question, Cognito interacts with Google as needed. Actually whether it is Google (or other social Id providers) or SAML or general OAuth/OIDC providers, Cognito handles that for you so your application has one interface (Cognito) to work with, independent from the different IdPs.

Towards your application, Cognito uses OAuth/OIDC flow to interact with your app when hosted UI is used to authenticate the user (again, independent from whether/which type external IdP . That's why you are defining the corresponding parameters like call back url under "Hosted UI" section of an "App Client" configuration.

beantwortet vor 5 Monaten
profile picture
überprüft vor 2 Monaten
  • Thanks for clarifying that those are 2 different things in Cognito:

    • OAuth to Userpool via Hosted UI
    • OAuth to external Identity Providers

    Even though a userpool domain should be good enough for Google-Login, it seems that a Hosted UI is required on top for Google-Login (for whatever reason). Getting this error in the Browser otherwise:

    OAuthNotConfigureException: oauth param not configured.

    (Im just guessing: Maybe Cognito needs the callback url of the Hosted UI. when it has finished fetching user data from Google. Otherwise Cognito maybe could not inform my web app that it has finished with the Google-Login?)

    import { signInWithRedirect } from "@aws-amplify/auth";
    const handleLoginWithGoogle = async () => {
        // https://docs.amplify.aws/javascript/build-a-backend/auth/add-social-provider/
        await signInWithRedirect({
          provider: "Google",
          options: {
            preferPrivateSession: true,
  • The callback url is needed because after Cognito successfully interact with the external IdP, it will deliver the authorization code or tokens (depending on grant type(s) configured and used) to your app by redirecting user to this url. That callback url is part of your app, though configured under "Hosted UI". You can skip the "UI" (login page) itself by telling Cognito to send user directly to IdP, but at the end Cognito needs to deliver the authorization code or tokens to your app.

    Check this video for a sequence diagram of the flow and explanation: (diagram in the video is more elaborated than the one in user doc https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html)

    https://www.youtube.com/watch?v=WgvVxKf2CFc (sequence flow explanation starts at 12:20. The flow is describing the authorization code grant flow).

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen