Help in verification of amazoncognito.com domain for Google OAuth verification


Hi, we are using AWS Cognito as identity provider, with social IdP options available. In order to verify the Google OAuth screen we are requested to verify the custom domain and amazoncognito.com. We have verified custom domain and have trouble going past amazoncognito.com. Can anyone suggest how we can get around this? Will dropping the domain from OAuth consent screen break any functionality? And we use hosted UI. Thanks in advance.

asked 2 years ago, 1020 views
1 answer
Accepted answer

Hello,

I understand that you are using sign-in with Google IdP for a Cognito user pool, that Google is requesting that you verify your domain, and that you currently want to verify the Cognito-provided domain *.auth.<region>.amazoncognito.com.

Firstly, the apex domain and subdomains of *.auth.<region>.amazoncognito.com are owned by AWS and are used as a generic default domain for customers' Cognito user pools; unfortunately, it is not possible to verify domain ownership for a specific customer, as the domain is not owned by that customer at the public domain registrar.

Secondly, from checking the Google documentation for domain verification (either the host-specific or the generic method), it requires adding a TXT record with a value generated by Google to your domain's DNS records. If this is not the method of Google domain verification for your application, please kindly share the specific documentation if possible.

This means that instead of using the Cognito-provided domain *.auth.eu-central-1.amazoncognito.com, you can use your own custom domain name if you have control of your domain. The detailed steps for using your own custom domain in a Cognito user pool can be found here [1].

For example, something like test-example-auth-dev.myowndomain.com in the Cognito user pool, so that your application will use your own domain name. However, I can see from your rePost message itself that you have already verified the custom domain.

To summarize: when the custom domain is successfully activated in your Cognito user pool, both your custom domain and the previous Cognito-managed amazoncognito.com domain can be used for user login. However, because amazoncognito.com cannot be used for Google domain verification, you will need to change your Google app to use your custom domain instead of amazoncognito.com.

I hope the above shared information is insightful to your query. Please feel free to reach out if you have any questions!

References:

[1] https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html

AWS
SUPPORT ENGINEER
Yash_C
answered 2 years ago
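The answer above boils down to a configuration rule: a hosted UI domain under amazoncognito.com can never satisfy Google's "Authorized domains" ownership check, while a custom domain can. The following script is an added example (not from the answer, AWS, or Google) that, given the hosted UI domain a user pool uses, derives the two entries the Google side needs and flags the unverifiable case; the `/oauth2/idpresponse` redirect path is Cognito's documented IdP callback, and `registrable_domain` assumes a plain two-label suffix such as `.com`.

```python
import re
from dataclasses import dataclass

# Shape of the AWS-managed hosted UI domains: <prefix>.auth.<region>.amazoncognito.com
# The registrable part, amazoncognito.com, belongs to AWS, so no customer can
# place Google's TXT record in its DNS zone.
MANAGED_DOMAIN_RE = re.compile(r"^[a-z0-9-]+\.auth\.[a-z0-9-]+\.amazoncognito\.com$")


@dataclass
class GoogleOAuthEntries:
    verifiable: bool          # can the customer prove ownership to Google?
    authorized_domain: str    # consent screen -> "Authorized domains"
    redirect_uri: str         # OAuth client -> "Authorized redirect URIs"
    note: str


def registrable_domain(hostname: str) -> str:
    """Last two labels of the host name (assumption: suffixes such as .co.uk
    are not handled; extend with a public-suffix list if you need them)."""
    return ".".join(hostname.split(".")[-2:])


def plan_google_entries(hosted_ui_domain: str) -> GoogleOAuthEntries:
    """Derive what must be registered in Google for one Cognito hosted UI domain."""
    host = hosted_ui_domain.strip().lower().rstrip(".")
    # Cognito receives the Google callback on this fixed path for every domain.
    redirect_uri = f"https://{host}/oauth2/idpresponse"
    base = registrable_domain(host)
    if MANAGED_DOMAIN_RE.match(host):
        return GoogleOAuthEntries(
            False, base, redirect_uri,
            "amazoncognito.com is owned by AWS and cannot be verified; "
            "point the Google app at a custom domain instead")
    return GoogleOAuthEntries(
        True, base, redirect_uri,
        f"add Google's TXT record to the {base} zone, then register both entries")


def unverifiable_domains(hosted_ui_domains: list[str]) -> list[str]:
    """Audit helper: return the hosted UI domains Google can never verify."""
    return [d for d in hosted_ui_domains if not plan_google_entries(d).verifiable]
```

Run `plan_google_entries` once per hosted UI domain your app clients actually use; only the custom domain's entries belong in the Google consent screen and client configuration.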
  • Thanks for the reply. Assuming your suggestion is to provide Google with the custom domain only, that is exactly what we are trying now. However, the question was asked because, according to the AWS docs, we are instructed to provide both the custom domain and the Cognito domain, hence not registering the Cognito domain with Google might raise issues with functionality. However, though it is too early to decide, we have not had any issues by not providing the Cognito domain to Google. Will get back here to share our experience if anything goes wrong.
