How do I set up LinkedIn as a social identity provider in an Amazon Cognito user pool?
I want my app's users to be able to sign in using LinkedIn. How do I set up LinkedIn as a social identity provider (IdP) in an Amazon Cognito user pool?
Short description
LinkedIn doesn't provide all the fields that Amazon Cognito requires when adding an OpenID Connect (OIDC) provider to a user pool.
You must use a third-party service as a middle agent between LinkedIn and Amazon Cognito, such as Auth0. Auth0 gets identities from LinkedIn, and Amazon Cognito then gets those identities from Auth0.
Note: Auth0 is a third-party service that's not affiliated with AWS. You might incur separate fees using Auth0.
You can also use this setup for other social IdPs with similar integration issues. For more information, see Identity providers on the Auth0 website.
Resolution
Create an Amazon Cognito user pool with an app client and domain name
For more information on creating these prerequisites, see the following articles:
- Tutorial: Creating a user pool
Important: When creating a user pool, keep the standard attribute email selected.
- Configuring a user pool app client
- Adding a domain name for your user pool
Sign up for an Auth0 account
Enter your email address and a password on the Auth0 website sign-up page to get started. Or, if you already have an Auth0 account, log in. After logging in, take note of your Auth0 tenant name.
Create an Auth0 application
- On the Auth0 website dashboard, choose + Create Application.
Note: If you've already created the Auth0 application you want to use, continue to the next section.
- In the Create Application dialog box, enter a name for your application. For example, My App.
- Under Choose an application type, choose Single Page Web Applications.
- Choose Create.
- On the Settings pane of your new application, do the following:
Find the Client ID and Client Secret and copy them. You'll need these later when connecting Auth0 to your Amazon Cognito user pool.
For Allowed Callback URLs, enter https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/idpresponse.
Note: Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool.
- Choose Save changes.
Sign up for a LinkedIn account
Enter your email address and a password on the LinkedIn website sign-up page to get started. Or, sign in if you already have a LinkedIn account.
Create a LinkedIn app
- On the LinkedIn Developers website, choose Create app.
- On the Create an app page, complete all required and preferred fields to customize your LinkedIn app, and then choose Create app.
- Choose the Auth tab. Confirm that r_emailaddress and r_liteprofile are listed. These permissions are required for Auth0 to access the required LinkedIn user info.
Note: If you don't see r_emailaddress and r_liteprofile listed, then add the product "Sign In with LinkedIn" to your application. This is found on the Products tab of your LinkedIn Dev page.
- Under Application credentials, find the Client ID and Client Secret and copy them. You need both of these later when connecting LinkedIn to your Auth0 app.
- Under OAuth 2.0 settings, next to Redirect URLs:, choose the pencil icon, and then choose + Add redirect URL.
- Under Redirect URLs:, enter https://tenantName.us.auth0.com/login/callback, replacing tenantName with your Auth0 tenant name (or an Auth0 custom domain).
Connect to LinkedIn from Auth0
- On the Auth0 website dashboard, in the left navigation pane, choose Authentication, and then choose Social.
- Choose LinkedIn.
- On the Settings pane of the LinkedIn dialog box, do the following:
For API Key, enter the Client ID that you copied earlier from your LinkedIn app.
For Secret Key, enter the Client Secret that you copied earlier from your LinkedIn app.
For Attributes, select the Email address check box.
- Choose Save.
- On the Applications pane of the LinkedIn dialog box, choose the applications that you want to enable LinkedIn as a social IdP for.
- Choose Save.
Test your LinkedIn social connection with Auth0
- In the LinkedIn dialog box, choose Try. Or, on the Auth0 website dashboard, in the left navigation pane, choose Connections, choose Social, and then next to LinkedIn, choose Try. A new browser tab or window opens to the LinkedIn sign-in page.
- Sign in to LinkedIn with your email address and password.
- When prompted to allow your app to access your LinkedIn user info, choose Allow.
Add an OIDC provider to your user pool
- In the Amazon Cognito console management page for your user pool, under Federation, choose Identity Providers.
- Choose OpenID Connect.
- Enter the details of your Auth0 app for the OIDC provider details, as follows:
For Provider name, enter a name (for example, Auth0-LinkedIn). This name appears in the Amazon Cognito hosted web UI.
Note: You can't change this field after creating the provider.
For Client ID, enter the Client ID that you copied earlier from your Auth0 application.
For Client secret (optional), enter the Client Secret that you copied earlier from your Auth0 application.
For Attributes request method, leave the setting as GET.
For Authorize scope, enter openid profile email.
For Issuer, enter the URL of your Auth0 profile. For example, https://tenantName.auth0.com, replacing tenantName with your Auth0 tenant name.
For Identifiers (optional), you can optionally enter a custom string to use later in the endpoint URL in place of your OIDC provider's name.
- Choose Run discovery to fetch the OIDC configuration endpoints for Auth0.
- Choose Create provider.
For more information, see Add an OIDC IdP to your user pool.
Change app client settings for your user pool
- In the Amazon Cognito console management page for your user pool, under App integration, choose App client settings.
- On the app client page, do the following:
Under Enabled Identity Providers, select the OIDC provider (for example, Auth0-LinkedIn) and Cognito User Pool check boxes.
For Callback URL(s), enter a URL where you want your users to be redirected after logging in. For testing, you can enter any valid URL, such as https://example.com/.
For Sign out URL(s), enter a URL where you want your users to be redirected after logging out. For testing, you can enter any valid URL, such as https://example.com/.
Under Allowed OAuth Flows, select either the Authorization code grant or Implicit grant check box, or both.
Note: The allowed OAuth flows you enable determine which values ("code" or "token") you can use for the response_type parameter in your endpoint URL.
Under Allowed OAuth Scopes, select at least the email and openid check boxes.
- Choose Save changes.
For more information, see App client settings terminology.
Map the attributes from Auth0 to your user pool
- In the Amazon Cognito console management page for your user pool, under Federation, choose Attribute mapping.
- On the attribute mapping page, choose the OIDC tab.
- If you have more than one OIDC provider in your user pool, choose your new provider from the dropdown list.
- Confirm that the OIDC attribute sub is mapped to the user pool attribute Username.
- Choose Add OIDC attribute. For the new OIDC attribute, enter email. For User pool attribute, choose Email.
- (Optional) Add any additional OIDC attributes you want to pass along from Auth0. For example, you might map given_name and family_name to the corresponding Amazon Cognito user pool attributes.
Note: To see all the OIDC attributes stored for an Auth0 user, from the Auth0 website dashboard, in the left navigation pane, choose Users & Roles, choose Users, choose a user, and then choose Raw JSON.
For more information, see Specifying identity provider attribute mappings for your user pool.
Construct the endpoint URL
Using values from your own setup, construct this endpoint URL:
https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/authorize?response_type=code&client_id=yourClientId&redirect_uri=redirectUrl
Do the following to customize the URL for your setup:
- Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool.
- If you selected only the Implicit grant flow earlier for Allowed OAuth Flows, then change response_type=code to response_type=token.
- Replace yourClientId with your app client's ID, and replace redirectUrl with your app client's callback URL. Find them in the Amazon Cognito console on the App client settings tab of the management page for your user pool.
For more information, see How do I configure the hosted web UI for Amazon Cognito? and Authorize endpoint.
Test the endpoint URL
- Enter the constructed endpoint URL in your web browser.
- Under Sign in with your corporate ID, choose the name of your OIDC provider (for example, Auth0-LinkedIn). You're redirected to the log-in page for your Auth0 application.
- Choose Log in with LinkedIn. You're redirected to the LinkedIn sign-in page.
Note: If you're redirected to your Amazon Cognito app client's callback URL instead, then you're already signed in to LinkedIn.
- On the LinkedIn sign-in page, enter the email address (or phone number) and password for your LinkedIn account.
- Choose Sign in.
After you log in successfully, you're redirected to your app client's callback URL. The authorization code or user pool tokens appear in the URL in your web browser's address bar.
(Optional) Skip the Amazon Cognito hosted UI
If you want your users to skip the Amazon Cognito hosted web UI when signing in to your app, use this as the endpoint URL instead:
https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/authorize?response_type=code&identity_provider=oidcProviderName&client_id=yourClientId&redirect_uri=redirectUrl&scope=allowedOauthScopes
Do the following to customize the URL for your setup:
- Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool.
- If you selected only the Implicit grant flow earlier for Allowed OAuth Flows, change response_type=code to response_type=token.
- Replace oidcProviderName with the name of the OIDC provider in your user pool. For example, Auth0-LinkedIn.
- (Optional) If you added an identifier for your OIDC provider earlier in the Identifiers (optional) field, you can replace identity_provider=oidcProviderName with idp_identifier=idpIdentifier, replacing idpIdentifier with your custom identifier string.
- Replace yourClientId with your app client's ID, and replace redirectUrl with your app client's callback URL. Find them in the Amazon Cognito console on the App client settings tab of the management page for your user pool.
- Replace allowedOauthScopes with the specific scopes that you want your Amazon Cognito app client to request.
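The two endpoint URLs above (with and without the hosted UI provider picker), assembled and checked in code, as an added example that is not AWS's, Amazon Cognito's or Auth0's own code. It assumes constructed placeholder values for the domain prefix, region, app client ID, callback URL and provider name, and it also parses the authorization code or tokens that land on the callback URL after sign-in.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit
# Added example, not code from AWS, Amazon Cognito or Auth0: builds the hosted
# UI /oauth2/authorize URL from the two sections above and parses the callback.
# All concrete values used with it are constructed placeholders.

def build_authorize_url(domain_prefix, region, client_id, redirect_uri,
                        registered_callbacks, allowed_flows=("code",),
                        identity_provider=None, idp_identifier=None,
                        scopes=("openid", "email")):
    """Return the hosted UI authorize URL for this app client.
    allowed_flows mirrors Allowed OAuth Flows: implicit grant only gives
    response_type=token, otherwise code. identity_provider (the OIDC provider
    name, e.g. Auth0-LinkedIn) or idp_identifier (the custom identifier
    string) skips the hosted UI provider picker."""
    # redirect_uri must exactly match one of the app client's Callback URL(s);
    # Cognito rejects anything else, so fail here instead of at login time.
    if redirect_uri not in registered_callbacks:
        raise ValueError(f"{redirect_uri!r} is not a registered callback URL")
    if "code" in allowed_flows:
        response_type = "code"
    elif "token" in allowed_flows:
        response_type = "token"
    else:
        raise ValueError("app client has no OAuth flow enabled")
    params = {"response_type": response_type}
    if identity_provider and idp_identifier:
        raise ValueError("use identity_provider or idp_identifier, not both")
    if identity_provider:
        params["identity_provider"] = identity_provider
    elif idp_identifier:
        params["idp_identifier"] = idp_identifier
    params.update(client_id=client_id, redirect_uri=redirect_uri,
                  scope=" ".join(scopes))  # scope is space separated (%20)
    base = f"https://{domain_prefix}.auth.{region}.amazoncognito.com/oauth2/authorize"
    return base + "?" + urlencode(params, quote_via=quote)

def parse_callback(url):
    """Extract the authorization code (?code=) or the implicit-grant tokens
    (#id_token=&access_token=) that Cognito appends to the callback URL."""
    parts = urlsplit(url)
    query, fragment = parse_qs(parts.query), parse_qs(parts.fragment)
    if "code" in query:
        return {"grant": "code", "code": query["code"][0]}
    if "id_token" in fragment:
        return {"grant": "token", "id_token": fragment["id_token"][0],
                "access_token": fragment.get("access_token", [None])[0]}
    if "error" in query:  # Cognito reports failures as ?error=...
        return {"grant": None, "error": query["error"][0]}
    raise ValueError("callback URL carries no code, tokens or error")
```

With the implicit grant the tokens arrive in the URL fragment, which browsers never send to the server, so parse_callback is meant to run on the full URL as seen by the client.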
Related information
OIDC user pool IdP authentication flow
How do I set up Auth0 as a SAML identity provider with an Amazon Cognito user pool?