How do I set up Google as a federated identity provider in an Amazon Cognito user pool?


I want to use Google as a federated identity provider (IdP) in an Amazon Cognito user pool.

Resolution

Create an Amazon Cognito user pool with an app client and domain name

Complete the following steps:

  1. Create a new user pool.
    Note: When you create a user pool, the standard attribute email is selected by default.
  2. Create an app client in your user pool.
  3. Add a domain name for your user pool.

Create a Google API Console project

Complete the following steps:

  1. Sign in to the Google API Console with your Google account. For more information, see Manage APIs in the API console on the Google Help website.
  2. On the Dashboard (APIs & Services), choose CREATE.
  3. Under New Project, enter a Project name.
  4. For Location, choose BROWSE, and then select a location.
  5. Choose CREATE.

For more information, see the Sign in with Google for web on the Google Identity website.

Configure the OAuth consent screen

Complete the following steps:

  1. Open the Google API console, and then in the left navigation pane, choose OAuth consent screen.
  2. Complete the following required fields on the consent form:
    For Application name, enter a name.
    For Authorized domains, enter amazoncognito.com.
    Important: You must enter this domain so that you can use your Amazon Cognito domain when you create an OAuth client ID.
  3. Choose Save.

For more information, see Complete the OAuth consent screen on the Google Workspace website.

Get OAuth 2.0 client credentials

Complete the following steps:

  1. Open the Google API console, and then on the Credentials page, choose Create credentials.
  2. Choose OAuth client ID.
  3. On the Create OAuth client ID page, for Application type, choose Web application.
  4. Enter the following information:
    For Name, enter a name for your OAuth client ID.
    For Authorized JavaScript origins, enter your Amazon Cognito domain, for example: https://yourDomainPrefix.auth.region.amazoncognito.com.
    Note: Replace yourDomainPrefix and region with the values for your user pool. To find these values, open the Amazon Cognito console and navigate to the Domain name page for your user pool.
    For Authorized redirect URIs, enter https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/idpresponse.
    Note: Replace yourDomainPrefix and region with the values for your user pool.
  5. In the OAuth client dialog box, note the client ID and client secret to use in a later step.

For more information, see Using OAuth 2.0 to access Google APIs on the Google Identity website.

Configure Google as a federated IdP in your user pool

Complete the following steps:

  1. Open the Amazon Cognito console, and then choose User pools.
  2. Select your user pool.
  3. Choose the Sign-in experience tab.
  4. Under Federated identity provider sign-in, choose Add identity provider.
  5. Select Google.
  6. Under Set up Google federation with this user pool, enter the following information:
    For Client ID, enter the client ID that you noted.
    For Client secret, enter the client secret that you noted.
    For Authorized scopes, enter profile email openid.
  7. Under Map attributes between Google and your user pool, map the User pool attribute of email to the Google attribute of email.
  8. Choose Add another attribute, and then map the User pool attribute of username to the Google attribute of username.
  9. Choose Add identity provider.

Change app client settings for your user pool

Note: In the app client settings, the mapped user pool attributes must be writable. For more information, see Specifying identity provider attribute mappings for your user pool.

Complete the following steps:

  1. Open the Amazon Cognito console, and then select your user pool.
  2. Choose the App integration tab.
  3. Under App client list, choose Create app client.
  4. Enter the following information:
    For App type, choose Public client, and then enter a name for your app client.
    For Authentication Flows, select ALLOW_USER_PASSWORD_AUTH and ALLOW_REFRESH_TOKEN_AUTH.
    For Allowed Callback URL(s), enter the URL where you want your users to be redirected after they log in. To test, enter a valid URL, such as https://www.example.com/.
    For Sign out URL(s), enter the URL where you want your users to be redirected after they log out. To test, enter any valid URL, such as https://www.example.com/.
    For Identity providers, choose Cognito user pool and Google.
    For OAuth 2.0 grant type, choose Implicit grant.
    For OpenID Connect scopes, choose email, openid, and profile.
    Important: The implicit grant OAuth flow is only for testing purposes. It's a best practice to use the Authorization Code grant type for production systems.
  5. Choose Create app client.

For more information, see App client terms.

Construct the endpoint URL

To construct the login endpoint URL for the Amazon Cognito hosted web UI, use the values from your user pool.

Example URL: https://yourDomainPrefix.auth.region.amazoncognito.com/login?response_type=token&client_id=yourClientId&redirect_uri=redirectUrl

Note: Replace yourDomainPrefix and region with the values for your user pool. To find these values, open the Amazon Cognito console and navigate to the Domain name page for your user pool. Replace yourClientId with your Amazon Cognito app client's ID and redirectUrl with your app client's callback URL. Find these values on the App client settings page for your user pool.

For more information, see Login endpoint.

Test the endpoint URL

Complete the following steps:

  1. Enter the login endpoint URL in your web browser.
  2. On your login endpoint webpage, choose Continue with Google.
    Note: If you're redirected to your Amazon Cognito app client's callback URL, then you're already logged in to your Google account in your browser. The user pool tokens appear in the URL in your web browser's address bar.
  3. Under Sign in with Google, choose your Google account and sign in.

After you authenticate, you're redirected to your Amazon Cognito app client's callback URL. The user pool-issued JSON Web Tokens (JWTs) appear in the URL in your web browser's address bar.

Note: A JavaScript SDK can generate the login endpoint URL for you and parse the JWTs out of the callback URL.

Related information

Using social identity providers with a user pool

Adding user pool sign-in through a third party

AWS OFFICIAL
Updated a year ago

4 Comments

Hi team, I have created users through the API or manually. A user should not be created post SSO with Google. Is this possible?

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT, replied a year ago

When adding Authorized scopes, use "openid" (all lowercase letters) rather than OpenID; OpenID will give you an error from Google: 400 Invalid_scope.

replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS EXPERT, replied 9 months ago