I want to use Google as a federated identity provider (IdP) in an Amazon Cognito user pool.
Resolution
Create an Amazon Cognito user pool
Create a new application in the Amazon Cognito console.
Create a Google API Console project
Sign in to the Google API Console with your Google account, and then create a Google Cloud project. For steps, see Sign in with Google for web on the Google Identity website and Create a Google Cloud project on the Google Workspace website.
Configure the OAuth consent screen
Complete the following steps:
- Open the Google API console.
- In the navigation pane, choose OAuth consent screen.
- Configure the following required fields on the consent form:
For Application name, enter a name.
For Authorized domains, enter amazoncognito.com.
Important: You must enter this domain to use your Amazon Cognito domain when you create an OAuth client ID.
- Choose Save.
Get OAuth 2.0 client credentials
Complete the following steps:
- Open the Google API Console.
- On the Credentials page, choose Create credentials.
- Choose OAuth client ID.
- On the Create OAuth client ID page, for Application type, choose Web application.
- Configure the following settings:
For Name, enter a name for your OAuth client ID.
For Authorized JavaScript origins, enter your Amazon Cognito domain, such as https://yourDomainPrefix.auth.region.amazoncognito.com.
Note: Replace yourDomainPrefix with your user pool's domain and region with your user pool's AWS Region.
To find your user pool's domain prefix and region, complete the following:
Open the Amazon Cognito console.
Select User Pools from the left navigation.
Choose your user pool.
In the left navigation menu, choose App integration.
Scroll to the Domain section to find your domain prefix and region.
For Authorized redirect URIs, enter https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/idpresponse.
Note: Replace yourDomainPrefix and region with the values for your user pool.
- In the OAuth client dialog box, note the client ID and client secret.
Configure Google as a federated IdP in your user pool
Use the Amazon Cognito console to configure your user pool with a social IdP and configure the following settings:
- For Add an identity provider, choose Google.
- Under Map attributes between Google and your user pool, map the User pool attribute of email to the Google attribute of email.
Change app client settings for your user pool
Note: In the app client settings, the mapped user pool attributes must be writable. For more information, see Mapping IdP attributes to profiles and tokens.
Complete the following steps:
- Open the Amazon Cognito console.
- Choose User pools, and then choose your user pool.
- Choose the App integration tab.
- Under App client list, choose Create app client.
- Configure the following settings:
For App type, choose Public client, and then enter a name for your app client.
For Authentication Flows, select ALLOW_USER_PASSWORD_AUTH and ALLOW_REFRESH_TOKEN_AUTH.
For Allowed Callback URL(s), enter the URL where you want to redirect your users after they log in. To test, enter a valid URL, such as https://www.example.com/.
For Sign out URL(s), enter the URL where you want to redirect your users after they log out. To test, enter a valid URL, such as https://www.example.com/.
For Identity providers, choose Cognito user pool and Google.
For OAuth 2.0 grant type, choose Implicit grant.
For OpenID Connect scopes, choose email, openid, and profile.
Important: The implicit grant OAuth flow is only for testing purposes. It's a best practice to use the Authorization Code grant type for production systems.
- Choose Create app client.
For more information about app client settings, see App client terms.
Construct the endpoint URL
To construct the login endpoint URL for the Amazon Cognito hosted web UI, use the following format:
https://yourDomainPrefix.auth.region.amazoncognito.com/login?response_type=token&client_id=yourClientId&redirect_uri=redirectUrl
Note: Replace yourDomainPrefix with your user pool's domain and region with your user pool's Region. Replace yourClientId with your Amazon Cognito app client's ID and redirectUrl with your app client's callback URL.
To find your user pool's domain prefix and region, complete the following steps:
- Open the Amazon Cognito console.
- Select User Pools from the left navigation.
- Select your user pool.
- In the left navigation menu, choose App integration.
- Scroll to the Domain section to find your domain prefix and region.
To find your client ID and redirect URL, complete the following steps:
- Open the Amazon Cognito console.
- Choose User Pools from the left navigation.
- Select your user pool.
- In the left navigation menu, choose App integration.
- Scroll to App clients to find your client ID and redirect URL.
Note: Select the app client to view its details including the configured redirect URLs.
Test the endpoint URL
Complete the following steps:
- Enter the login endpoint URL in your web browser.
- On your login endpoint webpage, choose Continue with Google.
Note: If the page redirects you to your Amazon Cognito app client's callback URL, then you're already logged in to your Google account in your browser. The user pool tokens appear in the URL in your web browser's address bar.
- Under Sign in with Google, choose your Google account, and then sign in.
After you authenticate, you're redirected to your Amazon Cognito app client's callback URL. The JSON web tokens (JWTs) issued by the user pool appear in the URL in your web browser's address bar.
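As an added example (not code from the AWS article), the following Python helpers build the login endpoint URL in the format shown above, pull the tokens (implicit grant, in the URL fragment) or the authorization code (code grant, in the query string) out of the callback URL, and run cheap sanity checks on an ID token's claims before you go on to verify its signature. The domain prefix, Region, client ID, user pool ID and tokens are constructed placeholders, and the issuer format https://cognito-idp.<region>.amazonaws.com/<userPoolId> is assumed from Cognito's token documentation.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit


def build_login_url(domain_prefix, region, client_id, redirect_url, response_type="token"):
    """Build the hosted UI /login URL. 'token' is the implicit grant (testing only,
    as the article notes); 'code' is the authorization code grant for production."""
    if response_type not in ("token", "code"):
        raise ValueError("response_type must be 'token' or 'code'")
    base = f"https://{domain_prefix}.auth.{region}.amazoncognito.com/login"
    params = {"response_type": response_type, "client_id": client_id, "redirect_uri": redirect_url}
    return base + "?" + urlencode(params)  # urlencode percent-escapes the redirect URI


def parse_callback(callback_url):
    """Extract what Cognito appended to the callback URL: the implicit grant puts
    id_token/access_token in the fragment (#...), the code grant puts ?code=... in the query."""
    parts = urlsplit(callback_url)
    source = parts.fragment if parts.fragment else parts.query
    return {key: values[0] for key, values in parse_qs(source).items()}


def jwt_claims(token):
    """Decode a JWT payload for inspection only. This does NOT verify the signature;
    verify it against the user pool's JWKS before trusting any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def id_token_looks_right(token, region, user_pool_id, client_id):
    """Sanity checks on an ID token: issued by this user pool, addressed to this
    app client, and actually an ID token (token_use == 'id')."""
    claims = jwt_claims(token)
    expected_iss = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    return (claims.get("iss") == expected_iss
            and claims.get("aud") == client_id
            and claims.get("token_use") == "id")


def make_sample_jwt(claims):
    """Constructed, unsigned sample token for offline demonstration only
    (placeholder signature; a real Cognito token is RS256-signed)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```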
Related information
Using social identity providers with a user pool
User pool sign-in with third party identity providers
Manage APIs in the API console on the Google Help website