Why does the Userpool-Client have to be set up as an OAuth-Client itself for Google Login?



this isnt a blocking problem. But out of curiosity I wanted to ask, if s.o. knows why the Userpool Client has to be set up as an OAuth-Client itself for Google-Login.

Afaik after signing up into Google using the Userpool-Client, the Userpool & Userpool-Client will create its own Cognito-user with the User Info from Google via OAuth protocol.

But why does a Userpool-Client has to specify any OAuth settings at all (such as Callback-Urls & Logout-Urls & Scopes) and by doing so becoming an OAuth-Client of the Userpool itself? Wouldnt it be easier, if one could omit all the OAuth-settings on the Userpool-Client-side because it hasnt anything to do imho with the OAuth process to Google. (For the OAuth process to Google just a Userpool-Domain should be sufficient imo. With this Userpool-Domain Google can redirect back to the Userpool-Domain to send the code. But OAuth-Settings in the Userpool-Client shouldnt be needed here at all)

질문됨 5달 전595회 조회
1개 답변

You are right that the OAuth settings for the UserPool-client does not have much to do with the OAuth process with Google.

As we discussed in your earlier question, Cognito interacts with Google as needed. Actually whether it is Google (or other social Id providers) or SAML or general OAuth/OIDC providers, Cognito handles that for you so your application has one interface (Cognito) to work with, independent from the different IdPs.

Towards your application, Cognito uses OAuth/OIDC flow to interact with your app when hosted UI is used to authenticate the user (again, independent from whether/which type external IdP . That's why you are defining the corresponding parameters like call back url under "Hosted UI" section of an "App Client" configuration.

답변함 5달 전
profile picture
검토됨 2달 전
  • Thanks for clarifying that those are 2 different things in Cognito:

    • OAuth to Userpool via Hosted UI
    • OAuth to external Identity Providers

    Even though a userpool domain should be good enough for Google-Login, it seems that a Hosted UI is required on top for Google-Login (for whatever reason). Getting this error in the Browser otherwise:

    OAuthNotConfigureException: oauth param not configured.

    (Im just guessing: Maybe Cognito needs the callback url of the Hosted UI. when it has finished fetching user data from Google. Otherwise Cognito maybe could not inform my web app that it has finished with the Google-Login?)

    import { signInWithRedirect } from "@aws-amplify/auth";
    const handleLoginWithGoogle = async () => {
        // https://docs.amplify.aws/javascript/build-a-backend/auth/add-social-provider/
        await signInWithRedirect({
          provider: "Google",
          options: {
            preferPrivateSession: true,
  • The callback url is needed because after Cognito successfully interact with the external IdP, it will deliver the authorization code or tokens (depending on grant type(s) configured and used) to your app by redirecting user to this url. That callback url is part of your app, though configured under "Hosted UI". You can skip the "UI" (login page) itself by telling Cognito to send user directly to IdP, but at the end Cognito needs to deliver the authorization code or tokens to your app.

    Check this video for a sequence diagram of the flow and explanation: (diagram in the video is more elaborated than the one in user doc https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html)

    https://www.youtube.com/watch?v=WgvVxKf2CFc (sequence flow explanation starts at 12:20. The flow is describing the authorization code grant flow).

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠