why is the Google OAuth Client Secret required for Cognito with Google as Identity Provider



why is the Client Secret required for Cognito, if I want to use Google as IdP with my hosted ui?

In the OpenId-workflow the Authorization grant code is passed to the redirect_uri by Google through Cognito. Then my server would need to exchange the Authorization grant code for a Access token & Identity Token at google by sending the client secret.

But Cognito should not need the client secret from google here, because it doesnt request a code exchange for me.

Thank you, if s.o. knows

asked 5 months ago212 views
1 Answer
Accepted Answer

When using federation it is often confusing which entity is playing which role at what point.

When you integrate Cognito with Google as an ODIC identity provider, Cognito is the corresponding relying party ("app") in the relationship with Google, not your "Server"(App). Cognito is using the client id/secret to do the code exchange. Cognito does that behind the scene and it is not visible to you. After that Cognito gives your application the tokens Cognito itself generates.

Please refer to the diagram and description here for how the signals flow: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html

Cognito acts as a relying party which provides token handling and management for authenticated users from all identity providers, so your backend systems can standardize on one set of user pool tokens.

answered 5 months ago
profile picture
reviewed 15 days ago
  • Thank you for claryfying & reply. So I need a Hosted UI just as a redirect endpoint used by Google for the OAuth workflow Will probably use Amplify in my react app together with Google Login & dont need a Hosted UI but the Google identity provider does need a Hosted UI probably.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions