By using AWS re:Post, you agree to the Terms of Use

Cognito Hosted UI TOTP or Amplify


Need to create an OIDC provider with TOTP for a customer application.

I've set it up with AWS Cognito, set MFA to required, and checked TOTP.
I don't have access to the customer app so I've tried using the Cognito Hosted UI and callback URL with the code generated from Authorization code grant flow.
But as far as I've seen they don't support configuring TOTP in Hosted UI. You can only login if your already have setup TOTP and just need to enter your code.
Therefore, I've moved to AWS Amplify. Created a React app, I've setup everything and TOTP works like a charm.
Now I need to redirect the logged in user to the customer's app in the same way Cognito Hosted UI does. This isn't very secure because I didn't find a way to verify the callback URL the user enters. The callback URL needs to be provided by a query param to my custom app. We need to support different callback URLs.

How can this be accomplished in the most secure way or is there a different approach to this?

1 Answer


Thanks for your patience. I've reached out to our Amplify and Cognito engineers regarding your query. Our understanding is that you are looking to use Cognito in your customer's application and require the user to use TOTP enabled login in Cognito. Please let us know if we understood correctly. If our understanding is correct then it seems that the missing piece is:

  1. Check the user login status on the customer’s application (via Amplify Auth.currentAuthenticatedUser), then launch Hosted UI if user has not signed in (via Auth.federatedSignIn).
  2. Once the user is authenticated, and redirected back to the customer application, the application shall alway check user authentication status by Auth.currentAuthenticatedUser. If yes, let the end user access application, if not, go to step 1 again.

Please let us know if this helps resolve your issue. If not, kindly provide additional details in case we may have misunderstood anything.

answered 9 months ago
  • Thank you for taking the time to look into this. I think you are on the right track. The problem is that there are 2 different applications, my customer's application (to which I don't have access) and another independent app (which is the custom Hosted UI). How can I can send back the logged in user in the Hosted UI to the customer app? I wanted to send back a code like the build in Hosted UI does '/callback?code=02c18779-cf4d-445c-84ca-8859214f54c6'. Is that possible? Or to check the callback URL to match the one from App Client settings in AWS. Maybe I'm on the wrong track.

  • Hi,

    Thanks again for your patience as I worked with the Cognito team.

    The ‘callback url’ which can be configured in Hosted UI is for redirecting the logged in users to the url which can be your customer’s application. However, the initiated Login point which requires the pointed callback url, shall be started from Hosted UI URL with all the configured values. Such as https://hostedUIdomain/login?response_type=code&client_id=yourappclientid&redirect_uri=

    That said, it seems that this is a relatively complex case or perhaps there is something that is being misunderstood. Therefore, we recommend creating a support case and initiating a live session via call or chat so that we can take a closer look at your setup. I recommend starting with the Cognito team and they can transfer to the Amplify team if their assistance is needed.

  • Thank you Ryan for taking the time, i think our case is more complex than this. We'll need to initiate a live session with Cognito Team. Best regards.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions