Help in verification of amazoncognito.com domain for Google OAuth verification

0

Hi, we are using AWS Cognito as an identity provider, with social IdP options available. In order to verify the Google OAuth screen we are requested to verify the custom domain and amazoncognito.com. We have verified the custom domain and have trouble going past amazoncognito.com. Can anyone suggest how we can get around this? Will dropping the domain from the OAuth consent screen break any functionality? We use the hosted UI. Thanks in advance.

asked 2 years ago · 998 views
1 Answer
1
Accepted Answer

Hello,

I understand that you are using sign-in with the Google IdP for a Cognito user pool, that Google is requesting you to verify your domain, and that you currently want to verify the Cognito-provided domains *.auth.<region>.amazoncognito.com.

Firstly, the apex domain and subdomains of *.auth.<region>.amazoncognito.com are owned by AWS and are used as a generic default domain for customers' Cognito user pools; unfortunately it is not possible to verify domain ownership for a specific customer, as the domain is not really owned by a specific customer in the public domain registrar.

Secondly, from checking the Google documentation for domain verification (either the host-specific or the generic method), it requires adding a TXT record with a value generated by Google to your domain's DNS records. If this is not the method of Google domain verification for your application, please kindly share the specific documentation if possible.

This means that instead of using the Cognito-provided domain *.auth.eu-central-1.amazoncognito.com, you can use your own custom domain name if you have control of your domain. The detailed steps for using your own custom domain in a Cognito user pool can be found here [1].

For example, something like test-example-auth-dev.myowndomain.com in the Cognito user pool, so that your application will use your own domain name. However, I can see from your rePost message itself that you have already verified the custom domain.

To summarize: when the custom domain is successfully activated in your Cognito user pool, both your custom domain and the previous Cognito-managed amazoncognito.com domain can be used for user login. However, because amazoncognito.com cannot be used for Google domain verification, you will need to change your Google app to use your custom domain instead of amazoncognito.com.

I hope the above shared information is insightful to your query. Please feel free to reach out if you have any questions!

References:

[1] https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html

AWS SUPPORT ENGINEER
Yash_C
answered 2 years ago
  • Thanks for the reply. Assuming your suggestion is to provide Google with the custom domain only, that is exactly what we are trying now. However, the question was asked because, according to the AWS docs, we are instructed to provide both the custom domain and the Cognito domain, hence not registering the Cognito domain with Google might raise issues with functionality. However, though it is too early to decide, we have not had any issues by not providing the Cognito domain to Google. Will get back here to share our experience if anything goes wrong.
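The configuration check that the accepted answer describes, written out as an added example (it is not code from the thread, from AWS or from the support engineer): given a user pool's domain settings, it lists every hosted-UI hostname the pool serves, flags the AWS-owned `*.amazoncognito.com` one as not verifiable with Google, and confirms that the customer-owned custom domain carries a `google-site-verification=` TXT record. The `UserPoolDomains` class, the `audit` function and the sample DNS answers are constructed for this example; the `/oauth2/idpresponse` redirect path comes from the Cognito developer guide rather than from this thread. Region and hostnames are taken from the answer's own illustrations.

```python
"""Offline check: which Cognito hosted-UI domain can be registered with Google?"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

COGNITO_MANAGED_SUFFIX = ".amazoncognito.com"      # AWS-owned, cannot be verified by a customer
GOOGLE_TXT_PREFIX = "google-site-verification="    # format of Google's DNS TXT verification record
IDP_RESPONSE_PATH = "/oauth2/idpresponse"          # Cognito's IdP callback path (developer guide)


@dataclass(frozen=True)
class UserPoolDomains:
    """Domain settings of one user pool (constructed input, not read from AWS)."""
    region: str
    prefix_domain: Optional[str]   # Cognito-managed prefix, e.g. "myapp"; None if not configured
    custom_domain: Optional[str]   # customer-owned hostname; None if no custom domain yet


def managed_domain(pool: UserPoolDomains) -> Optional[str]:
    """Build the Cognito-managed hostname: <prefix>.auth.<region>.amazoncognito.com."""
    if pool.prefix_domain is None:
        return None
    return f"{pool.prefix_domain}.auth.{pool.region}{COGNITO_MANAGED_SUFFIX}"


def is_cognito_managed(hostname: str) -> bool:
    """True when the hostname sits under the AWS-owned amazoncognito.com zone."""
    return hostname.lower().rstrip(".").endswith(COGNITO_MANAGED_SUFFIX)


def hosted_ui_domains(pool: UserPoolDomains) -> List[str]:
    """Both domains stay usable for login once a custom domain is active."""
    domains: List[str] = []
    managed = managed_domain(pool)
    if managed:
        domains.append(managed)
    if pool.custom_domain:
        domains.append(pool.custom_domain)
    return domains


def google_redirect_uri(hostname: str) -> str:
    """Redirect URI to register in the Google app for this hosted-UI hostname."""
    return f"https://{hostname}{IDP_RESPONSE_PATH}"


def google_verification_token(txt_records: Iterable[str]) -> Optional[str]:
    """Return the token from a google-site-verification TXT record, or None."""
    for record in txt_records:
        value = record.strip().strip('"')   # tolerate quoted presentation format
        if value.startswith(GOOGLE_TXT_PREFIX):
            return value[len(GOOGLE_TXT_PREFIX):]
    return None


def audit(pool: UserPoolDomains, custom_domain_txt: Iterable[str]) -> List[str]:
    """Findings a practitioner would act on before editing the Google OAuth app."""
    findings: List[str] = []
    for host in hosted_ui_domains(pool):
        if is_cognito_managed(host):
            findings.append(
                f"{host}: AWS-owned; cannot be verified with Google, "
                "so it must not be listed as an authorized domain"
            )
    if pool.custom_domain is None:
        findings.append("no custom domain configured; add one to the user pool first")
        return findings
    token = google_verification_token(custom_domain_txt)
    if token is None:
        findings.append(f"{pool.custom_domain}: no {GOOGLE_TXT_PREFIX} TXT record found")
    else:
        findings.append(
            f"{pool.custom_domain}: verification token {token} present; "
            f"register {google_redirect_uri(pool.custom_domain)} in the Google app"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: hostnames and region as used in the answer above.
    sample_pool = UserPoolDomains(
        region="eu-central-1",
        prefix_domain="myapp",
        custom_domain="test-example-auth-dev.myowndomain.com",
    )
    # Constructed DNS TXT answer for the custom domain; the token is a placeholder.
    sample_txt = ['"v=spf1 -all"', '"google-site-verification=PLACEHOLDER_TOKEN"']
    for line in audit(sample_pool, sample_txt):
        print(line)
```

Running the script prints one finding per hosted-UI hostname: the amazoncognito.com name is reported as unverifiable, and the custom domain is reported with its token and the redirect URI to register. Feed `audit` the real TXT answer for your custom domain (for instance the output of a `dig TXT` query) to check the record before submitting the Google verification.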
