I followed these steps to configure a FusionAuth OIDC identity provider to enable Amazon Cognito third-party login:
- Choose your desired region (top right)
- Review default settings if needed
- Click "Manage User Pools"
- Click "Create a user pool" or select the desired pool
- Navigate to "Users and groups"
- Click "Create User: if none exist (phone number format: +3035553322)
- Navigate to "App clients"
- Click "Add an app client"
- Add the app client name and click "Create app client"
- Click "Show details" for desired app client to show client id and client secret
- Navigate to "App client settings"
- Select user pools to enable
- Add callback URL(s)
- Under Allowed OAuth Flows enable "Authorization code grant"
- Under Allowed OAuth Scopes enable openid
- Navigate to "Domain name"
- Add custom domain if desired
- Navigate to "Settings"
- Navigate to "Identity Providers"
- From top right dro-down click "Add OpenId Connect"
- Add the Client Id from Cognito App client
- Use HTTP basic authentication
- Add the Client Secret from Cognito App client
- Visit https://cognito-idp.[region].amazonaws.com/[userPoolId]/.well-known/openid-configuration for endpoints [replace variables]
** If you have a domain set make sure this is reflected in the endpoints
- Add the Authorization endpoint
- Add the Token endpoint
- Add the Userinfo endpoint
- Add openid to Scope
- Set the Linking strategy to Link on email. Create the user if they do not exist
- A lambda is not required but may be used to map attributes from Cognito
- Enable this identity provider for the desired applications