
    Amazon Cognito OpenID Connect

    Configure OpenID Connect with Cognito

    Cognito users must have a public email address configured to link on email (see linking strategies for more on this). An approach that will work for all users is to link on username or create an anonymous link. Using these strategies ensures that the configured Cognito OIDC connection works for every user, no matter their Cognito privacy settings.

    Once you have completed this configuration, you can have an OpenID Connect Login with Cognito button for one or more FusionAuth Applications.

    Login with Cognito
    • Register a Cognito User Pool
      • Creating a User Pool App Client With a New Pool
      • Adding an App Client To an Existing Pool
      • Adding a Test User
    • Configure a New FusionAuth OpenID Connect Identity Provider
    • Testing the Login

    These instructions are for the new Cognito interface. Make sure you are using the "new console" user interface option in the AWS console.

    Register a Cognito User Pool

    If you’re interested in connecting to Cognito, it is likely that you already have a user pool set up that you’d want to connect to. We’re adding the steps to create a new user pool in this guide in the interest of completeness, or in case you would like to set up a test user pool. You can refer to the getting started with Cognito user pools documentation for additional reference.

    You will first need to log in to AWS.

    Once logged in, search for "Cognito" in the main search field, and select the "Cognito" service.

    • Choose the region you’d like the user pool to reside in from the top right region indicator dropdown.

    • Click "Create a user pool".

    • Select the pool sign-in options for Step 1. In this example, we’ll use email.

    • Review the configurations for Step 2 up to Step 4 to make sure they conform to your needs.

    • Give the pool a name in Step 5.

    • Make sure the checkbox to use hosted authentication pages is checked.

    • Choose a domain for the user pool.

    Creating a User Pool App Client With a New Pool

    To enable FusionAuth to access the user pool, we need to set up an app client on Cognito. See Cognito: Configuring a user pool app client for additional reference.

    To create the client, in your new user pool, under Initial app client on Step 5, set the app type to confidential.

    • Give the client a name. We’ve used FusionClient.

    • Set the Callback URL to <YOUR_FUSIONAUTH_URL>/oauth2/callback under Allowed callback URLs; for example https://auth.piedpiper.com/oauth2/callback.

    • Under "Authentication flows" in the Advanced app client settings make sure the ALLOW_USER_PASSWORD_AUTH auth flow is selected.

    • Check the box for your app name under Identity Providers.

    • Select Authorization code grant under OAuth 2.0 grant types.

    • Under OpenID Connect scopes select OpenID.

    • Review the attribute read and write permissions and then click "Next" to review the user pool configuration details.

    • Scroll down and click "Create user pool".

    • Once the user pool is created, click on the user pool’s name and scroll to the "App clients and analytics" section.

    • Open the created app client and record both the Client ID and Client Secret, which can be revealed by toggling the "Show client secret" button.

    The user pool and app client are now created.

    Adding an App Client To an Existing Pool

    The existing pool must have a Hosted UI domain available and the hosted authentication pages enabled.

    Navigate to the App integration tab and go to the App client list section. Select Create app client.

    • Select the Confidential Client type.

    • Give the client a name. We’ve used FusionClient.

    • Under "Authentication flows" in the Advanced app client settings make sure the ALLOW_USER_PASSWORD_AUTH auth flow is selected.

    • In the Hosted UI settings section, set the Callback URL to <YOUR_FUSIONAUTH_URL>/oauth2/callback under Allowed callback URLs; for example https://auth.piedpiper.com/oauth2/callback.

    • Select Authorization code grant under OAuth 2.0 grant types.

    • Under OpenID Connect scopes select OpenID. You may select others.

    • Review the attribute read and write permissions and then click "Create app client".

    Next, you can open the created app client and record both the Client ID and Client Secret, which can be revealed by toggling the "Show client secret" button.

    Adding a Test User

    The next step in either case is adding a test user.

    • Open the user pool and under the Users tab, click "Create user".

    • Create a user, filling out all the form fields. Make sure to record the email address and the password.

    • Click the "Create user" button.

    Configure a New FusionAuth OpenID Connect Identity Provider

    There is no pre-configured Identity Provider for Cognito in FusionAuth. The generic OpenID Connect Identity Provider can be used instead, because Cognito implements the standard OpenID Connect protocol.

    Navigate to your FusionAuth instance. Select Settings from the sidebar and then Identity Providers.

    Select "Add OpenID Connect" from the "Add" dropdown at the top right of the page.

    Create a new OpenID integration
    • Provide a Name, like Cognito.

    • Set Client Id to the App Client Id recorded when creating the app client on Cognito.

    • Select HTTP Basic Authentication for the Client Authentication field.

    • Set the Client secret to the app client secret recorded when creating the app client on Cognito.

    • Enable Discover endpoints.

    • Use the following as the Issuer URL:

    The Issuer URL
    
    https://cognito-idp.<REGION>.amazonaws.com/<USER_POOL_ID>/

    Replace <REGION> with the AWS region code, such as us-east-2, in which you created your Cognito user pool. This can be found by selecting the region indicator at the top right of the menu bar and recording the region code displayed alongside the region location.

    Replace <USER_POOL_ID> with the Cognito user pool Id. You can find this by clicking on your user pool. This will be something like us-east-2_cbVy.
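    The two placeholders above are the only inputs FusionAuth needs, because the Discover endpoints option fetches everything else from the issuer's discovery document. The following Python script is an added example, not FusionAuth or AWS code: it fills in <REGION> and <USER_POOL_ID>, rejects a pool Id that belongs to a different region than the one given (the Id embeds its region), derives the discovery document URL, and checks a discovery document for the properties this guide relies on (matching issuer claim, HTTPS endpoints, authorization code grant, openid scope, HTTP Basic client authentication). It uses only the standard OpenID Connect Discovery 1.0 field names; SAMPLE_DISCOVERY is constructed for the example and is not real Cognito output.

```python
"""Build the Cognito Issuer URL from the two placeholders in this guide and
sanity-check the discovery document FusionAuth will fetch from it.

Added example; it is not FusionAuth or AWS code. It relies only on the
OpenID Connect Discovery 1.0 metadata field names. SAMPLE_DISCOVERY below is
constructed to resemble a Cognito document; fetch the real one to check yours.
"""
import json
import re
from typing import List
from urllib.parse import urlparse

# AWS region codes look like "us-east-2"; Cognito user pool Ids are the region
# followed by "_" and an alphanumeric suffix, e.g. "us-east-2_cbVy" from the guide.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")
POOL_ID_RE = re.compile(r"^(?P<region>[a-z]{2}(-[a-z]+)+-\d)_[A-Za-z0-9]+$")


def cognito_issuer(region: str, user_pool_id: str) -> str:
    """Return the Issuer URL with <REGION> and <USER_POOL_ID> filled in.

    Rejects malformed input and, since the pool Id embeds its region, a pool
    Id that belongs to a different region than the one given.
    """
    if not REGION_RE.match(region):
        raise ValueError(f"not an AWS region code: {region!r}")
    match = POOL_ID_RE.match(user_pool_id)
    if not match:
        raise ValueError(f"not a Cognito user pool Id: {user_pool_id!r}")
    if match.group("region") != region:
        raise ValueError(f"pool {user_pool_id!r} is not in region {region!r}")
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}/"


def discovery_url(issuer: str) -> str:
    """The document the 'Discover endpoints' option resolves from the issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer: str, document: dict) -> List[str]:
    """Return the problems that would break the configuration in this guide.

    An empty list means: the issuer claim matches, the endpoints are present
    and HTTPS, and the authorization code grant, the openid scope and HTTP
    Basic client authentication are all supported.
    """
    problems = []
    if document.get("issuer") != issuer.rstrip("/"):
        problems.append(f"issuer claim {document.get('issuer')!r} does not match the configured issuer")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = document.get(key)
        if not url:
            problems.append(f"{key} missing")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https")
    if "code" not in document.get("response_types_supported", []):
        problems.append("authorization code grant not supported")
    # scopes_supported is optional metadata; only complain when present and lacking openid.
    scopes = document.get("scopes_supported")
    if scopes is not None and "openid" not in scopes:
        problems.append("openid scope not advertised")
    # Per the Discovery spec the default when this field is absent is client_secret_basic.
    methods = document.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_basic" not in methods:
        problems.append("HTTP Basic client authentication not supported")
    return problems


# Constructed sample shaped like a Cognito discovery document (not real output).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_cbVy",
  "authorization_endpoint": "https://example-pool.auth.us-east-2.amazoncognito.com/oauth2/authorize",
  "token_endpoint": "https://example-pool.auth.us-east-2.amazoncognito.com/oauth2/token",
  "jwks_uri": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_cbVy/.well-known/jwks.json",
  "response_types_supported": ["code", "token"],
  "scopes_supported": ["openid", "email", "phone", "profile"],
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
}""")

if __name__ == "__main__":
    issuer = cognito_issuer("us-east-2", "us-east-2_cbVy")
    print("issuer:   ", issuer)
    print("discovery:", discovery_url(issuer))
    print("problems: ", check_discovery(issuer, SAMPLE_DISCOVERY) or "none")
```

    Running it against the real document (the discovery URL it prints, fetched with any HTTP client) is a quick way to confirm the region and pool Id before saving the Identity Provider: a wrong region produces a DNS or 404 error at fetch time, and a pool Id from another region fails the issuer comparison even though the fetch may succeed.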

    User Pool Id in Cognito

    Set Button Text to Login with Cognito. You can also add a URL to a Cognito icon for the button icon if you wish.

    Set the Scope field to openid. Choose a Linking Strategy of Link on email. Create the user if they do not exist. With this strategy, a Cognito login is linked to the existing FusionAuth user with the same email address, and a new FusionAuth user is created when there is none. You may also choose a different linking strategy; see Linking Strategies for more options.

    Choose No Lambda for the Reconcile Lambda field. If you want to examine or modify the response of the Cognito authentication event and modify the user based on that, you can create a lambda and assign it here.

    Then, choose the applications for which you would like the Cognito sign-in to be available and enable them. You can also create a FusionAuth registration for each application on successful authentication.

    Once you are done, you should have a configuration similar to this:

    OpenID integration settings
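    The linking strategy is the one setting in this configuration that decides which FusionAuth account a Cognito login lands in, and the note at the top of this guide explains why Link on email cannot serve every Cognito user. The following Python script is an added example, not FusionAuth code: it replays the three strategies the guide names (link on email, link on username, anonymous link) against an in-memory stand-in for the FusionAuth user store, using constructed claim sets for a user who shares her email and one who keeps it private. The claim names (sub, email, email_verified, cognito:username) are the standard OIDC and Cognito ID-token claims; the requirement that email_verified be true before matching on email is this example's own stricter choice, not something the guide states.

```python
"""Replay FusionAuth-style linking strategies on Cognito ID-token claims.

Added example, not FusionAuth or Cognito code. UserStore is a constructed
stand-in for the FusionAuth user database; ALICE and BOB are constructed
claim sets. Strategy names follow the options named in this guide.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import uuid


@dataclass
class User:
    id: str
    email: Optional[str] = None
    username: Optional[str] = None
    links: Dict[str, str] = field(default_factory=dict)  # provider name -> provider subject


class UserStore:
    """Minimal in-memory stand-in for the FusionAuth user database (constructed)."""

    def __init__(self) -> None:
        self.users = []

    def find_by_link(self, provider: str, subject: str) -> Optional[User]:
        return next((u for u in self.users if u.links.get(provider) == subject), None)

    def find_by_email(self, email: str) -> Optional[User]:
        return next((u for u in self.users if u.email and u.email.lower() == email.lower()), None)

    def find_by_username(self, username: str) -> Optional[User]:
        return next((u for u in self.users if u.username == username), None)

    def create(self, **attrs) -> User:
        user = User(id=str(uuid.uuid4()), **attrs)
        self.users.append(user)
        return user


def link_cognito_login(store: UserStore, claims: dict, strategy: str) -> Tuple[Optional[User], str]:
    """Apply one linking strategy to the claims of a successful Cognito login.

    Returns (user, outcome) where outcome is 'already-linked', 'linked-existing',
    'created' or 'rejected' (user is None when rejected).
    """
    subject = claims["sub"]
    user = store.find_by_link("cognito", subject)
    if user is not None:
        return user, "already-linked"  # returning user: the stored link wins

    if strategy == "link-on-email":
        email = claims.get("email")
        # Cognito omits 'email' for users who keep it private, so this strategy
        # cannot link them at all. Requiring email_verified before matching an
        # existing account is this example's choice, not something the guide states.
        if not email or not claims.get("email_verified", False):
            return None, "rejected"
        user = store.find_by_email(email)
        outcome = "linked-existing"
        if user is None:
            user, outcome = store.create(email=email), "created"
    elif strategy == "link-on-username":
        username = claims.get("cognito:username")
        if not username:
            return None, "rejected"
        user = store.find_by_username(username)
        outcome = "linked-existing"
        if user is None:
            user, outcome = store.create(username=username), "created"
    elif strategy == "anonymous":
        # No attribute matching at all: a fresh FusionAuth user per Cognito subject.
        user, outcome = store.create(), "created"
    else:
        raise ValueError(f"unknown linking strategy: {strategy}")

    user.links["cognito"] = subject
    return user, outcome


# Constructed ID-token claim sets: Alice shares her email, Bob keeps his private.
ALICE = {"sub": "11111111-aaaa-4bbb-8ccc-000000000001", "cognito:username": "alice",
         "email": "alice@example.com", "email_verified": True}
BOB = {"sub": "22222222-aaaa-4bbb-8ccc-000000000002", "cognito:username": "bob"}

if __name__ == "__main__":
    for claims in (ALICE, BOB):
        for strategy in ("link-on-email", "link-on-username", "anonymous"):
            _, outcome = link_cognito_login(UserStore(), claims, strategy)
            print(f"{claims['cognito:username']:6} {strategy:17} {outcome}")
```

    The script shows the trade-off behind the note at the top of the guide: link on email rejects Bob outright, link on username and anonymous link accept him, and anonymous link never merges a Cognito login into a pre-existing FusionAuth account, which is the safest choice when the attributes Cognito returns cannot be trusted to identify an existing user.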

    Testing the Login

    To test, navigate to the applications page in FusionAuth. Click on the View icon (magnifying glass) next to the application you enabled Cognito login on and copy the OAuth IdP login URL address. Navigate to this address. You should see a Login with Cognito option on your app’s sign-in page:

    Cognito log in on FusionAuth

    Click the Login with Cognito button. Test logging in with the username and password for the test user added when creating the user pool on Cognito.

    If it is all set up correctly, you should be redirected back to your app, successfully logged in. The user will be added to FusionAuth, and you can examine the Linked accounts section of the user details screen to see that the Cognito OIDC link was created.

    © 2023 FusionAuth