How do I set up Google as a federated identity provider in an Amazon Cognito user pool?

Last updated: 2019-12-20

I want to use Google as a federated identity provider (IdP) in an Amazon Cognito user pool. How do I set that up?

Resolution

Amazon Cognito user pools allow sign-in through a third party (federation), including through a social IdP such as Google or Facebook. For more information, see Adding Social Identity Providers to a User Pool.

Create an Amazon Cognito user pool with an app client and domain name

  1. Create a user pool.
    Note: During creation, the standard attribute email is selected by default. For more information, see Configuring User Pool Attributes.
  2. Create an app client in your user pool. For more information, see Add an App to Enable the Hosted Web UI.
  3. Add a domain name for your user pool.

Create a Google API Console project

If you don't have one already, create a new project.

  1. Sign in to the Google API Console with your Google account. For more information, see API Console Help on the Google Help website.
  2. On the Dashboard (APIs & Services), choose CREATE.
  3. Under New Project, enter a Project name.
  4. For Location, choose BROWSE, and then select a location.
  5. Choose CREATE.

For more information, see Integrating Google Sign-In into your web app on the Google Sign-In for Websites website.

Configure the OAuth consent screen

  1. In the Google API Console, in the left navigation pane, choose OAuth consent screen.
  2. Complete the consent screen form. At minimum, do the following:
    For Application name, enter a name.
    For Authorized domains, enter amazoncognito.com.
    Important: You must enter this domain, or you won't be able to use your Amazon Cognito domain later when creating an OAuth client ID.
  3. Choose Save. You're redirected to the Credentials page.

For more information, see Completing the OAuth consent screen on the Google Apps Script website.

Get OAuth 2.0 client credentials

  1. In the Google API Console, on the Credentials page, choose Create credentials, and then choose OAuth client ID.
  2. On the Create OAuth client ID page, for Application type, choose Web application.
  3. Do the following:
    Enter a Name for your OAuth client ID.
    For Authorized JavaScript origins, enter your Amazon Cognito domain (https://yourDomainPrefix.auth.region.amazoncognito.com).
    Note: Replace yourDomainPrefix and region with the values for your user pool. Find these values in the Amazon Cognito console on the Domain name page for your user pool.
    For Authorized redirect URIs, enter https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/idpresponse.
    Note: Replace yourDomainPrefix and region with the values for your user pool. See the previous step for more information.
  4. In the OAuth client dialog, find the client ID and client secret, and then note them for later. You'll need these when configuring Google in your Amazon Cognito user pool.

For more information, see Using OAuth 2.0 to Access Google APIs on the Google Identity Platform website.

Configure Google as a federated IdP in your user pool

  1. In the Amazon Cognito console, choose Manage user pools, and then choose your user pool.
  2. In the left navigation pane, under Federation, choose Identity providers.
  3. Choose Google.
  4. Do the following:
    For Google app ID, paste the client ID that you noted.
    For App secret, paste the client secret that you noted.
    For Authorize scope, enter profile email openid.
  5. Choose Enable Google.

For more information, see Add a Social IdP to Your User Pool.

Map email from Google attribute to user pool attribute

Note: In the attribute mapping, the mapped user pool attributes must be mutable. For more information, see Specifying Identity Provider Attribute Mappings for Your User Pool.

  1. In the Amazon Cognito console, choose Manage user pools, and then choose your user pool.
  2. In the left navigation pane, under Federation, choose Attribute mapping.
  3. On the attribute mapping page, choose the Google tab.
  4. Next to the Google attribute named email, select the Capture check box.
  5. Next to email, for User pool attribute, choose Email from the list.
  6. Choose Save changes.

Change app client settings for your user pool

Note: In the app client settings, the mapped user pool attributes must be writable. For more information, see Specifying Identity Provider Attribute Mappings for Your User Pool.

  1. In the Amazon Cognito console, choose Manage user pools, and then choose your user pool.
  2. In the left navigation pane, under App integration, choose App client settings.
  3. On the app client page, do the following:
    Under Enabled Identity Providers, select the Google check box.
    For Callback URL(s), enter a URL where you want your users to be redirected after logging in. For testing, you can enter any valid URL, such as https://www.example.com/.
    For Sign out URL(s), enter a URL where you want your users to be redirected after logging out. For testing, you can enter any valid URL, such as https://www.example.com/.
    Under Allowed OAuth Flows, select at least the Implicit grant check box.
    Under Allowed OAuth Scopes, select at least the email, openid, and profile check boxes.
  4. Choose Save changes.

For more information, see App Client Settings Overview.

Construct the endpoint URL

Using values from your user pool, construct this login endpoint URL for the Amazon Cognito hosted web UI:

https://yourDomainPrefix.auth.region.amazoncognito.com/login?response_type=token&client_id=yourClientId&redirect_uri=redirectUrl

Be sure to do the following:

  • Replace yourDomainPrefix and region with the values for your user pool. Find these values in the Amazon Cognito console on the Domain name page for your user pool.
  • Replace yourClientId with your Amazon Cognito app client's ID, and replace redirectUrl with your app client's callback URL. Find these in the Amazon Cognito console on the App client settings page for your user pool.

For more information, see How do I configure the hosted web UI for Amazon Cognito? and LOGIN Endpoint.

Test the endpoint URL

  1. Enter the constructed login endpoint URL in your web browser.
  2. On your login endpoint webpage, choose Continue with Google.
    Note: If you're redirected to your Amazon Cognito app client's callback URL, you're already logged in to your Google account in your browser. The user pool tokens appear in the URL in your web browser's address bar.
  3. Under Sign in with Google, choose your Google account and sign in.

After successfully authenticating, you're redirected to your Amazon Cognito app client's callback URL. The user pool-issued JSON web tokens (JWT) appear in the URL in your web browser's address bar.

Note: In a real-world web app, the URL of the LOGIN endpoint is generated by a JavaScript SDK, which also takes care of parsing the JWT tokens in the URL.
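
The following added example (not part of the original article and not AWS SDK code) shows what the "Construct the endpoint URL" and "Test the endpoint URL" steps involve: building the login URL with an encoded redirect_uri, reading the tokens from the callback URL fragment, and checking the ID token's claims against your user pool. The names example-prefix, us-east-1, us-east-1_EXAMPLE, the sample claims, and the unsigned sample token are constructed placeholders.

```javascript
// Constructed placeholder configuration; replace with your user pool's values.
const cfg = {
  domainPrefix: "example-prefix", region: "us-east-1",
  userPoolId: "us-east-1_EXAMPLE", clientId: "yourClientId",
  redirectUri: "https://www.example.com/", // must match an app client callback URL
};

// Build the hosted UI login URL; URLSearchParams percent-encodes redirect_uri.
function buildLoginUrl(c) {
  const url = new URL(`https://${c.domainPrefix}.auth.${c.region}.amazoncognito.com/login`);
  url.search = new URLSearchParams({
    response_type: "token", client_id: c.clientId, redirect_uri: c.redirectUri,
  }).toString();
  return url.toString();
}

// The implicit grant returns tokens in the URL fragment (after "#").
function parseCallback(callbackUrl) {
  const params = new URLSearchParams(new URL(callbackUrl).hash.slice(1));
  const idToken = params.get("id_token");
  if (!idToken) throw new Error("no id_token in callback fragment");
  return { idToken, accessToken: params.get("access_token") };
}

// Decode the JWT payload for inspection only; this does not verify the signature.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a three-part JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Return the names of claims that do not match this user pool and app client.
function checkIdTokenClaims(claims, c, nowSeconds = Date.now() / 1000) {
  const bad = [];
  if (claims.iss !== `https://cognito-idp.${c.region}.amazonaws.com/${c.userPoolId}`) bad.push("iss");
  if (claims.aud !== c.clientId) bad.push("aud");
  if (claims.token_use !== "id") bad.push("token_use");
  if (!(claims.exp > nowSeconds)) bad.push("exp");
  return bad;
}

// Constructed sample callback: unsigned token with placeholder signature "sig".
const b64url = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleClaims = { iss: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
  aud: "yourClientId", token_use: "id", exp: 4102444800, email: "user@example.com" };
const sampleCallback = `https://www.example.com/#id_token=${b64url({ alg: "RS256" })}.` +
  `${b64url(sampleClaims)}.sig&access_token=placeholder&token_type=Bearer&expires_in=3600`;
```

The claim checks do not replace signature verification: before trusting a token, verify its signature against the user pool's published JSON Web Key Set.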

