How do I set up Google as a federated identity provider in an Amazon Cognito user pool?

6 minute read
1

I want to use Google as a federated identity provider (IdP) in an Amazon Cognito user pool.

Resolution

Amazon Cognito user pools allow sign-in through a third party (federation). This includes through a social IdP such as Google or Facebook. For more information, see Adding social identity providers to a user pool.

Create an Amazon Cognito user pool with an app client and domain name

  1. Create a user pool.
    Note: The standard attribute email is selected by default during creation. For more information, see User pool attributes.
  2. Create an app client in your user pool. For more information, see Add an app to turn on the hosted web UI.
  3. Add a domain name for your user pool.

Create a Google API Console project

If you already have a project, then create a new project:

  1. Sign in to the Google API Console with your Google account. For more information, see Manage APIs in the API console on the Google Help website.
  2. On the Dashboard (APIs & Services), choose CREATE.
  3. Under New Project, enter a Project name.
  4. For Location, choose BROWSE, and then select a location.
  5. Choose CREATE.

For more information, see the Sign In with Google for Web documentation on the Google Identity website.

Configure the OAuth consent screen

  1. In the Google API Console, in the left navigation pane, choose OAuth consent screen.
  2. Complete the consent screen form. At minimum, do the following:
    For Application name, enter a name.
    For Authorized domains, enter amazoncognito.com.
    Important: You must enter this domain or you can't use your Amazon Cognito domain later when creating an OAuth client ID.
  3. Choose Save. You're redirected to the Credentials page.

For more information, see Complete the OAuth consent screen on the Google Workspace website.

Get OAuth 2.0 client credentials

  1. In the Google API Console, on the Credentials page, choose Create credentials. Then, choose OAuth client ID.
  2. On the Create OAuth client ID page, for Application type, choose Web application.
  3. Do the following:
    Enter a Name for your OAuth client ID.
    For Authorized JavaScript origins, enter your Amazon Cognito domain. For example: https://yourDomainPrefix.auth.region.amazoncognito.com.
    Note: Replace yourDomainPrefix and region with the values for your user pool. Find these values in the Amazon Cognito console on the Domain name page for your user pool.
    For Authorized redirect URIs, enter https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/idpresponse.
    Note: Replace yourDomainPrefix and region with the values for your user pool. See the previous step for more information.
  4. In the OAuth client dialog box, find the client ID and client secret, and then note them for later. You need these when configuring Google in your Amazon Cognito user pool.

For more information, see Using OAuth 2.0 to access Google APIs on the Google Identity website.

Configure Google as a federated IdP in your user pool

  1. In the Amazon Cognito console, choose User pools.
  2. Select the user pool that you want to use.
  3. Choose the Sign-in experience tab.
  4. Under Federated identity provider sign-in, choose Add identity provider.
  5. Select Google. Then, under Set up Google federation with this user pool:
    For Client ID, paste the client ID that you noted in a previous step.
    For Client secret, paste the client secret that noted in a previous step.
    For Authorized scopes, enter the profile email OpenID.
  6. Under Map attributes between Google and your user pool:
    For the User pool attribute of email attribute, map to the Google attribute of email.
    Choose Add another attribute, and map the User pool attribute of username to the Google attribute of username.
  7. Choose Add identity provider.

Change app client settings for your user pool

Note: In the app client settings, the mapped user pool attributes must be writable. For more information, see Specifying identity provider attribute mappings for your user pool.

  1. In the Amazon Cognito console, choose your user pool.
  2. Choose the App integration tab.
  3. Under App client list, select Create app client.
  4. For App type, select Public client. Then, enter a name for your app client.
    For Authentication Flows, select ALLOW_USER_PASSWORD_AUTH and ALLOW_REFRESH_TOKEN_AUTH.
    For Allowed Callback URL(s), enter the URL where you want your users to be redirected after logging in. For testing, enter any valid URL, such as https://www.example.com/.
    For Sign out URL(s), enter the URL where you want your users to be redirected after logging out. For testing, enter any valid URL, such as https://www.example.com/.
    For Identity providers, select Cognito user pool and Google.
    For OAuth 2.0 grant type, select Implicit grant.
    For OpenID Connect scopes, select email, openid, and profile.
    Important:
    The implicit grant OAuth flow is only for testing purposes. It's a best practice to use authorization code grant for production systems.
  5. Choose Create app client.

For more information, see App client settings terminology.

Construct the endpoint URL

Using values from your user pool, construct this login endpoint URL for the Amazon Cognito hosted web UI: https://yourDomainPrefix.auth.region.amazoncognito.com/login?response_type=token&client_id=yourClientId&redirect_uri=redirectUrl

Note: Replace yourDomainPrefix and region with the values for your user pool. Find these values in the Amazon Cognito console on the Domain name page for your user pool. Replace yourClientId with your Amazon Cognito app client's ID, and replace redirectUrl with your app client's callback URL. Find these in the Amazon Cognito console on the App client settings page for your user pool.

For more information, see How do I configure the hosted web UI for Amazon Cognito? and Login endpoint.

Test the endpoint URL

  1. Enter the constructed login endpoint URL in your web browser.
  2. On your login endpoint webpage, choose Continue with Google.
    Note: If you're redirected to your Amazon Cognito app client's callback URL, you're already logged in to your Google account in your browser. The user pool tokens appear in the URL in your web browser's address bar.
  3. Under Sign in with Google, choose your Google account and sign in.

After successfully authentication, you're redirected to your Amazon Cognito app client's callback URL. The user pool-issued JSON web tokens (JWT) appear in the URL in your web browser's address bar.
Note: In a real-world web app, the URL of the login endpoint is generated by a JavaScript SDK. This also parses the JWT tokens in the URL.

Related information

Adding user pool sign-in through a third party

AWS OFFICIAL
AWS OFFICIALUpdated 9 months ago
2 Comments

Hi team, I have created user through API or manually . User should not create post SSo with Google. Is this possible?

replied 6 hours ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 4 hours ago