How do I set up LinkedIn as a social identity provider in an Amazon Cognito user pool?

Last updated: 2019-06-27

I want my app's users to be able to sign in using LinkedIn. How do I set up LinkedIn as a social identity provider (IdP) in an Amazon Cognito user pool?

Short Description

LinkedIn doesn't provide all of the fields that Amazon Cognito requires when adding an OpenID Connect (OIDC) provider to a user pool.

You must use a third-party service as a middle agent between LinkedIn and Amazon Cognito, such as Auth0. Auth0 will get identities from LinkedIn, and Amazon Cognito will get those identities from Auth0.

Note: Auth0 is a third-party service that is not affiliated with AWS. You may incur separate fees using Auth0.

You can also use this setup for other social IdPs that might have similar integration issues. For more information, see Connections on the Auth0 website.

Resolution

Create an Amazon Cognito user pool with an app client and domain name

For more information on creating these prerequisites, see the following articles:

Sign up for an Auth0 account

Note: If you already have an Auth0 account, log in.

Enter your email address and a password on the Auth0 website sign up page to get started.

After logging in, make note of your Auth0 tenant name.

Create an Auth0 application

Note: If you've already created the Auth0 application you want to use, continue to the next section.

  1. On the Auth0 website dashboard, choose + Create Application.
  2. In the Create Application dialog, enter a name for your application. For example, My App.
  3. Under Choose an application type, choose Single Page Web Applications.
  4. Choose Create.
  5. On the Settings pane of your new application, do the following:
    Find the Client ID and Client Secret and copy them down. You'll need these later when connecting Auth0 to your Amazon Cognito user pool.
    For Allowed Callback URLs, enter https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/idpresponse.
    Note: Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool.
  6. Choose Save changes.

Sign up for a LinkedIn account

Note: If you already have a LinkedIn account, sign in.

Enter your email address and a password on the LinkedIn website sign up page to get started.

Create a LinkedIn app

  1. On the LinkedIn Developers website, choose Create app.
  2. On the Create an app page, complete all required and preferred fields to customize your LinkedIn app, and then choose Create app.
  3. Choose the Auth pane.
    Note: Under Permissions, confirm that r_emailaddress and r_liteprofile are listed. These permissions are required for Auth0 to access the required LinkedIn user info.
  4. Under Application credentials, find the Client ID and Client Secret and copy them down. You'll need both of these later when connecting LinkedIn to your Auth0 app.
  5. Under OAuth 2.0 settings, next to Redirect URLs:, choose the pencil icon, and then choose + Add redirect URL.
  6. Under Redirect URLs:, enter https://tenantName.auth0.com/login/callback, replacing tenantName with your Auth0 tenant name (or an Auth0 custom domain).

For more information, see Add LinkedIn Login to Your App on the Auth0 website.

Connect to LinkedIn from Auth0

  1. On the Auth0 website dashboard, in the left navigation pane, choose Connections, and then choose Social.
  2. Choose LinkedIn.
  3. On the Settings pane of the LinkedIn dialog, do the following:
    For API Key, enter the Client ID you copied earlier from your LinkedIn app.
    For Secret Key, enter the Client Secret you copied earlier from your LinkedIn app.
    For Attributes, select the Email address check box.
  4. Choose Save.
  5. On the Applications pane of the LinkedIn dialog, choose the application(s) for which you want to enable LinkedIn as a social IdP.
  6. Choose Save.

For more information, see Add LinkedIn Login to Your App on the Auth0 website.

Test your LinkedIn social connection with Auth0

  1. In the LinkedIn dialog, choose Try. Or, on the Auth0 website dashboard, in the left navigation pane, choose Connections, choose Social, and then next to LinkedIn, choose Try. A new browser tab or window opens to the LinkedIn sign-in page.
  2. Sign in to LinkedIn with your email address and password.
  3. When prompted to allow your app to access your LinkedIn user info, choose Allow.

For more information, see Test Social Connections on the Auth0 website.

Add an OIDC provider to your user pool

  1. In the Amazon Cognito console management page for your user pool, under Federation, choose Identity Providers.
  2. Choose OpenID Connect.
  3. Enter the details of your Auth0 app for the OIDC provider details, as follows:
    For Provider name, enter a name (for example, Auth0-LinkedIn). This name appears in the Amazon Cognito hosted web UI.
    Note: You can't change this field after creating the provider. If you plan to include this field in your app or use the Amazon Cognito hosted web UI, use a name that you're comfortable with your app's users seeing.
    For Client ID, enter the Client ID you copied earlier from your Auth0 application.
    For Client secret (optional), enter the Client Secret you copied earlier from your Auth0 application.
    For Attributes request method, leave the setting as GET.
    For Authorize scope, enter openid profile email.
    For Issuer, enter the URL of your Auth0 profile. For example, https://tenantName.auth0.com, replacing tenantName with your Auth0 tenant name.
    For Identifiers (optional), you can enter a custom string to use later in the endpoint URL in place of your OIDC provider's name.
  4. Choose Run discovery to fetch the OIDC configuration endpoints for Auth0.
  5. Choose Create provider.

For more information, see Add an OIDC IdP to Your User Pool.

Change app client settings for your user pool

  1. In the Amazon Cognito console management page for your user pool, under App integration, choose App client settings.
  2. On the app client page, do the following:
    Under Enabled Identity Providers, select the OIDC provider (for example, Auth0-LinkedIn) and Cognito User Pool check boxes.
    For Callback URL(s), enter a URL where you want your users to be redirected after logging in. For testing, you can enter any valid URL, such as https://example.com/.
    For Sign out URL(s), enter a URL where you want your users to be redirected after logging out. For testing, you can enter any valid URL, such as https://example.com/.
    Under Allowed OAuth Flows, select the Authorization code grant or Implicit grant check box, or both if you prefer.
    Note: The allowed OAuth flows you enable determine which values ("code" or "token") you can use for the response_type parameter in your endpoint URL.
    Under Allowed OAuth Scopes, select at least the email and openid check boxes.
  3. Choose Save changes.

For more information, see App Client Settings Overview.

Map the attributes from Auth0 to your user pool

  1. In the Amazon Cognito console management page for your user pool, under Federation, choose Attribute mapping.
  2. On the attribute mapping page, choose the OIDC tab.
  3. If you have more than one OIDC provider in your user pool, choose your new provider from the dropdown.
  4. Confirm that the OIDC attribute sub is mapped to the user pool attribute Username.
  5. Choose Add OIDC attribute. For the new OIDC attribute, enter email. For User pool attribute, choose Email.
  6. (Optional) Add any additional OIDC attributes you want to pass along from Auth0. For example, you might map given_name and family_name to the corresponding Amazon Cognito user pool attributes.
    Note: To see all the OIDC attributes stored for an Auth0 user, from the Auth0 website dashboard, in the left navigation pane, choose Users & Roles, choose Users, choose a user, and then choose Raw JSON.

For more information, see Specifying Identity Provider Attribute Mappings for Your User Pool.

Construct the endpoint URL

Using values from your own setup, construct this endpoint URL:

https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/authorize?response_type=code&client_id=yourClientId&redirect_uri=redirectUrl

Do the following to customize the URL for your setup:

  • Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool.
  • If you selected only the Implicit grant flow earlier for Allowed OAuth Flows, change response_type=code to response_type=token.
  • Replace yourClientId with your app client's ID, and replace redirectUrl with your app client's callback URL. Find them in the Amazon Cognito console on the App client settings tab of the management page for your user pool.

For more information, see How do I configure the hosted web UI for Amazon Cognito? and AUTHORIZATION Endpoint.

Test the endpoint URL

  1. Enter the constructed endpoint URL in your web browser.
  2. Under Sign in with your corporate ID, choose the name of your OIDC provider (for example, Auth0-LinkedIn). You're redirected to the login page for your Auth0 application.
  3. Choose Log in with LinkedIn. You're redirected to the LinkedIn sign-in page.
    Note: If you're redirected to your Amazon Cognito app client's callback URL instead, that means you're already signed in to LinkedIn.
  4. On the LinkedIn sign-in page, enter the email address (or phone number) and password for your LinkedIn account.
  5. Choose Sign in.

After you log in successfully, you're redirected to your app client's callback URL. The authorization code or user pool tokens appear in the URL in your web browser's address bar.

(Optional) Skip the Amazon Cognito hosted UI

If you want your users to skip the Amazon Cognito hosted web UI when signing in to your app, use this as the endpoint URL instead:

https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/authorize?response_type=code&identity_provider=oidcProviderName&client_id=yourClientId&redirect_uri=redirectUrl&scope=allowedOauthScopes

Do the following to customize the URL for your setup:

  • Replace yourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the Domain name tab of the management page for your user pool.
  • If you selected only the Implicit grant flow earlier for Allowed OAuth Flows, change response_type=code to response_type=token.
  • Replace oidcProviderName with the name of the OIDC provider in your user pool. For example, Auth0-LinkedIn.
  • (Optional) If you added an identifier for your OIDC provider earlier in the Identifiers (optional) field, you can replace identity_provider=oidcProviderName with idp_identifier=idpIdentifier, replacing idpIdentifier with your custom identifier string.
  • Replace yourClientId with your app client's ID, and replace redirectUrl with your app client's callback URL. Find them in the Amazon Cognito console on the App client settings tab of the management page for your user pool.
  • Replace allowedOauthScopes with the specific scopes you want your Amazon Cognito app client to request.

For more information, see How do I configure the hosted web UI for Amazon Cognito? and AUTHORIZATION Endpoint.
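The following is an added example (not part of the original article or of AWS's own tooling) that builds both forms of the authorize URL described above, the hosted-UI form and the form that skips the hosted UI, and then reads the code or tokens Cognito appends to the callback URL. It assumes the placeholder values shown in the article (domain prefix, region, app client ID, callback URL, provider name) are supplied by the caller, and it adds an optional state parameter, which the article does not mention but which the Cognito authorize endpoint accepts and returns unchanged.

```python
"""Build the Cognito /oauth2/authorize URL for an Auth0-fronted LinkedIn OIDC provider."""
from urllib.parse import urlencode, urlsplit, parse_qs

COGNITO_DOMAIN = "https://{prefix}.auth.{region}.amazoncognito.com"


def build_authorize_url(domain_prefix, region, client_id, redirect_uri,
                        allowed_flows=("code",), scopes=("openid", "email"),
                        provider_name=None, idp_identifier=None, state=None):
    """Return the authorize URL for the app client.

    allowed_flows mirrors 'Allowed OAuth Flows' in the app client settings: when
    only the implicit grant is enabled, response_type must be 'token'.
    provider_name (identity_provider=) or idp_identifier (idp_identifier=) makes
    Cognito skip the hosted-UI provider picker; pass at most one of them.
    """
    if provider_name and idp_identifier:
        raise ValueError("use identity_provider or idp_identifier, not both")
    response_type = "code" if "code" in allowed_flows else "token"
    params = {"response_type": response_type}
    if provider_name:
        params["identity_provider"] = provider_name
    elif idp_identifier:
        params["idp_identifier"] = idp_identifier
    params["client_id"] = client_id
    params["redirect_uri"] = redirect_uri      # urlencode percent-encodes it
    params["scope"] = " ".join(scopes)         # must be a subset of Allowed OAuth Scopes
    if state:
        params["state"] = state                # assumed addition: returned unchanged by Cognito
    base = COGNITO_DOMAIN.format(prefix=domain_prefix, region=region)
    return f"{base}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url):
    """Extract what Cognito appended to the callback URL after sign-in.

    Authorization code grant: ?code=... in the query string.
    Implicit grant: id_token / access_token in the URL fragment (after '#').
    """
    parts = urlsplit(callback_url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fragment = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    if "code" in query:
        return {"grant": "code", "code": query["code"], "state": query.get("state")}
    if "id_token" in fragment or "access_token" in fragment:
        return {"grant": "token", "id_token": fragment.get("id_token"),
                "access_token": fragment.get("access_token"),
                "state": fragment.get("state")}
    raise ValueError("no authorization code or tokens found in callback URL")
```

Compare the returned state with the value you sent before using the code or tokens; a mismatch means the callback did not originate from your own authorize request.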