How do I set up Auth0 as an OIDC provider in an Amazon Cognito user pool?
Last updated: 2022-02-22
I want to set up Auth0 as an OIDC provider in an Amazon Cognito user pool.
Amazon Cognito user pools allow signing in with third-party OpenID Connect (OIDC) identity providers such as Salesforce or Ping Identity. To set up Auth0 as an OIDC provider, you need an Amazon Cognito user pool with an app client and a domain name, and an Auth0 account with an Auth0 application.
Follow these steps to create or configure the following:
- Auth0 account
- Auth0 application
- OIDC settings
- app client settings
Create Auth0 account
If you already have an Auth0 account, then sign in. To create an Auth0 account, follow the instructions in the Auth0 Get Started documentation.
Create Auth0 application
- From the Auth0 website, choose the Dashboard.
- In the navigation pane, expand Applications, and then choose Create Application.
- In the dialog box, enter a name for the application. For example, App1.
- Under Choose an application type, choose Single Page Web Applications.
- Choose Create.
Note the Client ID, Client Secret, and Domain from the application settings tab of the Auth0 application.
In the Allowed Callback URLs section, be sure to add the Amazon Cognito callback domain for the user pool. The domain format is similar to this: https://yourDomainPrefix.auth.region.amazoncognito.com/oauth2/idpresponse
Configure OIDC settings for user pool
- Open the Amazon Cognito console, and then choose Manage User Pools.
- Choose your user pool, and then in the navigation pane, choose Identity providers.
- Choose OpenID Connect.
- Enter the Client ID and Client secret from the Auth0 application.
- Select the Attributes request method dropdown list, and then choose GET.
- For Authorization scope, enter phone email openid profile.
- For Issuer, enter the domain name from the Auth0 console. For example: https://example.auth0.com.
- Choose Create provider, and then choose Run discovery.
- Choose Create.
- In the navigation pane, choose Attribute mapping.
- Create an attribute mapping for email in the OIDC attribute section. The OIDC attribute email maps to the user pool attribute email.
Configure app client settings for user pool
- Open the Amazon Cognito console, and then choose App client settings.
- In Enabled identity providers, select the Auth0 and Cognito User Pool check boxes.
- For Callback URLs, enter a URL.
- For Sign out URL, enter a URL where the users are redirected to after signing out.
- For Allowed OAuth Flows, be sure to select at least the Implicit grant check box.
- For Allowed OAuth Scopes, be sure to select at least the email and openid check boxes.
- Choose Save changes.
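The same provider and app client configuration expressed as cognito-idp API calls with boto3, added here as an example and not taken from the article or from AWS. The helper functions, the placeholder pool, client and URL values, and the https check on the issuer are this example's own assumptions; the callback URL format and the ProviderDetails keys are those of the Cognito API.

```python
from urllib.parse import urlparse


def cognito_callback_url(domain_prefix, region):
    """Hosted UI callback URL that Auth0's Allowed Callback URLs must include."""
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com/oauth2/idpresponse"


def oidc_provider_request(user_pool_id, client_id, client_secret, issuer,
                          scopes=("phone", "email", "openid", "profile")):
    """CreateIdentityProvider parameters mirroring the console steps; Run discovery reads <issuer>/.well-known/openid-configuration."""
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or not parsed.netloc:  # refuse plaintext or malformed issuers
        raise ValueError("issuer must be an https URL such as https://example.auth0.com")
    if "openid" not in scopes:
        raise ValueError("the openid scope is required for an OIDC provider")
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": "Auth0",
        "ProviderType": "OIDC",
        "ProviderDetails": {
            "client_id": client_id,
            "client_secret": client_secret,
            "attributes_request_method": "GET",
            "oidc_issuer": issuer,
            "authorize_scopes": " ".join(scopes),
        },
        "AttributeMapping": {"email": "email"},  # OIDC claim -> user pool attribute
    }


def app_client_request(user_pool_id, app_client_id, callback_url, logout_url):
    """UpdateUserPoolClient parameters. The API resets every client setting it is
    not given to its default, so always send the complete set in one call."""
    return {
        "UserPoolId": user_pool_id,
        "ClientId": app_client_id,
        "SupportedIdentityProviders": ["COGNITO", "Auth0"],
        "CallbackURLs": [callback_url],
        "LogoutURLs": [logout_url],
        "AllowedOAuthFlows": ["implicit"],
        "AllowedOAuthScopes": ["email", "openid"],
        "AllowedOAuthFlowsUserPoolClient": True,
    }


if __name__ == "__main__":  # live calls; the IDs below are placeholders, replace with your own
    import boto3
    idp = boto3.client("cognito-idp", region_name="us-east-1")
    idp.create_identity_provider(**oidc_provider_request(
        "us-east-1_EXAMPLE", "AUTH0_CLIENT_ID", "AUTH0_CLIENT_SECRET", "https://example.auth0.com"))
    idp.update_user_pool_client(**app_client_request(
        "us-east-1_EXAMPLE", "APP_CLIENT_ID", "https://app.example.com/callback", "https://app.example.com/logout"))
```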
Testing the setup
- Open the Amazon Cognito console, and choose Manage User Pools.
- In the navigation pane, choose App client settings.
- Select your app client, and then choose Launch Hosted UI.
- On the Hosted UI page, choose Auth0, and then sign in on the Auth0 login page.
- The page redirects to the callback URL specified in the app client settings.
- (Optional) Check that the Auth0 user was created under Users and groups in the user pool.