Integrate with Amazon Cognito

Amazon Cognito is a backend as a service that lets you focus on writing a fantastic user experience for your application (native or web). You can read more and sign up for services at Amazon Cognito.

This document will explain how you can integrate your app with two solutions: Auth0 to get authentication with either Social providers (Facebook, Twitter, and so on), Enterprise providers or regular Username and Password, and Amazon Cognito, to get a backend for your app without writing a line of code. You can review available providers on our View Connections page.

Configure Amazon Web Services

Create a new OpenID Connect Provider

The first step is to create an OpenID Connect (OIDC) Provider pointing to your Auth0 account. Take note of your Auth0 domain (YOUR_DOMAIN) and your applicationId; both values can be found in your Application Settings. They will be used to create the Identity Pool in the IAM Console.

  1. In the IAM Console click on the Identity Providers link in the left sidebar. Click the Create Provider button.

  2. For the provider type, select OpenID Connect from the dropdown. For the Provider URL enter: https://YOUR_ACCOUNT_NAME.auth0.com and for Audience enter your ClientId (find your ClientID).

  3. The Verify Provider Information screen appears. Click Create.

  4. Click on your newly created provider to find the Provider ARN which will be used in a later step.

  5. Use the Thumbprint to verify the server certificate of your IdP. To learn how, see Obtaining the Thumbprint for an OpenID Connect Identity Provider.

It's not necessary to set up an IAM role after creating the identity provider. If you don't have one already, Cognito will create a default IAM role in the next step.

To obtain the Auth0 Dashboard's Thumbprint value:

  1. Retrieve your Auth0 Domain's certificate chain.

  2. Once you've obtained the certificate chain, isolate the last certificate in the chain. This should be the certificate of your root Certificate Authority (CA).

  3. Using this CA certificate, compute the fingerprint.

  4. Convert the fingerprint to a thumbprint by removing all of the : characters.

  5. Use the computed thumbprint when calling the aws iam create-open-id-connect-provider command.
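As an added example (not part of this Auth0 page or the AWS CLI), the thumbprint steps above in Python's standard library: take a PEM chain as saved from openssl s_client -showcerts, hash the DER of the last certificate with SHA-1, strip the colons, and assemble the aws iam create-open-id-connect-provider call. The chain is constructed from arbitrary bytes, and the domain and ClientId are placeholders.

```python
import base64
import hashlib
import re
from typing import List

# Constructed chain for demonstration: the "certificates" are arbitrary bytes
# wrapped as PEM, which is all the thumbprint computation touches. A real chain
# is what `openssl s_client -showcerts -connect YOUR_DOMAIN.auth0.com:443` prints.
LEAF_DER = b"constructed-leaf-certificate-bytes"
ROOT_DER = b"constructed-root-ca-certificate-bytes"

def pem_block(der: bytes) -> str:
    """Wrap DER bytes as one PEM CERTIFICATE block."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

CONSTRUCTED_CHAIN = pem_block(LEAF_DER) + pem_block(ROOT_DER)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def chain_certs_der(pem_chain: str) -> List[bytes]:
    """Every certificate in the chain, in file order, as DER bytes."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_chain)]

def oidc_thumbprint(pem_chain: str) -> str:
    """Thumbprint of the last certificate in the chain (the root CA).

    openssl's `-fingerprint -sha1` is SHA-1 over the DER encoding; IAM wants
    that hex digest with the ':' separators removed, i.e. 40 hex characters.
    """
    certs = chain_certs_der(pem_chain)
    if not certs:
        raise ValueError("no PEM certificates found in chain")
    return hashlib.sha1(certs[-1]).hexdigest().upper()

def create_provider_command(domain: str, client_id: str, thumbprint: str) -> str:
    """The aws iam create-open-id-connect-provider call for this Auth0 tenant."""
    if not re.fullmatch(r"[0-9A-F]{40}", thumbprint):
        raise ValueError("thumbprint must be 40 hex characters (SHA-1, no colons)")
    return ("aws iam create-open-id-connect-provider "
            f"--url https://{domain} --client-id-list {client_id} "
            f"--thumbprint-list {thumbprint}")

if __name__ == "__main__":
    tp = oidc_thumbprint(CONSTRUCTED_CHAIN)
    # Placeholders: substitute your Auth0 domain and the application's ClientId.
    print(create_provider_command("YOUR_ACCOUNT_NAME.auth0.com", "YOUR_CLIENT_ID", tp))
```

Compare the printed thumbprint with what `openssl x509 -fingerprint -sha1 -noout` reports for the root certificate before registering it; a mismatch means the wrong certificate in the chain was picked.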

Create a Cognito Identity Pool

Now, you need to create an Identity Pool in the Cognito Console. This will be used to log in to Amazon Cognito using the Auth0 Identity Provider that you created in the previous step.

  1. Sign in to the Cognito Console.

  2. Click Manage Federated Identities to start creating a new identity pool.

  3. For Identity Pool Name, specify a name for the pool e.g. Auth0. Under Authentication Providers, click the OpenID tab and select the name of the provider you created in the previous steps. Click Create Pool. A confirmation page appears that allows access to your resources. By default, Amazon Cognito creates a new role with limited permissions - end users only have access to Cognito Sync and Mobile Analytics. You can modify the roles if your application needs access to other AWS resources, such as S3 or DynamoDB.

  4. Click Allow to finish creating the new identity pool.

  5. Click Edit Identity Pool to view the Identity Pool ID.

  6. Finally, grab the ARN of the role that was automatically created in the previous step from the IAM console; this value will be used when sending credentials to Cognito.

Configure Auth0

Amazon uses the public signing key from the OpenID Provider Metadata to validate the signature of the JSON Web Token (JWT). By default, Auth0 uses the HS256 signature algorithm which is not supported in this scenario (this will result in "Invalid login token" errors).

Go to Auth0 Dashboard > Applications > Applications, click the Show Advanced Settings link and then OAuth and change the algorithm to RS256.
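As an added example (not part of this page or of any Auth0 or AWS library), a pre-flight check to run on an Auth0 ID token before handing it to Cognito: it decodes the header and claims and reports the mismatches that produce "Invalid login token" given the setup above (alg not RS256, iss not the registered Provider URL, aud missing the configured ClientId). The token here is constructed with a placeholder signature; signature verification is left to Cognito.

```python
import base64
import json
from typing import Any, Dict, List

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_demo_token(header: Dict[str, Any], claims: Dict[str, Any]) -> str:
    """Constructed token for the checks below; a real Auth0 ID token carries an
    RS256 signature, which this placeholder third segment does not."""
    segs = [b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)]
    return ".".join(segs + ["c2lnbmF0dXJl"])  # base64url of "signature", a placeholder

def issuer_host(url: str) -> str:
    """Compare issuers by host: Auth0 emits 'https://tenant.auth0.com/', IAM stores 'https://tenant.auth0.com'."""
    return url.split("://", 1)[-1].rstrip("/")

def preflight_id_token(token: str, auth0_domain: str, client_id: str) -> List[str]:
    """Reasons Cognito would reject this ID token given the setup on this page, if any.

    Checks only what the page configures: alg must be RS256 (Cognito verifies with
    the public key from the OIDC metadata, so HS256 yields "Invalid login token"),
    iss must be the Provider URL registered in IAM, aud must contain the Audience
    (ClientId). Signature verification itself is left to Cognito.
    """
    problems: List[str] = []
    try:
        header_seg, claims_seg, _sig = token.split(".")
        header = json.loads(b64url_decode(header_seg))
        claims = json.loads(b64url_decode(claims_seg))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return ["token is not a parseable three-segment JWT"]
    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}; set the Auth0 application's JWT algorithm to RS256")
    if issuer_host(str(claims.get("iss", ""))) != issuer_host(auth0_domain):
        problems.append(f"iss {claims.get('iss')!r} does not match provider https://{auth0_domain}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include the configured audience {client_id!r}")
    return problems

if __name__ == "__main__":
    tok = make_demo_token({"alg": "HS256", "typ": "JWT"},
                          {"iss": "https://YOUR_ACCOUNT_NAME.auth0.com/", "aud": "YOUR_CLIENT_ID"})
    print(preflight_id_token(tok, "YOUR_ACCOUNT_NAME.auth0.com", "YOUR_CLIENT_ID"))
```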


Implementation

You can use Auth0 Lock to log the user in. You can read detailed instructions on how to implement Lock in the libraries documentation.

Once the user is successfully logged in with Auth0, the next step is to send their credentials to Amazon Cognito; see the Cognito docs for how to implement this on your platform.

Cognito takes the ID token that you obtain from the OIDC identity provider and uses it to manufacture unique Cognito IDs for each person who uses your app. When the user is logged in to Cognito through Auth0, you can store information in Cognito that only this user will be able to access.

For example (with Swift):

// The default AWSCognito client uses the credentials provider you configured
// with the Auth0 ID token in the previous step.
let cognitoSync = AWSCognito.defaultCognito()
let dataset = cognitoSync.openOrCreateDataset("MainDataset")

// Get an existing value: synchronize pulls the dataset for this Cognito identity.
dataset.synchronize().continueWithBlock { (task) -> AnyObject! in
    if task.error != nil {
        // Handle the failure (for example an "Invalid login token" rejection).
        return nil
    }
    // The continuation runs off the main thread; UI updates go to the main queue.
    dispatch_async(dispatch_get_main_queue(), { () -> Void in
        self.textValue.text = dataset.stringForKey("value")
    })
    return nil
}

// Set a new value and push it to Cognito.
dataset.setString(self.textValue.text, forKey: "value")
dataset.synchronize()