Integrate Auth0 with Amazon Cognito
Amazon Cognito is a backend as a service that lets you focus on writing a fantastic user experience for your application (native or web).
This document will explain how you can integrate your app with two solutions: Auth0 to get authentication with either Social Providers (Facebook, Twitter, and so on), Enterprise providers or regular Username and Password, and Amazon Cognito, to get a backend for your app without writing a line of code.
Configure Amazon Web Services
Create a new OpenID Connect Provider
The first step is to create an OpenID Connect (OIDC) Provider pointing to your Auth0 account. Take note of your Auth0 domain (YOUR_DOMAIN) and your application's Client ID; both values can be found in the Settings of your chosen Application. They will be used to create the Identity Pool in the IAM Console.
In the IAM Console click on the Identity Providers link in the left sidebar. Click the Create Provider button.
Next, choose the provider type: select OpenID Connect from the dropdown. For the Provider URL enter https://YOUR_ACCOUNT_NAME.auth0.com and for Audience enter your Client ID (found in your Application's Settings).
This will bring you to the Verify Provider Information screen; click the Create button.
Then click on your newly created provider to find the Provider ARN, which will be used in a later step.
Use the Thumbprint to verify the server certificate of your IdP. To learn how, see Obtaining the Thumbprint for an OpenID Connect Identity Provider.
To obtain the Auth0 Dashboard's Thumbprint value:
- Retrieve your Auth0 Domain's certificate chain.
- Once you've obtained the certificate chain, isolate the last certificate in the chain.
- Using the last certificate in the chain, compute the fingerprint.
- Convert the fingerprint to a thumbprint by removing all of the
- Use the computed thumbprint when calling the aws iam create-open-id-connect-provider command.
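The thumbprint procedure above as a POSIX shell script, added here as an example and not taken from the Auth0 docs. It assumes openssl is installed, that the domain passed in is a placeholder for your own Auth0 domain, and that IAM expects the SHA-1 fingerprint of the last certificate in the chain with its colons removed (a 40-character hex string).

```shell
#!/bin/sh
# Added example: derive the IAM OIDC provider thumbprint for an Auth0 domain.

# Step 1: retrieve the certificate chain the domain presents during the TLS
# handshake and keep only the PEM blocks (network access required).
fetch_chain() {
  domain="$1"
  openssl s_client -showcerts -connect "$domain:443" -servername "$domain" </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Step 2: isolate the last certificate in a PEM chain read from stdin.
last_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
       { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/ { last = buf }
       END { printf "%s", last }'
}

# Steps 3 and 4: compute the SHA-1 fingerprint of the PEM certificate on stdin
# and strip the colons, giving the thumbprint IAM accepts (assumption: SHA-1).
thumbprint() {
  openssl x509 -fingerprint -sha1 -noout | sed 's/^.*=//; s/://g'
}

# Step 5 is the IAM call; print the value to paste into
# aws iam create-open-id-connect-provider when a domain is given.
# Usage: sh thumbprint.sh YOUR_ACCOUNT_NAME.auth0.com
if [ $# -eq 1 ]; then
  fetch_chain "$1" | last_cert | thumbprint
fi
```

Compare the printed value against the thumbprint IAM shows on the provider before trusting it; a mismatch means the chain changed or the wrong certificate was selected.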
Create a Cognito Identity Pool
Now, you need to create an Identity Pool in the Cognito Console. This will be used to log in to Amazon Cognito using the Auth0 Identity Provider that you created in the previous step.
Sign in to the Cognito Console.
Click Manage Federated Identities to start creating a new identity pool.
For Identity Pool Name, specify a name for the pool, e.g. Auth0. Under Authentication Providers, click the OpenID tab and select the name of the provider you created in the previous steps. Click Create Pool.
This will bring up a confirmation page for allowing access to your resources. By default, Amazon Cognito creates a new role with limited permissions - end users only have access to Cognito Sync and Mobile Analytics. You can modify the roles if your application needs access to other AWS resources, such as S3 or DynamoDB. Click Allow to finish creating the new identity pool.
Click Edit Identity Pool to view the Identity Pool ID.
Finally, grab the ARN of the role that was automatically created in the previous step from the IAM console; this value will be used when sending credentials to Cognito.
Amazon will use the public signing key from the OpenID Provider Metadata to validate the signature of the JSON Web Token (JWT).
By default, Auth0 signs tokens with the HS256 algorithm, which is not supported in this scenario (it results in "Invalid login token" errors). Go to your application in the dashboard, click the Show Advanced Settings link, then OAuth, and change the algorithm to RS256.
You can use Auth0 Lock to log the user in. You can read detailed instructions on how to implement Lock in the libraries documentation.
Once the user is successfully logged in with Auth0, the next step is to send their credentials to Amazon Cognito; see the Cognito docs for how to implement this on your platform.
Cognito takes the ID Token that you obtain from the OIDC identity provider and uses it to manufacture unique Cognito IDs for each person who uses your app. When the user is logged in to Cognito through Auth0 you can store information in Cognito that only this user will be able to access.
For example (with Swift):