AWS Cognito Integration

This document provides a step-by-step guide to configure AWS Cognito as a Custom Identity Provider (IDP) using the OAuth workflow with your LoginRadius application.

Key Features

• OAuth 2.0 based secure login with AWS Cognito

• LoginRadius as the unified authentication interface

• Field-level user data mapping and transformation

• Works seamlessly with IDX and LoginRadius V2.js

Use-Cases

• Extend LoginRadius authentication to include AWS Cognito-managed users.

• Enable federated access for customers or partners already using Cognito.

• Centralize analytics and access control in LoginRadius while maintaining user pools in AWS.

Configuration

Set up AWS Cognito

As a part of configuration kindly follow the below steps to set up AWS Cognito:

1. Log into AWS Console → Go to Services > Cognito

2. Create a User Pool and define attributes like email, phone, etc.

3. Add an App Client (disable client secret for SPAs, enable for server apps)

4. Set up a domain name under the domain section.

5. In App client settings, enable OAuth 2.0 flows and add the LoginRadius callback URL:

https://<APP_NAME>.hub.loginradius.com:443/socialauth/validate.sauth

6. Create a test user under Users and Groups for verification.

7. Note down:

   • Domain name: e.g., https://testlr.auth.us-east-1.amazoncognito.com

   • App Client ID and Secret

Configure LoginRadius Console

Once you finish setting up the AWS Cognito, start configuring the setup in LoginRadius by following the below steps:

• Go to Authentication > Custom IDPs
• Click Add Custom IDP → Select Custom OAuth Provider and fill in the following:

Field	Value
Provider Name	e.g., awscognito
Customer Login Endpoint	https://<your_domain>/oauth2/authorize
Access Token Endpoint	https://<your_domain>/oauth2/token
Application Key	Cognito App Client ID
Application Secret	Cognito App Client Secret
Scope	openid email
Response Type	code
Customer Profile Endpoint	https://<your_domain>/oauth2/userInfo
Request Token HTTP Method	POST

• Header:

Key	Value
Authorization	Bearer #accesstoken#

• Data Mapping:

Field	Value
ID	sub
Email	email

• Click Save to complete the setup.

Integration Details

To verify the configuration:

1. Go to https://<APP_NAME>.hub.loginradius.com/

2. Click on the AWS Cognito login option.

3. You’ll be redirected to the Cognito login page.

4. Enter credentials for your test user.

5. Upon success, the user is redirected to LoginRadius IDX with a valid session.

Best Practices

• Always use secure HTTPS for all endpoint URLs

• Use dedicated user pools for each environment (dev, staging, prod)

• Keep your App Client secrets secure and rotate them periodically.

• Restrict scopes to only required fields (e.g., email openid)

• Test thoroughly using sandbox user pools before production rollout.

Related Resources

• Other Pre-Built IDPs
• LoginRadius Custom IDP Guide
• LoginRadius Hosted Pages