How do I set up Auth0 as an OIDC provider in an Amazon Cognito user pool?


I want to set up Auth0 as an OIDC provider in a Cognito user pool.

Short description

Cognito user pools allow you to sign in with third-party OpenID Connect (OIDC) identity providers such as Salesforce or Ping Identity. To set up Auth0 as an OIDC provider, make sure that you have the following:

  • A Cognito user pool with an app client and domain name.
  • An Auth0 account with an Auth0 application.

Resolution

Create an Auth0 account

If you have an Auth0 account, then sign in. To create an Auth0 account, see Get Started on the Auth0 website.

Create an Auth0 application

Complete the following steps:

  1. Sign in to your developer account on the Auth0 website.
  2. Choose the Dashboard.
  3. In the navigation pane, from Applications, click Create application.
  4. In the dialog box, enter the name for the application. For example, App1.
  5. For Choose an application type, choose Single webpage applications, and then choose Create.
    Important: Note the Client ID, Client secret, and Domain values from the application Settings tab. You use them to configure the OIDC settings for the user pool in the next steps.
  6. In the Allowed callback URLs section of the Settings tab, you must add the callback URL of the Cognito domain for the user pool. The URL has the following format: https://<Cognito Domain>.auth.<region>.amazoncognito.com/oauth2/idpresponse.
  7. Click Save changes.

Configure OIDC settings for the user pool

Complete the following steps:

  1. Open the Cognito console.
  2. Choose User pools, and then select your user pool.
  3. Choose Social and external providers, and then choose Add identity provider.
  4. Choose OpenID Connect (OIDC).
  5. Enter the Provider name. Then, enter the Client ID and Client secret values from the Auth0 application.
  6. For Authorization scopes, enter Phone, Email, Openid, and Profile.
  7. Select the Attributes request method dropdown list, and then choose GET.
  8. For Issuer, add the domain name from the Auth0 console. For example, https://example.auth0.com.
  9. For Attribute mapping, create an attribute mapping for Email in the OIDC attribute section. The OIDC attribute email maps to the user pool attribute email.
  10. Click Add identity provider.

Configure app client settings for the user pool

Complete the following steps:

  1. Open the Cognito console.
  2. Choose App clients, and then open your app client.
  3. Select the Login pages tab.
  4. In the Managed login pages configuration section, select Edit.
  5. For Allow callback URLs, enter the URL of your integrated application.
  6. For Allow sign out URL, enter the URL that users are redirected to after they sign out.
  7. Open the Identity providers drop-down list, and then select the Auth0 and Cognito User Pool check boxes.
  8. For Allowed OAuth flows, you must select at least the Authorization code grant check box.
  9. For Allowed OAuth scopes, you must select at least the Email and Openid check boxes.
  10. Click Save changes.
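The two console procedures above (the OIDC provider and the app client settings) as one boto3 script. This is an added example, not code from the AWS article; the pool ID, app client ID, Auth0 client ID, callback and sign-out URLs are placeholders, and the Auth0 client secret is assumed to be in the AUTH0_CLIENT_SECRET environment variable.

```python
import os

def oidc_provider_params(user_pool_id, client_id, client_secret, issuer, name="Auth0"):
    """CreateIdentityProvider request mirroring steps 4-9 of the OIDC section."""
    # Cognito discovers the endpoints from <issuer>/.well-known/openid-configuration, so use the https origin only.
    if not issuer.startswith("https://") or issuer.endswith("/"):
        raise ValueError("issuer must look like https://<tenant>.auth0.com")
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": name,
        "ProviderType": "OIDC",
        "ProviderDetails": {
            "client_id": client_id,
            "client_secret": client_secret,
            "authorize_scopes": "phone email openid profile",  # step 6
            "attributes_request_method": "GET",                 # step 7
            "oidc_issuer": issuer,                              # step 8
        },
        "AttributeMapping": {"email": "email"},                 # step 9
    }

def app_client_params(user_pool_id, app_client_id, callback_urls, logout_urls, provider="Auth0"):
    """UpdateUserPoolClient request mirroring steps 5-9 of the app client section."""
    # UpdateUserPoolClient resets omitted attributes to their defaults, so send the full set of values.
    return {
        "UserPoolId": user_pool_id,
        "ClientId": app_client_id,
        "CallbackURLs": list(callback_urls),
        "LogoutURLs": list(logout_urls),
        "SupportedIdentityProviders": ["COGNITO", provider],
        "AllowedOAuthFlows": ["code"],             # Authorization code grant only
        "AllowedOAuthScopes": ["email", "openid"],
        "AllowedOAuthFlowsUserPoolClient": True,
    }

def main():
    import boto3  # imported here so the helpers above work without the SDK installed
    idp = boto3.client("cognito-idp")
    pool, app = "us-east-1_EXAMPLE", "APP_CLIENT_ID_PLACEHOLDER"   # placeholders
    secret = os.environ["AUTH0_CLIENT_SECRET"]  # keep the Auth0 secret out of source control
    idp.create_identity_provider(**oidc_provider_params(
        pool, "AUTH0_CLIENT_ID_PLACEHOLDER", secret, "https://example.auth0.com"))
    idp.update_user_pool_client(**app_client_params(
        pool, app, ["https://app.example.com/callback"], ["https://app.example.com/"]))

if __name__ == "__main__":
    main()
```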

Test the setup

Complete the following steps:

  1. Open the Cognito console.
  2. Choose Manage user pools.
  3. Open your user pool, and then select App clients.
  4. Select your app client, and then choose View login page.
  5. On the Hosted UI page, choose Auth0. When you are redirected to the Auth0 login page, sign in. The page then redirects to the callback URL that you specified in the app client settings.
  6. (Optional) Check the Auth0 user that was created in the users and groups settings of the user pool.

Related information

Configuring a user pool domain

AWS OFFICIAL
Updated 2 months ago