You are right that the OAuth settings for the UserPool client do not have much to do with the OAuth process with Google.
As we discussed in your earlier question, Cognito interacts with Google as needed. Actually, whether it is Google (or other social IdPs) or SAML or general OAuth/OIDC providers, Cognito handles that for you, so your application has one interface (Cognito) to work with, independent of the different IdPs.
Towards your application, Cognito uses the OAuth/OIDC flow to interact with your app when the hosted UI is used to authenticate the user (again, independent of whether, or which type of, external IdP is used). That's why you are defining the corresponding parameters like the callback URL under the "Hosted UI" section of an "App Client" configuration.
Thanks for clarifying that those are 2 different things in Cognito:
Even though a user pool domain should be good enough for Google login, it seems that a Hosted UI is required on top for Google login (for whatever reason). Getting this error in the browser otherwise:
OAuthNotConfigureException: oauth param not configured.
(I'm just guessing: maybe Cognito needs the callback URL of the Hosted UI when it has finished fetching user data from Google. Otherwise Cognito maybe could not inform my web app that it has finished with the Google login?)
The callback URL is needed because after Cognito successfully interacts with the external IdP, it will deliver the authorization code or tokens (depending on the grant type(s) configured and used) to your app by redirecting the user to this URL. That callback URL is part of your app, though it is configured under "Hosted UI". You can skip the "UI" (login page) itself by telling Cognito to send the user directly to the IdP, but at the end Cognito needs to deliver the authorization code or tokens to your app.
Check this video for a sequence diagram of the flow and an explanation (the diagram in the video is more elaborate than the one in the user doc https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html):
https://www.youtube.com/watch?v=WgvVxKf2CFc (the sequence flow explanation starts at 12:20; the flow described is the authorization code grant flow).
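The app side of the authorization code flow described in this answer, as an added example that is not part of the original thread or any AWS code: it builds the Cognito `/oauth2/authorize` request (with `identity_provider=Google` to skip the hosted login page, plus PKCE and `state`), validates the redirect that arrives at the callback URL, and prepares the `/oauth2/token` exchange. The domain, client id and callback URL are placeholders; no network call is made.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholders: replace with your user pool domain/region and app client values.
COGNITO_DOMAIN = "https://example-domain.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "EXAMPLE_APP_CLIENT_ID"
CALLBACK_URL = "https://app.example.com/callback"  # must match the Hosted UI callback URL

def pkce_pair():
    """Return (code_verifier, code_challenge) per RFC 7636, S256 method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge

def build_authorize_url(state, code_challenge, identity_provider="Google"):
    """Authorize request; identity_provider=Google sends the user straight to Google."""
    params = {
        "response_type": "code",              # authorization code grant
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,         # where Cognito delivers the code
        "scope": "openid email profile",
        "state": state,                       # CSRF/replay protection, checked on return
        "code_challenge_method": "S256",
        "code_challenge": code_challenge,
        "identity_provider": identity_provider,
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"

def parse_callback(callback_url, expected_state):
    """Validate the redirect Cognito sends to CALLBACK_URL and return the code."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != CALLBACK_URL:
        raise ValueError("callback arrived at an unexpected URL")
    qs = parse_qs(parsed.query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: rejecting callback")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]

def token_request(code, code_verifier):
    """Form body for POST {COGNITO_DOMAIN}/oauth2/token (send as x-www-form-urlencoded)."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,         # must equal the one used in /oauth2/authorize
        "code": code,
        "code_verifier": code_verifier,
    }
```

The `state` value and the PKCE verifier must be stored server-side (or in a session) between the redirect and the callback; a mismatch means the callback did not originate from the flow your app started.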