cognito.md

Amazon Cognito IdP Setup

Amazon Cognito can be used as an IdP (Identity Provider) to secure the Amazon CloudFront Distribution created by this repository.

Configure Amazon Cognito

In order to get started, login to the AWS Console with an identity that has the ability to manage Amazon Cognito User Pools and App integrations.

1. Search for Cognito in the search bar and click on the Cognito service.
2. Click on Manage User Pools next:
3. Select an existing User Pool or Create a user pool by clicking on the Create a user pool button in the top-left corner of the page.
4. After selecting an existing Cognito User Pool or creating a new User Pool, navigate to App integration > App client settings on the left of the page:
5. On the App client settings page select the following: 5a. Enabled Identity Providers = check the Cognito User Pool
   5b. Sign in and sign out URLs = for Callback URL(s) provide the Amazon CloudFront distribution HTTPS endpoint with _callback appended to the end. Provide the appropriate Sign out URL(s) value that is suitable.
   5c. OAuth 2.0 = At the minimum for Allowed OAuth Flows check Authorization code grant. For Allowed OAuth Scopes check email and openid at the minimum.
6. After providing the necessary arguments click on Save changes.
7. On the next page, provide an appropriate Amaon Cognito domain endpoint:
8. Navigate back to the General settings and click on App Clients.
9. Create a new App client and provide it a name that is suitable for your Amazon CloudFront use-case. Select the appropriate Auth Flows Configuration and then click save.
10. Expand the newly-create App Client and copy the App client id and the App client secret into a secure location that can be later referenced.
11. Update the AWS Secrets Manager JSON configuration with these values and Base64 Encode the document.
12. Congratulations! You are ready to go!