Using Google as an Identity provider in AWS Cognito

ryandam
4 min read · Oct 18, 2020

This post shows the setup required to use Google as an Identity provider in AWS Cognito.

Of late, login screens such as the one below are quite common. In addition to letting a user sign up and sign in with a user name/password, other options are provided, such as Continue with Google or Continue with Apple. If we click Continue with Google, we are presented with another screen where we enter our Gmail ID/password. If the credentials are correct, we are signed in to the original site we intended to log in to.

AWS Cognito supports this type of authentication, called Federated Identity. Let’s say we are creating a web application that we will deploy on AWS, and we would like to offer our users multiple types of authentication using AWS Cognito. We will see the steps to implement this.

Create a User pool

Add an App Client

Note: Uncheck the Generate client secret option. A client secret is only recommended for server-side code that can keep it confidential.

Configure a Domain

Configuration on Google side

Create a GCP project

Open https://cloud.google.com/ and go to the console. Create a new project.

Configure an application in GCP

Follow these screenshots and create an application.

Create Credentials

Here, Authorized JavaScript origins is the Cognito domain URL that was configured in the previous step.

Tell Cognito about the Google App ID

Change App settings

With this step, we have added Google as an Identity Provider in AWS Cognito.

Testing the setup

  • Open a web browser
  • Create a URL of this format and paste it into a browser window.
https://{DOMAIN_NAME}.auth.{REGION}.amazoncognito.com/login?response_type=token&client_id={CLIENT_ID}&redirect_uri=http://localhost:5000/
  • DOMAIN_NAME — It is the domain name supplied to Cognito
  • REGION — Region where Cognito is setup
  • CLIENT_ID — App client ID configured in Cognito
  • http://localhost:5000 — For testing purposes, a Flask web application is run locally.
  • response_type=token — We are requesting Cognito to return User Pool tokens directly. The other option is code, which returns an authorization code that is then exchanged for tokens.

After successful authentication and message exchange between AWS and Google, Cognito returns User Pool tokens.
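As an added example (not part of the original post), the following Python builds the Hosted UI login URL in the format above, parses the token response Cognito sends to the redirect URI, and checks the ID token's claims. It adds a `state` parameter, which the Cognito /login endpoint accepts and the post does not use; the sample ID token is constructed locally and unsigned, so signature verification against the user pool's JWKS is assumed to happen elsewhere.

```python
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

def build_login_url(domain, region, client_id, redirect_uri, state=None):
    """Hosted UI login URL in the format shown above, plus a random state the
    app stores and compares on return so a response cannot be replayed."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "token",  # implicit grant: tokens come back in the URL fragment
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    base = f"https://{domain}.auth.{region}.amazoncognito.com/login"
    return f"{base}?{urlencode(params)}", state

def parse_token_response(redirect_url):
    """Tokens arrive in the fragment (after '#'), which the browser never sends
    to the Flask server; a page script must read window.location.hash."""
    return {k: v[0] for k, v in parse_qs(urlparse(redirect_url).fragment).items()}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def check_id_token_claims(id_token, region, user_pool_id, client_id, now):
    """Claim checks done after verifying the RS256 signature against the pool's
    JWKS (not shown): issuer, audience, token_use, expiry. Empty list = OK."""
    claims = json.loads(_b64url_decode(id_token.split(".")[1]))
    expected_iss = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    if claims.get("aud") != client_id:
        problems.append("audience mismatch")
    if claims.get("token_use") != "id":
        problems.append("not an ID token")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    return problems

def make_unsigned_sample_token(claims):
    """CONSTRUCTED sample for offline testing only: alg=none, empty signature.
    Real Cognito tokens are RS256-signed and must be verified."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```

Because the implicit grant puts the tokens in the URL fragment, the local Flask app only sees them if browser-side script forwards them; with response_type=code the server receives a code on the query string instead and exchanges it with the /oauth2/token endpoint.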

What happens in Cognito User Pools

The screenshots below show that a user entry is added to Cognito User Pool.

Reference

Conclusion

This post talked about the configuration required in AWS Cognito in addition to the setup required in Google Cloud.

To better understand federated authentication, refer to the following:
