OAuth 2.0, OpenID Connect, and SAML 2.0 federation endpoints reference - Amazon Cognito

OAuth 2.0, OpenID Connect, and SAML 2.0 federation endpoints reference

Amazon Cognito activates the endpoints in this section when you add a domain to your user pool. The federation endpoints aren't user-interactive. They perform a service role for your app to communicate with third-party OAuth 2.0, OIDC, and SAML 2.0 identity providers (IdPs).

The topics in this guide describe several frequently used OAuth 2.0 and OIDC endpoints. Amazon Cognito creates the following endpoints when you assign a domain to your user pool.

User pool federation endpoints

Endpoint URL: https://Your user pool domain/oauth2/authorize
  Description: Redirects a user to either the hosted UI or to sign in with their IdP.
  How it's accessed: Invoked in the customer's browser to begin user authentication. See Authorize endpoint.

Endpoint URL: https://Your user pool domain/oauth2/token
  Description: Returns tokens based on an authorization code or client credentials request.
  How it's accessed: Requested by the app to retrieve tokens. See Token endpoint.

Endpoint URL: https://Your user pool domain/oauth2/userInfo
  Description: Returns user attributes based on the OAuth 2.0 scopes and user identity in an access token.
  How it's accessed: Requested by the app to retrieve the user profile. See UserInfo endpoint.

Endpoint URL: https://Your user pool domain/oauth2/revoke
  Description: Revokes a refresh token and the associated access tokens.
  How it's accessed: Requested by the app to revoke a token. See Revoke endpoint.

Endpoint URL: https://cognito-idp.Region.amazonaws.com/your user pool ID/.well-known/openid-configuration
  Description: The OIDC discovery document that describes the OIDC configuration of your user pool.
  How it's accessed: Requested by the app to locate user pool issuer metadata.

Endpoint URL: https://cognito-idp.Region.amazonaws.com/your user pool ID/.well-known/jwks.json
  Description: Public keys that you can use to validate Amazon Cognito tokens.
  How it's accessed: Requested by the app to verify JWTs.

Endpoint URL: https://Your user pool domain/oauth2/idpresponse
  Description: Social identity providers must redirect your users to this endpoint with an authorization code. Amazon Cognito redeems the code for a token when it authenticates your federated user.
  How it's accessed: Redirected from OIDC IdP sign-in as the IdP client callback URL.

Endpoint URL: https://Your user pool domain/saml2/idpresponse
  Description: The Assertion Consumer Response (ACS) URL for integration with SAML 2.0 identity providers.
  How it's accessed: Redirected from the SAML 2.0 IdP as the ACS URL, or the origination point for IdP-initiated sign-in (1).

Endpoint URL: https://Your user pool domain/saml2/logout
  Description: The Single Logout (SLO) URL for integration with SAML 2.0 identity providers.
  How it's accessed: Redirected from the SAML 2.0 IdP as the single logout (SLO) URL. Accepts the POST binding only.

(1) For more information about IdP-initiated SAML sign-in, see Using IdP-initiated SAML sign-in.
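The two /.well-known endpoints in the table are what an app uses to verify Amazon Cognito JWTs. The following added example (not Amazon's code) derives those URLs from a Region and user pool ID, selects the JWKS key a token's header names, and applies the claim checks a Cognito token needs (iss, token_use, the app client in aud or client_id, exp). The Region, pool ID, client ID, JWKS entry and token are constructed placeholders, and the RS256 signature check itself is left to a JWT library of your choice.

```python
import base64
import json
import time
# Added example, not Amazon's code. RS256 signature verification is delegated to a JWT
# library of your choice; the sample pool ID, JWKS entry and tokens below are constructed.
def pool_endpoints(region, user_pool_id):
    """Issuer and /.well-known URLs for a user pool, as listed in the table above."""
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    return {"issuer": issuer,
            "openid_configuration": f"{issuer}/.well-known/openid-configuration",
            "jwks": f"{issuer}/.well-known/jwks.json"}

def b64url(data):            # base64url without padding, as JWT segments are encoded
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment):  # restore the padding that JWT segments strip
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_parts(token):        # decoded header and claims, raw signature for the library
    header, claims, signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(claims)), signature

def select_jwk(jwks, header):  # JWKS entry whose kid the header names; None rejects
    if header.get("alg") != "RS256":
        return None  # Cognito signs with RS256; reject anything else, including 'none'
    return next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)

def check_cognito_claims(claims, issuer, client_id, expected_use, now=None):
    """Return the failed checks; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the user pool issuer")
    if claims.get("token_use") != expected_use:
        problems.append(f"token_use is not {expected_use!r}")
    # ID tokens name the app client in 'aud'; access tokens name it in 'client_id'.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != client_id:
        problems.append("token was not issued to this app client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token is expired or carries no exp")
    return problems

# Constructed sample data in the documented shape (placeholder pool ID, no real key).
SAMPLE_ISSUER = pool_endpoints("us-east-1", "us-east-1_EXAMPLE")["issuer"]
SAMPLE_JWKS = {"keys": [{"kid": "key-1", "kty": "RSA", "alg": "RS256", "use": "sig"}]}

def sample_token(claims, kid="key-1", alg="RS256"):  # demo JWT, placeholder signature
    header = b64url(json.dumps({"alg": alg, "kid": kid}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder-signature"
```

Once select_jwk returns a key and check_cognito_claims returns an empty list, pass the key and the raw signature segment to your JWT library; only a token that passes both the signature check and these claim checks should be trusted.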

For more information on the OpenID Connect and OAuth standards, see OpenID Connect 1.0 and OAuth 2.0.