OAuth 2.0, OpenID Connect, and SAML 2.0 federation endpoints reference
Amazon Cognito activates the endpoints in this section when you add a domain to your user pool. The federation endpoints are not user-interactive: they do the service work that lets your app communicate with third-party OAuth 2.0, OIDC, and SAML 2.0 identity providers (IdPs).
The topics in this guide describe several frequently used OAuth 2.0 and OIDC endpoints. Amazon Cognito creates the following endpoints when you assign a domain to your user pool.
User pool federation endpoints

| Endpoint URL | Description | How it's accessed |
|---|---|---|
| https://Your user pool domain/oauth2/authorize | Redirects a user to either the hosted UI or to sign in with their IdP. | Invoked in the user's browser to begin user authentication. See Authorize endpoint. |
| https://Your user pool domain/oauth2/token | Returns tokens based on an authorization code or client credentials request. | Requested by the app to retrieve tokens. See Token endpoint. |
| https://Your user pool domain/oauth2/userInfo | Returns user attributes based on the OAuth 2.0 scopes and user identity in an access token. | Requested by the app to retrieve the user profile. See UserInfo endpoint. |
| https://Your user pool domain/oauth2/revoke | Revokes a refresh token and the access tokens associated with it. | Requested by the app to revoke a token. See Revoke endpoint. |
| https://cognito-idp.Region.amazonaws.com/your user pool ID/.well-known/openid-configuration | The OpenID Connect discovery document for your user pool: its issuer, its endpoint URLs, and the location of its JWKS. | Requested by the app to locate user pool issuer metadata. |
| https://cognito-idp.Region.amazonaws.com/your user pool ID/.well-known/jwks.json | The JSON Web Key Set (JWKS) of public keys that you use to verify the signatures of tokens issued by the user pool. | Requested by the app to verify JWTs. |
| https://Your user pool domain/oauth2/idpresponse | Social and OIDC identity providers must redirect your users to this endpoint with an authorization code. Amazon Cognito redeems the code for tokens when it authenticates your federated user. | Redirected from OIDC IdP sign-in as the IdP client callback URL. |
| https://Your user pool domain/saml2/idpresponse | The Assertion Consumer Service (ACS) URL for integration with SAML 2.0 identity providers. | Redirected from the SAML 2.0 IdP as the ACS URL, or the origination point for IdP-initiated sign-in¹. |
| https://Your user pool domain/saml2/logout | The Single Logout (SLO) URL for integration with SAML 2.0 identity providers. | Redirected from the SAML 2.0 IdP as the SLO URL. Accepts the POST binding only. |

¹ For more information about IdP-initiated SAML sign-in, see Using IdP-initiated SAML sign-in.
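Verifying a token against the two .well-known endpoints in the table is the step that resource servers most often get wrong, so what follows is an added Go example; it is not part of the Amazon Cognito documentation or of any AWS library. It generates an RSA key pair locally, publishes the public key in the JSON shape that jwks.json serves, mints an RS256 access token with the claims a user pool sets (iss, client_id, token_use, exp), and then verifies a token the way a resource server should: select the key by kid, pin alg to RS256, check the signature before trusting any claim, then compare iss, client_id and token_use against the expected pool and app client and reject expired tokens. The issuer URL, pool ID and app client ID are constructed placeholders, as is the second "rogue" key used to show that a token signed by a key outside the JWKS is rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed placeholders (not from the page): the pool's issuer URL, which is also the
// base of its .well-known endpoints, and an app client ID.
const issuer = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
const appClient = "1example23456789"
var b64 = base64.RawURLEncoding

// publishJWKS renders one RSA public key in the shape jwks.json serves.
func publishJWKS(kid string, pub *rsa.PublicKey) []byte {
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kid": kid, "kty": "RSA",
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return out
}

// mintToken signs an RS256 JWT, standing in for a token returned by /oauth2/token.
func mintToken(kid string, priv *rsa.PrivateKey, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// verifyAccessToken validates a token against a JWKS document: select the key by kid, pin
// alg to RS256, verify the signature first, then check iss, token_use, client_id and exp.
func verifyAccessToken(token string, jwksJSON []byte, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(hdrRaw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unreadable header or alg is not RS256")
	}
	var set struct{ Keys []struct{ Kid, Kty, N, E string } } // JSON field matching is case-insensitive
	_ = json.Unmarshal(jwksJSON, &set)                        // a malformed JWKS leaves Keys empty
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		nb, errN := b64.DecodeString(k.N)
		eb, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid")
	}
	bodyRaw, err := b64.DecodeString(parts[1])
	var claims map[string]any
	if err != nil || json.Unmarshal(bodyRaw, &claims) != nil {
		return nil, fmt.Errorf("unreadable claims")
	}
	if claims["iss"] != issuer || claims["token_use"] != "access" || claims["client_id"] != appClient {
		return nil, fmt.Errorf("token was not issued by this pool for this app client as an access token")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("token expired or exp missing")
	}
	return claims, nil
}

// demo mints a valid token, an expired one, and one signed by a key absent from the JWKS,
// and reports whether the verifier accepted the first and rejected the other two.
func demo() (validAccepted, expiredRejected, unknownKeyRejected bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048)
	set, now := publishJWKS("key-1", &priv.PublicKey), time.Now()
	claims := func(exp time.Time) map[string]any {
		return map[string]any{"iss": issuer, "client_id": appClient, "token_use": "access", "exp": exp.Unix()}
	}
	_, err := verifyAccessToken(mintToken("key-1", priv, claims(now.Add(time.Hour))), set, now)
	validAccepted = err == nil
	_, err = verifyAccessToken(mintToken("key-1", priv, claims(now.Add(-time.Minute))), set, now)
	expiredRejected = err != nil
	_, err = verifyAccessToken(mintToken("key-1", rogue, claims(now.Add(time.Hour))), set, now)
	unknownKeyRejected = err != nil
	return
}
func main() { fmt.Println(demo()) }
```

In production, fetch jwks.json from the issuer host shown in the table, cache it, and refresh it when a token arrives with an unknown kid rather than on every request. ID tokens are verified the same way, except that token_use must be "id" and the app client ID is carried in the aud claim instead of client_id.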
For more information on the OpenID Connect and OAuth standards, see OpenID Connect 1.0