Setting up an OIDC provider as an identity pool IdP
OpenID Connect
Adding an OpenID Connect provider
For information about how to create an OpenID Connect provider, see Creating OpenID Connect (OIDC) identity providers in the Amazon Identity and Access Management User Guide.
Associating a provider with Amazon Cognito
To add an OIDC identity provider (IdP)

- Choose Identity pools from the Amazon Cognito console. Select an identity pool.
- Choose the User access tab.
- Select Add identity provider.
- Choose OpenID Connect (OIDC).
- Choose an OIDC identity provider from the IAM IdPs in your Amazon Web Services account. If you want to add a new OIDC provider, choose Create new provider to navigate to the IAM console.
- To set the role that Amazon Cognito requests when it issues credentials to users who have authenticated with this provider, configure Role settings.
    - You can assign users from that IdP the Default role that you set up when you configured your Authenticated role, or you can Choose role with rules.
    - If you chose Choose role with rules, enter the source Claim from your user's authentication, the Operator that you want to compare the claim by, the Value that will cause a match to this role choice, and the Role that you want to assign when the Role assignment matches. Select Add another to create an additional rule based on a different condition.
    - Choose a Role resolution. When your user's claims don't match any of your rules, you can deny credentials or issue credentials for your Authenticated role.
- To change the principal tags that Amazon Cognito assigns when it issues credentials to users who have authenticated with this provider, configure Attributes for access control.
    - To apply no principal tags, choose Inactive.
    - To apply principal tags based on the sub and aud claims, choose Use default mappings.
    - To create your own custom schema of attributes to principal tags, choose Use custom mappings. Then enter a Tag key that you want to source from each Claim that you want to represent in a tag.
- Select Save changes.
You can associate multiple OpenID Connect providers with a single identity pool.
Using OpenID Connect
Refer to your provider's documentation for how to log in and receive an ID token.
After you have a token, add the token to the logins map. Use the URI of your provider (the provider name that you registered in IAM, such as login.provider.com, without a scheme) as the key.
Validating an OpenID Connect token
When you first integrate with Amazon Cognito, you might receive an InvalidToken exception. It is important to understand how Amazon Cognito validates OpenID Connect (OIDC) tokens.
Note
As specified here (https://tools.ietf.org/html/rfc7523), Amazon Cognito checks the following:
- The iss parameter must match the key that the logins map uses (such as login.provider.com).
- The signature must be valid. The signature must be verifiable via an RSA public key.
- The fingerprint of the certificate public key matches the fingerprint that you set in IAM when you created your OIDC provider.
- If the azp parameter is present, check this value against the listed client IDs in your OIDC provider.
- If the azp parameter isn't present, check the aud parameter against the listed client IDs in your OIDC provider.
The website jwt.io
Android
    Map<String, String> logins = new HashMap<String, String>();
    logins.put("login.provider.com", token);
    credentialsProvider.setLogins(logins);
iOS - Objective-C
    credentialsProvider.logins = @{ @"login.provider.com": token };
iOS - Swift
To provide the OIDC ID token to Amazon Cognito, implement the AWSIdentityProviderManager protocol.
When you implement the logins method, return a dictionary whose key is the OIDC provider name that you configured and whose value is the current ID token from the authenticated user, as shown in the following code example.
    class OIDCProvider: NSObject, AWSIdentityProviderManager {
        func logins() -> AWSTask<NSDictionary> {
            let completion = AWSTaskCompletionSource<NSString>()
            getToken(tokenCompletion: completion)
            return completion.task.continueOnSuccessWith { (task) -> AWSTask<NSDictionary>? in
                // login.provider.name is the name of the OIDC provider as set up in the Amazon Cognito console
                return AWSTask(result: ["login.provider.name": task.result!])
            } as! AWSTask<NSDictionary>
        }

        func getToken(tokenCompletion: AWSTaskCompletionSource<NSString>) -> Void {
            // Get a valid OIDC token from your server, or, if you have a cached one that hasn't expired, return it.
            // TODO: code to get the token from your server
            // ...
            let idToken: String? = nil // replace with the ID token obtained above
            if let idToken = idToken {
                tokenCompletion.set(result: idToken as NSString)
            } else {
                // If there was an error getting the token, set the error appropriately.
                tokenCompletion.set(error: NSError(domain: "OIDC Login", code: -1, userInfo: ["Unable to get OIDC token": "Details about your error"]))
            }
        }
    }
When you instantiate the AWSCognitoCredentialsProvider, pass the class that implements AWSIdentityProviderManager as the value of identityProviderManager in the constructor. For more information, go to the AWSCognitoCredentialsProvider reference page and choose initWithRegionType:identityPoolId:identityProviderManager.
JavaScript
    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
        IdentityPoolId: 'IDENTITY_POOL_ID',
        Logins: {
            'login.provider.com': token
        }
    });
Unity
credentials.AddLogin("login.provider.com", token);
Xamarin
credentials.AddLogin("login.provider.com", token);