AWS Cognito Integration
This document provides a step-by-step guide to configure AWS Cognito as a Custom Identity Provider (IDP) using the OAuth workflow with your LoginRadius application.
Key Features
- OAuth 2.0 based secure login with AWS Cognito
- LoginRadius as the unified authentication interface
- Field-level user data mapping and transformation
- Works seamlessly with IDX and LoginRadius V2.js
Use-Cases
- Extend LoginRadius authentication to include AWS Cognito-managed users.
- Enable federated access for customers or partners already using Cognito.
- Centralize analytics and access control in LoginRadius while maintaining user pools in AWS.
Configuration
To set up AWS Cognito, follow these steps:
- Log into the AWS Console → Go to Services > Cognito
- Create a User Pool and define attributes such as email, phone, etc.
- Add an App Client (disable the client secret for SPAs, enable it for server apps)
- Set up a domain name under the domain section.
- In App client settings, enable OAuth 2.0 flows and add the LoginRadius callback URL: https://<APP_NAME>.hub.loginradius.com:443/socialauth/validate.sauth
- Create a test user under Users and Groups for verification.
- Note down:
  - Domain name, e.g., https://testlr.auth.us-east-1.amazoncognito.com
  - App Client ID and Secret
Once AWS Cognito is set up, configure the provider in LoginRadius as follows:
- Go to Authentication > Custom IDPs
- Click Add Custom IDP → Select Custom OAuth Provider and fill in the following:
| Field | Value |
|---|---|
| Provider Name | e.g., awscognito |
| Customer Login Endpoint | https://<your_domain>/oauth2/authorize |
| Access Token Endpoint | https://<your_domain>/oauth2/token |
| Application Key | Cognito App Client ID |
| Application Secret | Cognito App Client Secret |
| Scope | openid email |
| Response Type | code |
| Customer Profile Endpoint | https://<your_domain>/oauth2/userInfo |
| Request Token HTTP Method | POST |
- Header:
| Key | Value |
|---|---|
| Authorization | Bearer #accesstoken# |
- Data Mapping:
| Field | Value |
|---|---|
| ID | sub |
- Click Save to complete the setup.
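As an added example (not LoginRadius or AWS code), the settings from the tables above expressed as code: a validator for the best practices listed on this page, followed by the three requests made during the code flow (authorize redirect, token exchange, userInfo with the `#accesstoken#` header substituted) and the `ID`→`sub` data mapping. The client ID and secret are placeholders; the domain is the page's own example value.

```python
from urllib.parse import urlencode, urlparse

COGNITO_DOMAIN = "https://testlr.auth.us-east-1.amazoncognito.com"  # example domain from the page
CALLBACK = "https://<APP_NAME>.hub.loginradius.com:443/socialauth/validate.sauth"  # <APP_NAME> is a placeholder

# Custom OAuth Provider fields exactly as entered in the LoginRadius table
PROVIDER = {
    "Customer Login Endpoint": f"{COGNITO_DOMAIN}/oauth2/authorize",
    "Access Token Endpoint": f"{COGNITO_DOMAIN}/oauth2/token",
    "Customer Profile Endpoint": f"{COGNITO_DOMAIN}/oauth2/userInfo",
    "Application Key": "EXAMPLE_CLIENT_ID",          # placeholder, not a real client ID
    "Application Secret": "EXAMPLE_CLIENT_SECRET",   # placeholder, not a real secret
    "Scope": "openid email",
    "Response Type": "code",
    "Request Token HTTP Method": "POST",
}
HEADER_TEMPLATE = {"Authorization": "Bearer #accesstoken#"}
DATA_MAPPING = {"ID": "sub"}

def validate(cfg):
    """Return the list of best-practice violations (empty when the config is sound)."""
    problems = []
    for key in ("Customer Login Endpoint", "Access Token Endpoint", "Customer Profile Endpoint"):
        if urlparse(cfg[key]).scheme != "https":
            problems.append(f"{key} is not HTTPS")
    if set(cfg["Scope"].split()) - {"openid", "email"}:
        problems.append("Scope requests more than openid/email")
    if cfg["Response Type"] != "code":
        problems.append("Response Type must be 'code' for the authorization code flow")
    return problems

def authorize_url(cfg, state):
    """Step 1: the redirect to Cognito's hosted login page; state ties the callback to this request."""
    params = {"client_id": cfg["Application Key"], "response_type": cfg["Response Type"],
              "scope": cfg["Scope"], "redirect_uri": CALLBACK, "state": state}
    return f"{cfg['Customer Login Endpoint']}?{urlencode(params)}"

def token_request(cfg, code):
    """Step 2: endpoint and form body of the POST that exchanges the code for tokens."""
    return cfg["Access Token Endpoint"], {
        "grant_type": "authorization_code", "code": code, "redirect_uri": CALLBACK,
        "client_id": cfg["Application Key"], "client_secret": cfg["Application Secret"]}

def profile_request(cfg, access_token):
    """Step 3: the userInfo call, with #accesstoken# replaced by the real token."""
    headers = {k: v.replace("#accesstoken#", access_token) for k, v in HEADER_TEMPLATE.items()}
    return cfg["Customer Profile Endpoint"], headers

def map_profile(userinfo):
    """Apply the Data Mapping table to a userInfo response (sub becomes the LoginRadius ID)."""
    return {field: userinfo[claim] for field, claim in DATA_MAPPING.items()}
```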
Integration Details
To verify the configuration:
- Go to https://<APP_NAME>.hub.loginradius.com/
- Click on the AWS Cognito login option.
- You’ll be redirected to the Cognito login page.
- Enter credentials for your test user.
- Upon success, the user is redirected to LoginRadius IDX with a valid session.
Best Practices
- Always use HTTPS for all endpoint URLs.
- Use dedicated user pools for each environment (dev, staging, prod).
- Keep your App Client secrets secure and rotate them periodically.
- Restrict scopes to only the required fields (e.g., email openid).
- Test thoroughly using sandbox user pools before production rollout.