Integrate with Amazon Cognito

Amazon Cognito is a backend-as-a-service that lets you focus on developing the user experience for your application. To learn more and sign up for services, read Amazon Cognito.

First, you'll need to get some information about your application in Auth0:

1. Go to Auth0 Dashboard > Applications > Applications.

2. Select your application, and then switch to the Settings view.

3. Record the Domain and the Client ID.

In AWS, create a new identity provider (IdP):

1. Open the IAM Console, select Identity Providers in the left sidebar, and then select Create Provider.

2. Select OpenID Connect as the Provider Type.

3. For the Provider URL:

   1. Enter your Domain into the Audience field.

   2. Enter your Client ID into the ClientId field.

4. Use the certificate thumbprint to verify the server certificate of your IdP. To learn more, read Obtaining the Thumbprint for an OpenID Connect Identity Provider on AWS Docs.

5. Select Add Provider.

6. Navigate to your newly created provider and record the Provider ARN.

Next, generate the certificate thumbprint for your Auth0 tenant:

1. Retrieve your Auth0 tenant's certificate chain.

2. Isolate the last certificate in the chain. This should be the certificate of your root Certificate Authority (CA).

3. Using the CA certificate, compute the fingerprint.

4. Convert the fingerprint to a thumbprint by removing all of the colon (:) characters.

5. Use the computed thumbprint when calling the aws iam create-open-id-connect-provider command.

Create an Identity Pool in AWS to allow Cognito to use the Auth0 OIDC identity provider for authentication:

1. Sign in to the Cognito Console.

2. Select Federated Identities.

3. For Identity Pool Name, specify a name for the pool (for example, Auth0).

4. Under Authentication Providers, select the OpenID tab, then select the name of the provider you created in the previously.

5. Select Create Pool, and then select Allow to finish creating the new identity pool.

6. Under Dashboard, select Edit Identity Pool to view the Identity Pool ID.

7. Record the ARN of the IAM role that was automatically created. This value will be used when sending credentials to Cognito.

Cognito uses the public signing key from the OpenID Provider Metadata to validate the signature of the JSON Web Token (JWT).

Confirm that your Auth0 application is configured to use the RS256 signature algorithm:

1. Go to Auth0 Dashboard > Applications > Applications, select your application, and then switch to the Settings view.

2. Expand the Advanced Settings section, and then switch to the OAuth view.

3. Locate the JSON Web Token (JWT) Signature Algorithm field, and select RS256 from the dropdown menu.

4. Select Save Changes.

You can use the Auth0 Lock SDK to integrate Auth0 within your application.

Once the user logs in with Auth0, the next step is to send their credentials to Cognito. To learn more, read Open ID Connect providers (identity pools) on AWS Docs.

Cognito takes the ID token a user receives from Auth0, and uses it to generate unique Cognito IDs. When the user logs in to Cognito through Auth0, you can store information in Cognito that only they can access.

If you receive a "Invalid login token" error, confirm that the Auth0 application is configured to use the RS256 signature algorithm:

1. Go to Auth0 Dashboard > Applications > Applications, select your application, and then switch to the Settings view.

2. Expand the Advanced Settings section, and then switch to the OAuth view.

3. Locate the JSON Web Token (JWT) Signature Algorithm field, and select RS256 from the dropdown menu.