Integrate with Amazon Cognito
Amazon Cognito is a backend-as-a-service that lets you focus on developing the user experience for your application. To learn more and sign up for services, read Amazon Cognito.
Configure Amazon Web Services
Get Auth0 application details
First, you'll need to get some information about your application in Auth0:
Select your application, and then switch to the Settings view.
Record the Domain and the Client ID.
Create new OpenID Connect (OIDC) provider
In AWS, create a new identity provider (IdP):
Open the IAM Console, select Identity Providers in the left sidebar, and then select Create Provider.
Select OpenID Connect as the Provider Type.
For the Provider URL:
Enter your Domain into the Audience field.
Enter your Client ID into the ClientId field.
Use the certificate thumbprint to verify the server certificate of your IdP. To learn more, read Obtaining the Thumbprint for an OpenID Connect Identity Provider on AWS Docs.
Select Add Provider.
Navigate to your newly created provider and record the Provider ARN.
Get Auth0 tenant certificate thumbprint
Next, generate the certificate thumbprint for your Auth0 tenant:
Retrieve your Auth0 tenant's certificate chain.
Isolate the last certificate in the chain. This should be the certificate of your root Certificate Authority (CA).
Using the CA certificate, compute the fingerprint.
Convert the fingerprint to a thumbprint by removing all of the colon (:) characters. Use the computed thumbprint when calling the aws iam create-open-id-connect-provider command.
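The steps above worked in code, as an added example that is not part of the original page: given a PEM certificate chain (such as the one printed by openssl s_client -showcerts against your tenant's domain), it isolates the last certificate, computes the SHA-1 fingerprint of its DER encoding and strips the colons to get the AWS thumbprint. The two blocks in SAMPLE_CHAIN are constructed placeholders, not real certificates, so the script runs offline.

```python
import base64
import hashlib
import re

# One PEM certificate block; group 1 is its base64 body. A chain as printed by
# "openssl s_client -showcerts" contains several such blocks, leaf first.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample chain: the bodies are placeholder bytes, not real
# certificates. The last block (standing in for the root CA) decodes to b"abc".
SAMPLE_CHAIN = """\
-----BEGIN CERTIFICATE-----
bGVhZg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

def pem_chain_to_der(chain_text: str) -> list:
    """DER bytes of every certificate in the chain, in the order they appear."""
    bodies = _PEM_RE.findall(chain_text)
    if not bodies:
        raise ValueError("no PEM certificate blocks found")
    return [base64.b64decode("".join(body.split())) for body in bodies]

def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-1 fingerprint, as 'openssl x509 -sha1 -fingerprint' prints it."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 40, 2))

def fingerprint_to_thumbprint(fingerprint: str) -> str:
    """AWS expects the fingerprint with the colons removed: 40 hex characters."""
    thumbprint = fingerprint.replace(":", "")
    if len(thumbprint) != 40 or set(thumbprint) - set("0123456789ABCDEF"):
        raise ValueError(f"not a SHA-1 fingerprint: {fingerprint!r}")
    return thumbprint

def thumbprint_for_provider(chain_text: str) -> str:
    """Thumbprint of the last certificate in the chain, which should be the root CA."""
    root_der = pem_chain_to_der(chain_text)[-1]
    return fingerprint_to_thumbprint(sha1_fingerprint(root_der))

if __name__ == "__main__":
    # This value goes to --thumbprint-list of aws iam create-open-id-connect-provider.
    print(thumbprint_for_provider(SAMPLE_CHAIN))
```

Before trusting the result, confirm that the last block really is the root CA certificate (check its subject and issuer with openssl x509 -noout -subject -issuer); a chain that omits the root will yield the thumbprint of an intermediate instead.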
Create Identity Pool
Create an Identity Pool in AWS to allow Cognito to use the Auth0 OIDC identity provider for authentication:
Sign in to the Cognito Console.
Select Federated Identities.
For Identity Pool Name, specify a name for the pool (for example, Auth0). Under Authentication Providers, select the OpenID tab, then select the name of the provider you created previously.
Select Create Pool, and then select Allow to finish creating the new identity pool.
Under Dashboard, select Edit Identity Pool to view the Identity Pool ID.
Record the ARN of the IAM role that was automatically created. This value will be used when sending credentials to Cognito.
Configure Auth0
Cognito uses the public signing key from the OpenID Provider Metadata to validate the signature of the JSON Web Token (JWT).
Confirm that your Auth0 application is configured to use the RS256 signature algorithm:
Go to Auth0 Dashboard > Applications > Applications, select your application, and then switch to the Settings view.
Expand the Advanced Settings section, and then switch to the OAuth view.
Locate the JSON Web Token (JWT) Signature Algorithm field, and select RS256 from the dropdown menu.
Select Save Changes.
Implementation
You can use the Auth0 Lock SDK to integrate Auth0 within your application.
Once the user logs in with Auth0, the next step is to send their credentials to Cognito. To learn more, read Open ID Connect providers (identity pools) on AWS Docs.
Cognito takes the ID token a user receives from Auth0, and uses it to generate unique Cognito IDs. When the user logs in to Cognito through Auth0, you can store information in Cognito that only they can access.
Troubleshooting
"Invalid login token" error
If you receive an "Invalid login token" error, confirm that the Auth0 application is configured to use the RS256 signature algorithm:
Go to Auth0 Dashboard > Applications > Applications, select your application, and then switch to the Settings view.
Expand the Advanced Settings section, and then switch to the OAuth view.
Locate the JSON Web Token (JWT) Signature Algorithm field, and select RS256 from the dropdown menu.