AWS Cognito: Instructions on how to create a user pool, resource server and app clients

ModelOp Center requires the following Amazon Cognito configurations when used with OAuth2:

  1. User pool

  2. Resource server

  3. App clients:

    1. gateway-service

    2. internal-client

    3. external-integration-client

User pool and gateway-service

Follow these steps to create the user pool and the gateway-service app client with the Amazon Cognito console:

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. In the upper right corner, choose “Create user pool”

  4. Step 1: Configure sign-in experience

    1. Provider types: “Cognito user pool”

    2. Cognito user pool sign-in options: Choose

      1. User name

      2. Email

    3. User name requirements: Make your selection based on your company policy

  5. Step 2: Configure security requirements

    1. Password policy: Make your selection based on your company policy

    2. Multi-factor authentication: “No MFA”

    3. User account recovery:

      1. Choose “Enable self-service account recovery - Recommended”

      2. Delivery method for user account recovery messages: Choose “Email only”

  6. Step 3: Configure sign-up experience

    1. Self-registration: Make your selection based on your company policy

    2. Cognito-assisted verification and confirmation: Make your selection based on your company policy

    3. Verifying attribute changes: Make your selection based on your company policy

    4. Required attributes: Select

      1. name

      2. given_name

      3. family_name

      4. email

  7. Step 4: Configure message delivery

    1. Email: Make your selection based on your company policy or choose “Send email with Cognito”

  8. Step 5: Integrate your app

    1. User pool name: Enter a name for your user pool

    2. Hosted authentication pages: Choose “Use the Cognito Hosted UI”

    3. Domain: Choose “Use a Cognito domain” and enter a domain prefix

    4. Initial app client:

      1. App type: Choose “Confidential Client”

      2. App client name: Enter “gateway-service”

      3. Client secret: Choose “Generate a client secret”

      4. Allowed callback URLs: Enter “https://<ModelOp-Center-Env>/login/oauth2/code/gateway-service”, where <ModelOp-Center-Env> is the host name of your ModelOp Center environment

    5. Advanced app client settings:

      1. Authentication flows: Keep the default values

      2. Refresh token expiration: Any

      3. Access token expiration: 480 minutes

      4. ID token expiration: 480 minutes

      5. Advanced security configurations: Choose

        1. Enable token revocation

        2. Prevent user existence errors

      6. Identity providers: Choose “Cognito user pool”

      7. OAuth 2.0 Grant Types: Select “Authorization code grant”

      8. OpenID Connect scopes: Select

        1. OpenID

        2. Email

        3. Profile

      9. Allowed sign-out URL: Enter “https://<ModelOp-Center-Env>/”

  9. Step 6: Review and create

    1. Review the user pool configuration and choose “Create user pool”

Resource server

Follow these steps to create a resource server in your user pool with the Amazon Cognito console:

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. Choose your existing user pool 

  4. Choose “App integration”

  5. Choose “Create resource server”

  6. Resource server:

    1. Enter a resource server name

    2. Enter a resource server identifier of “rs”

  7. Custom scopes: Enter a scope name of “modelop_client” (app clients refer to it by its full name, rs/modelop_client)

  8. Choose “Create resource server”

internal-client app

Follow these steps to create the internal-client app client in your user pool with the Amazon Cognito console:

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. Choose your existing user pool

  4. Choose “App integration”

  5. Choose “Create app client”

  6. App client

    1. App type: “Confidential client”

    2. App client name: Enter “internal-client”

    3. Client secret: Choose “Generate a client secret”

    4. Authentication flows: Keep the default values and also select ALLOW_USER_PASSWORD_AUTH (this lets a client authenticate with a user name and password sent directly to Cognito over TLS, instead of the SRP flow)

    5. Refresh token expiration: Any

    6. Access token expiration: 480 minutes

    7. ID token expiration: 480 minutes

    8. Advanced security configurations: Select

      1. Enable token revocation

      2. Prevent user existence errors

  7. Hosted UI settings

    1. Allowed callback URLs: None

    2. Allowed sign-out URLs - optional: None

    3. Identity providers: Select “Cognito user pool”

    4. OAuth 2.0 Grant Types: Select “Client credentials”

    5. Custom scopes: Select rs/modelop_client

    6. Attribute read and write permissions: Keep the default values

    7. Choose “Create app client”
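Once internal-client exists, a service obtains an access token from the pool's token endpoint with the client-credentials grant, and whatever receives that token (or the ID token that gateway-service receives after the authorization-code flow) has to check its claims. The following is an added example, not ModelOp Center code: it builds the token request for internal-client and checks the claims Cognito puts in both token kinds. It assumes the token's RS256 signature has already been verified against the pool's JWKS (https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json) with a JWT library; the pool id, client ids and sample tokens are constructed for the offline example.

```python
"""Token request for internal-client and claim checks for Cognito tokens.

Added example, not ModelOp Center code. Signature verification against the
pool's JWKS must happen BEFORE validate_claims() is trusted; this module
assumes it already has.
"""
import base64
import json
import time
from urllib.parse import urlencode


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def client_credentials_request(domain_prefix: str, region: str, client_id: str, client_secret: str):
    """(url, headers, body) of the call internal-client makes to the hosted-UI domain's token endpoint."""
    url = f"https://{domain_prefix}.auth.{region}.amazoncognito.com/oauth2/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "client_credentials", "scope": "rs/modelop_client"})
    return url, headers, body


def unverified_claims(token: str) -> dict:
    """Payload of a compact JWT. Only call this AFTER the signature has been verified."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_unsigned_token(claims: dict) -> str:
    """Constructed token for the offline sample below (alg none, empty signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def validate_claims(claims: dict, *, region: str, pool_id: str, client_ids: set,
                    required_scope: str = None, now: float = None) -> list:
    """Return the list of problems; an empty list means the token may be accepted.

    Access tokens carry client_id and a space-separated scope; ID tokens carry
    aud instead and never carry resource-server scopes, so an ID token can never
    satisfy required_scope.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{pool_id}":
        problems.append("issuer is not this user pool")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    use = claims.get("token_use")
    if use == "access":
        if claims.get("client_id") not in client_ids:
            problems.append("client_id is not one of ours")
        if required_scope and required_scope not in claims.get("scope", "").split():
            problems.append(f"missing scope {required_scope}")
    elif use == "id":
        if claims.get("aud") not in client_ids:
            problems.append("aud is not one of our client ids")
        if required_scope:
            problems.append("ID token presented where an access token with a scope is required")
    else:
        problems.append("unknown token_use")
    return problems


def groups(claims: dict) -> list:
    """Cognito groups of the signed-in user; absent on client-credentials tokens."""
    return list(claims.get("cognito:groups", []))


# Constructed sample data: hypothetical pool and client ids, fixed clock.
REGION, POOL_ID = "us-east-1", "us-east-1_ExAmPlE1"
INTERNAL_CLIENT_ID = "1h57kf5cpq17m0eml12example"
GATEWAY_CLIENT_ID = "5ngm9pm5gk0v9s6b3example"
ISS = f"https://cognito-idp.{REGION}.amazonaws.com/{POOL_ID}"
NOW = 1_700_000_000
LIFETIME = 480 * 60  # the 480-minute token lifetime configured on this page

SERVICE_TOKEN = make_unsigned_token({  # shape of the access token internal-client receives
    "iss": ISS, "sub": INTERNAL_CLIENT_ID, "client_id": INTERNAL_CLIENT_ID,
    "token_use": "access", "scope": "rs/modelop_client",
    "iat": NOW - 60, "exp": NOW - 60 + LIFETIME, "version": 2,
})
USER_ID_TOKEN = make_unsigned_token({  # shape of the ID token gateway-service receives
    "iss": ISS, "sub": "0b3f1c7e-0000-4000-8000-000000000001", "aud": GATEWAY_CLIENT_ID,
    "token_use": "id", "cognito:username": "alice", "email": "alice@example.com",
    "email_verified": True, "cognito:groups": ["modelop-admins"],
    "iat": NOW - 60, "exp": NOW - 60 + LIFETIME,
})
```

The two token kinds are deliberately not interchangeable: a resource protected by the rs/modelop_client scope must refuse an ID token even when it comes from the same pool, and a client-credentials token has no user and therefore no cognito:groups, so group-based authorisation applies only to tokens from the user-facing clients.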

external-integration-client

Follow these steps to create the external-integration-client app client in your user pool with the Amazon Cognito console:

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. Choose your existing user pool

  4. Choose “App integration”

  5. Choose “Create app client”

  6. App client

    1. App type: “Public client”

    2. App client name: Enter “external-integration-client”

    3. Client secret: Choose “Don’t generate a client secret”

    4. Authentication flows: Keep the default values

    5. Refresh token expiration: Any

    6. Access token expiration: 480 minutes

    7. ID token expiration: 480 minutes

    8. Advanced security configurations: Select

      1. Enable token revocation

      2. Prevent user existence errors

  7. Hosted UI settings

    1. Allowed callback URLs: Enter:

      1. https://<ModelOp-Center-Env>/jupyterOauth2ImplicitGrant.html

      2. https://<ModelOp-Center-Env>/modelOpWDC.html

      3. https://oauth.powerbi.com/views/oauthredirect.html

    2. Allowed sign-out URLs - optional: None

    3. Identity providers: Select “Cognito user pool”

    4. OAuth 2.0 Grant Types: Select “Implicit grant” and “Authorization code grant” (the implicit grant is used by the browser-based callback pages listed above; it returns tokens directly in the redirect URL fragment, so leave token revocation enabled for this client)

    5. OpenID Connect scopes: Select 

      1. OpenID

      2. Email

      3. Profile

    6. Custom scopes: None

    7. Attribute read and write permissions: Keep the default values

    8. Choose “Create app client”
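The resource server and the three app clients above, expressed as boto3 calls so that the configuration can be reviewed and repeated rather than clicked through. This is an added example, not part of ModelOp Center's own tooling or documentation. It assumes the user pool and its Cognito domain already exist, that the environment holds AWS credentials permitted to call cognito-idp, and, because the page leaves both at the console defaults, a 30-day refresh token lifetime and the two pre-selected authentication flows ALLOW_USER_SRP_AUTH and ALLOW_REFRESH_TOKEN_AUTH; adjust those to match your console. The builder functions return the exact request parameters, so the security-relevant settings (client secret, grant types, scopes, token revocation, user existence errors) can be checked before anything is created.

```python
"""Create the ModelOp Center resource server and app clients with boto3.

Added example, not ModelOp Center tooling. Assumes the user pool and its
hosted-UI domain already exist. Refresh-token lifetime and the default
authentication flows are assumptions (the page keeps console defaults).
"""
from __future__ import annotations

# Auth flows the console pre-selects for a new app client (assumed; check yours).
DEFAULT_AUTH_FLOWS = ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"]

RESOURCE_SERVER_ID = "rs"
CUSTOM_SCOPE = "modelop_client"
TOKEN_MINUTES = 480  # access- and ID-token lifetime from the page
REFRESH_DAYS = 30    # assumption: the page says "Any"


def resource_server_params(pool_id: str) -> dict:
    """CreateResourceServer request: identifier rs with the custom scope modelop_client."""
    return {
        "UserPoolId": pool_id,
        "Identifier": RESOURCE_SERVER_ID,
        "Name": "ModelOp Center",  # any display name; the identifier is what clients reference
        "Scopes": [{"ScopeName": CUSTOM_SCOPE,
                    "ScopeDescription": "Service-to-service access to ModelOp Center"}],
    }


def _common_client_params(pool_id: str, name: str, confidential: bool) -> dict:
    """Settings every client on the page shares: lifetimes, revocation, user-existence errors."""
    return {
        "UserPoolId": pool_id,
        "ClientName": name,
        "GenerateSecret": confidential,  # confidential clients get a secret, public ones do not
        "AccessTokenValidity": TOKEN_MINUTES,
        "IdTokenValidity": TOKEN_MINUTES,
        "RefreshTokenValidity": REFRESH_DAYS,
        "TokenValidityUnits": {"AccessToken": "minutes", "IdToken": "minutes", "RefreshToken": "days"},
        "EnableTokenRevocation": True,
        "PreventUserExistenceErrors": "ENABLED",
        "SupportedIdentityProviders": ["COGNITO"],
        "AllowedOAuthFlowsUserPoolClient": True,
        # ReadAttributes/WriteAttributes omitted: the page keeps the defaults
    }


def gateway_service_params(pool_id: str, env_host: str) -> dict:
    """gateway-service: confidential, authorization-code grant, OIDC scopes, login/logout URLs."""
    p = _common_client_params(pool_id, "gateway-service", confidential=True)
    p.update({
        "ExplicitAuthFlows": list(DEFAULT_AUTH_FLOWS),
        "AllowedOAuthFlows": ["code"],
        "AllowedOAuthScopes": ["openid", "email", "profile"],
        "CallbackURLs": [f"https://{env_host}/login/oauth2/code/gateway-service"],
        "LogoutURLs": [f"https://{env_host}/"],
    })
    return p


def internal_client_params(pool_id: str) -> dict:
    """internal-client: confidential, client-credentials grant, custom scope only, no callbacks."""
    p = _common_client_params(pool_id, "internal-client", confidential=True)
    p.update({
        "ExplicitAuthFlows": DEFAULT_AUTH_FLOWS + ["ALLOW_USER_PASSWORD_AUTH"],
        "AllowedOAuthFlows": ["client_credentials"],
        "AllowedOAuthScopes": [f"{RESOURCE_SERVER_ID}/{CUSTOM_SCOPE}"],  # no OIDC scopes here
    })
    return p


def external_integration_client_params(pool_id: str, env_host: str) -> dict:
    """external-integration-client: public, implicit + code grants, browser callback pages."""
    p = _common_client_params(pool_id, "external-integration-client", confidential=False)
    p.update({
        "ExplicitAuthFlows": list(DEFAULT_AUTH_FLOWS),
        "AllowedOAuthFlows": ["implicit", "code"],
        "AllowedOAuthScopes": ["openid", "email", "profile"],
        "CallbackURLs": [
            f"https://{env_host}/jupyterOauth2ImplicitGrant.html",
            f"https://{env_host}/modelOpWDC.html",
            "https://oauth.powerbi.com/views/oauthredirect.html",
        ],
    })
    return p


def create_all(pool_id: str, env_host: str) -> dict[str, str]:
    """Apply the four calls in order (resource server first so its scope can be granted)."""
    import boto3  # imported here so the builders above are usable without boto3 installed
    idp = boto3.client("cognito-idp")
    idp.create_resource_server(**resource_server_params(pool_id))
    client_ids = {}
    for params in (gateway_service_params(pool_id, env_host),
                   internal_client_params(pool_id),
                   external_integration_client_params(pool_id, env_host)):
        resp = idp.create_user_pool_client(**params)
        client_ids[params["ClientName"]] = resp["UserPoolClient"]["ClientId"]
    return client_ids


if __name__ == "__main__":
    import sys
    print(create_all(sys.argv[1], sys.argv[2]))  # <user-pool-id> <ModelOp-Center-Env host name>
```

Run it as `python create_modelop_clients.py <user-pool-id> <ModelOp-Center-Env>`; the second argument is the host name that replaces <ModelOp-Center-Env> in the callback and sign-out URLs. The client secrets are returned by CreateUserPoolClient and can also be read back with DescribeUserPoolClient; they are not printed here.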

Additional notes

Cognito users

Follow these steps to create a user in your user pool with the Amazon Cognito console:

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. Choose your existing user pool

  4. Choose “Users”

  5. Choose “Create user”

  6. User information

    1. Alias attributes used to sign in: Choose

      1. User name

      2. Email

    2. Invitation message: Choose “Don't send an invitation”

    3. User name: Enter a user name

    4. Email address - optional: Enter an email address

    5. Select “Mark email address as verified”

    6. Temporary password: Choose “Set a password”

    7. Password: Enter a temporary password

    8. Choose “Create user”

Cognito groups

Follow these steps to create a group in your user pool with the Amazon Cognito console:

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. Choose your existing user pool

  4. Choose “Groups”

  5. Choose “Create group”

  6. Group information

    1. Group name: Enter a group name

    2. Choose “Create group”

Assign Cognito user to a Cognito group

Follow these steps to assign a user to a group in your user pool with the Amazon Cognito console:

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. Choose your existing user pool

  4. Choose “Groups”

  5. Choose an existing group

  6. Choose “Add user to group”

  7. Choose an existing user

  8. Choose “Add”