Amazon Cognito: How-to

Create a user pool and the gateway-service app client

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. In the upper right corner, choose “Create user pool”

  4. Step 1: Configure sign-in experience

    1. Provider types: “Cognito user pool”

    2. Cognito user pool sign-in options: Choose

      1. User name

      2. Email

    3. User name requirements: Make your selection based on your company policy

  5. Step 2: Configure security requirements

    1. Password policy: Make your selection based on your company policy

    2. Multi-factor authentication: “No MFA”

    3. User account recovery:

      1. Choose “Enable self-service account recovery - Recommended”

      2. Delivery method for user account recovery messages: Choose “Email only”

  6. Step 3: Configure sign-up experience

    1. Self-registration: Make your selection based on your company policy

    2. Cognito-assisted verification and confirmation: Make your selection based on your company policy

    3. Verifying attribute changes: Make your selection based on your company policy

    4. Required attributes: Select

      1. name

      2. given_name

      3. family_name

      4. email

  7. Step 4: Configure message delivery

    1. Email: Make your selection based on your company policy or choose “Send email with Cognito”

  8. Step 5: Integrate your app

    1. User pool name: Enter a name for your user pool

    2. Hosted authentication pages: Choose “Use the Cognito Hosted UI”

    3. Domain: Choose “Use a Cognito domain” and enter a domain prefix

    4. Initial app client:

      1. App type: Choose “Confidential Client”

      2. App client name: Enter gateway-service

      3. Client secret: Choose “Generate a client secret”

      4. Allowed callback URLs: Enter <ModelOp Center URL>/login/oauth2/code/gateway-service

    5. Advanced app client settings:

      1. Authentication flows: Keep the default values

      2. Refresh token expiration: Any

      3. Access token expiration: 480 minutes

      4. ID token expiration: 480 minutes

      5. Advanced security configurations: Choose

        1. Enable token revocation

        2. Prevent user existence errors

      6. Identity providers: Choose “Cognito user pool”

      7. OAuth 2.0 Grant Types: Select “Authorization code grant”

      8. OpenID Connect scopes: Select

        1. OpenID

        2. Email

        3. Profile

      9. Allowed sign-out URL: Enter <ModelOp Center URL>/

  9. Step 6: Review and create

    1. Review the user pool configuration and choose “Create user pool”

Create a resource server

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. Choose your existing user pool

  4. Choose “App integration”

  5. Choose “Create resource server”

  6. Resource server:

    1. Enter a resource server name

    2. Enter a resource server identifier of rs

  7. Custom scopes: Enter a scope name of modelop_client

  8. Choose “Create resource server”

Create the internal-client app client

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. Choose your existing user pool

  4. Choose “App integration”

  5. Choose “Create app client”

  6. App client

    1. App type: “Confidential client”

    2. App client name: Enter internal-client

    3. Client secret: Choose “Generate a client secret”

    4. Authentication flows: Keep the default values and also select ALLOW_USER_PASSWORD_AUTH

    5. Refresh token expiration: Any

    6. Access token expiration: 480 minutes

    7. ID token expiration: 480 minutes

    8. Advanced security configurations: Select

      1. Enable token revocation

      2. Prevent user existence errors

  7. Hosted UI settings

    1. Allowed callback URLs: None

    2. Allowed sign-out URLs - optional: None

    3. Identity providers: Select “Cognito user pool”

    4. OAuth 2.0 Grant Types: Select “Client credentials”

    5. Custom scopes: Select rs/modelop_client

    6. Attribute read and write permissions: Keep the default values

    7. Choose “Create app client”

Create the external-integration-client app client

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. Choose your existing user pool

  4. Choose “App integration”

  5. Choose “Create app client”

  6. App client

    1. App type: “Public client”

    2. App client name: Enter external-integration-client

    3. Client secret: Choose “Don’t generate a client secret”

    4. Authentication flows: Keep the default values

    5. Refresh token expiration: Any

    6. Access token expiration: 480 minutes

    7. ID token expiration: 480 minutes

    8. Advanced security configurations: Select

      1. Enable token revocation

      2. Prevent user existence errors

  7. Hosted UI settings

    1. Allowed callback URLs: Enter:

      1. <ModelOp Center URL>/jupyterOauth2ImplicitGrant.html

      2. <ModelOp Center URL>/modelOpWDC.html

      3. https://oauth.powerbi.com/views/oauthredirect.html

    2. Allowed sign-out URLs - optional: None

    3. Identity providers: Select “Cognito user pool”

    4. OAuth 2.0 Grant Types: Select “Implicit grant”

    5. OpenID Connect scopes: Select

      1. OpenID

      2. Email

      3. Profile

    6. Custom scopes: None

    7. Attribute read and write permissions: Keep the default values

    8. Choose “Create app client”
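The three app clients and the resource server above are easy to mis-click in the console, and their settings (grant type, scopes, token lifetimes, token revocation, client secret) are what actually bound the access each client gets. The following Python is an added example, not ModelOp's or AWS's own code: it expresses each client as the parameters boto3's `cognito-idp` `create_user_pool_client` call takes, so the configuration can be created repeatably, and it includes a `drift()` check that compares the `UserPoolClient` dict returned by `describe_user_pool_client` against the expected shape. Assumptions: `MODELOP_URL` stands in for `<ModelOp Center URL>`; the console's "default" authentication flows are taken to be `ALLOW_USER_SRP_AUTH`, `ALLOW_REFRESH_TOKEN_AUTH` and `ALLOW_CUSTOM_AUTH`; "Refresh token expiration: Any" is pinned to 30 days here; `boto3` is imported only inside `apply()`, so the builders and the drift check run without AWS access.

```python
"""Added example (not ModelOp's or AWS's code): the how-to's Cognito resource
server and app clients as boto3 cognito-idp parameters, plus a drift check.
All values marked 'assumed' are not taken from the how-to."""

MODELOP_URL = "https://modelop.example.com"  # placeholder for <ModelOp Center URL>
RESOURCE_SERVER_ID = "rs"
CUSTOM_SCOPE = f"{RESOURCE_SERVER_ID}/modelop_client"
# Assumed to be what the console pre-selects as "default" authentication flows.
DEFAULT_AUTH_FLOWS = ["ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH", "ALLOW_CUSTOM_AUTH"]


def resource_server_spec(user_pool_id):
    """create_resource_server parameters: identifier rs, custom scope modelop_client."""
    return {
        "UserPoolId": user_pool_id,
        "Identifier": RESOURCE_SERVER_ID,
        "Name": "modelop",  # assumed name; the how-to only says "enter a name"
        "Scopes": [{"ScopeName": "modelop_client", "ScopeDescription": "ModelOp Center API"}],
    }


def _base_client(user_pool_id, name, secret, auth_flows):
    """Settings shared by all three app clients on the page."""
    return {
        "UserPoolId": user_pool_id,
        "ClientName": name,
        "GenerateSecret": secret,
        "ExplicitAuthFlows": list(auth_flows),
        "AccessTokenValidity": 480,   # 480 minutes, as on the page
        "IdTokenValidity": 480,
        "RefreshTokenValidity": 30,   # "Any" on the page; 30 days is an assumed choice
        "TokenValidityUnits": {"AccessToken": "minutes", "IdToken": "minutes", "RefreshToken": "days"},
        "SupportedIdentityProviders": ["COGNITO"],  # "Cognito user pool"
        "AllowedOAuthFlowsUserPoolClient": True,
        "EnableTokenRevocation": True,               # "Enable token revocation"
        "PreventUserExistenceErrors": "ENABLED",     # "Prevent user existence errors"
    }


def gateway_service_client(user_pool_id):
    """Confidential client, authorization code grant, OIDC scopes."""
    spec = _base_client(user_pool_id, "gateway-service", True, DEFAULT_AUTH_FLOWS)
    spec.update({
        "AllowedOAuthFlows": ["code"],
        "AllowedOAuthScopes": ["openid", "email", "profile"],
        "CallbackURLs": [f"{MODELOP_URL}/login/oauth2/code/gateway-service"],
        "LogoutURLs": [f"{MODELOP_URL}/"],
    })
    return spec


def internal_client(user_pool_id):
    """Confidential client, client credentials grant, custom scope rs/modelop_client only."""
    spec = _base_client(user_pool_id, "internal-client", True,
                        DEFAULT_AUTH_FLOWS + ["ALLOW_USER_PASSWORD_AUTH"])
    spec.update({"AllowedOAuthFlows": ["client_credentials"], "AllowedOAuthScopes": [CUSTOM_SCOPE]})
    return spec


def external_integration_client(user_pool_id):
    """Public client (no secret), implicit grant, three fixed callback URLs."""
    spec = _base_client(user_pool_id, "external-integration-client", False, DEFAULT_AUTH_FLOWS)
    spec.update({
        "AllowedOAuthFlows": ["implicit"],
        "AllowedOAuthScopes": ["openid", "email", "profile"],
        "CallbackURLs": [
            f"{MODELOP_URL}/jupyterOauth2ImplicitGrant.html",
            f"{MODELOP_URL}/modelOpWDC.html",
            "https://oauth.powerbi.com/views/oauthredirect.html",
        ],
    })
    return spec


CHECKED_KEYS = ("AllowedOAuthFlows", "AllowedOAuthScopes", "CallbackURLs", "LogoutURLs",
                "ExplicitAuthFlows", "AccessTokenValidity", "IdTokenValidity",
                "EnableTokenRevocation", "PreventUserExistenceErrors", "SupportedIdentityProviders")


def drift(actual, expected):
    """Compare a describe_user_pool_client()['UserPoolClient'] dict with a spec.
    Returns a list of mismatch descriptions; empty means the client matches."""
    problems = []
    for key in CHECKED_KEYS:
        if key not in expected:
            continue
        want, got = expected[key], actual.get(key)
        if isinstance(want, list):           # order is not significant for these lists
            want, got = sorted(want), sorted(got or [])
        if want != got:
            problems.append(f"{key}: expected {want!r}, found {got!r}")
    return problems


def apply(user_pool_id):
    """Create the resource server and clients for real (needs AWS credentials)."""
    import boto3
    idp = boto3.client("cognito-idp")
    idp.create_resource_server(**resource_server_spec(user_pool_id))
    for build in (gateway_service_client, internal_client, external_integration_client):
        idp.create_user_pool_client(**build(user_pool_id))
```

Run `apply("<user pool id>")` once to create everything, and periodically feed each `describe_user_pool_client(...)["UserPoolClient"]` into `drift()` against its builder: a lengthened access token, a disabled revocation flag or an extra OAuth flow on `internal-client` shows up as a one-line mismatch instead of going unnoticed in the console.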

Additional notes

Create Amazon Cognito users

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. Choose your existing user pool

  4. Choose “Users”

  5. Choose “Create user”

  6. User information

    1. Alias attributes used to sign in: Choose

      1. User name

      2. Email

    2. Invitation message: Choose “Don’t send an invitation”

    3. User name: Enter a user name

    4. Email address - optional: Enter an email address

    5. Select “Mark email address as verified”

    6. Temporary password: Choose “Set a password”

    7. Password: Enter a temporary password

    8. Choose “Create user”

Create Amazon Cognito groups

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. Choose your existing user pool

  4. Choose “Groups”

  5. Choose “Create group”

  6. Group information

    1. Group name: Enter a group name

    2. Choose “Create group”

Assign Amazon Cognito user to an Amazon Cognito group

  1. Open the Amazon Cognito console. If prompted, enter your AWS credentials

  2. In the upper left corner, choose “User pools”

  3. Choose your existing user pool

  4. Choose “Groups”

  5. Choose an existing group

  6. Choose “Add user to group”

  7. Choose an existing user

  8. Choose “Add”