AWS Cognito: Instructions on how to create a user pool, resource server and app clients
ModelOp Center requires the following Amazon Cognito configurations when used with OAuth2:
User pool
Resource server
App clients:
gateway-service
internal-client
external-integration-client
User pool and gateway-service
Follow these steps to create the user pool and the gateway-service app client with the Amazon Cognito console:
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
In the upper right corner, choose “Create user pool”
Step 1: Configure sign-in experience
Provider types: “Cognito user pool”
Cognito user pool sign-in options: Choose
User name
Email
User name requirements: Make your selection based on your company policy
Step 2: Configure security requirements
Password policy: Make your selection based on your company policy
Multi-factor authentication: “No MFA”
Use account recovery:
Choose “Enable self-service account recovery - Recommended”
Delivery method for user account recovery messages: Choose “Email only”
Step 3: Configure sign-up experience
Self-registration: Make your selection based on your company policy
Cognito-assisted verification and confirmation: Make your selection based on your company policy
Verifying attribute changes: Make your selection based on your company policy
Required attributes: Select
name
given_name
family_name
email
Step 4: Configure message delivery
Email: Make your selection based on your company policy or choose “Send email with Cognito”
Step 5: Integrate your app
User pool name: Enter a name for your user pool
Hosted authentication pages: Choose “Use the Cognito Hosted UI”
Domain: Choose “Use a Cognito domain” and enter a domain prefix
Initial app client:
App type: Choose “Confidential Client”
App client name: Enter “gateway-service”
Client secret: Choose “Generate a client secret”
Allowed callback URLs: Enter “https://<ModelOp-Center-Env>/login/oauth2/code/gateway-service”
Advanced app client settings:
Authentication flows: Keep the default values
Refresh token expiration: Any
Access token expiration: 480 minutes
ID token expiration: 480 minutes
Advanced security configurations: Choose
Enable token revocation
Prevent user existence errors
Identity providers: Choose “Cognito user pool”
OAuth 2.0 Grant Types: Select “Authorization code grant”
OpenID Connect scopes: Select
OpenID
Email
Profile
Allowed sign-out URL: Enter “https://<ModelOp-Center-Env>/”
Step 6: Review and create
Review the user pool configuration and choose “Create user pool”
Resource server
Follow these steps to create a resource server in your user pool with the Amazon Cognito console:
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
Choose your existing user pool
Choose “App integration”
Choose “Create resource server”
Resource server:
Enter a resource server name
Enter a resource server identifier of “rs”
Custom scopes: Enter a scope name of “modelop_client”
Choose “Create resource server”
internal-client app
Follow these steps to create the internal-client app client in your user pool with the Amazon Cognito console:
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
Choose your existing user pool
Choose “App integration”
Choose “Create app client”
App client
App type: “Confidential client”
App client name: Enter “internal-client”
Client secret: Choose “Generate a client secret”
Authentication flows: Keep the default values and additionally select ALLOW_USER_PASSWORD_AUTH
Refresh token expiration: Any
Access token expiration: 480 minutes
ID token expiration: 480 minutes
Advanced security configurations: Select
Enable token revocation
Prevent user existence errors
Hosted UI settings
Allowed callback URLs: None
Allowed sign-out URLs - optional: None
Identity providers: Select “Cognito user pool”
OAuth 2.0 Grant Types: Select “Client credentials”
Custom scopes: Select
rs/modelop_client
Attribute read and write permissions: Keep the default values
Choose “Create app client”
external-integration-client
Follow these steps to create the external-integration-client app client in your user pool with the Amazon Cognito console:
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
Choose your existing user pool
Choose “App integration”
Choose “Create app client”
App client
App type: “Public client”
App client name: Enter “external-integration-client”
Client secret: Choose “Don’t generate a client secret”
Authentication flows: Keep the default values
Refresh token expiration: Any
Access token expiration: 480 minutes
ID token expiration: 480 minutes
Advanced security configurations: Select
Enable token revocation
Prevent user existence errors
Hosted UI settings
Allowed callback URLs: Enter:
https://<ModelOp-Center-Env>/jupyterOauth2ImplicitGrant.html
https://<ModelOp-Center-Env>/modelOpWDC.html
https://oauth.powerbi.com/views/oauthredirect.html
Allowed sign-out URLs - optional: None
Identity providers: Select “Cognito user pool”
OAuth 2.0 Grant Types: Select “Implicit grant” and “Authorization code grant”
OpenID Connect scopes: Select
OpenID
Email
Profile
Custom scopes: None
Attribute read and write permissions: Keep the default values
Choose “Create app client”
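As an added example that is not part of this guide or of ModelOp's own tooling, the following Python script audits app-client settings exported from a user pool against the three app client definitions above (gateway-service, internal-client and external-integration-client), so drift such as an unexpected client secret, grant type, callback URL or token lifetime is reported. It assumes the field names of the cognito-idp DescribeUserPoolClient response and uses constructed sample clients in place of a live pool.

```python
# Added example (not from the page or ModelOp): an offline audit of Cognito app
# clients against the settings in this guide. Dicts follow the UserPoolClient shape
# of cognito-idp DescribeUserPoolClient (assumed field names); values are constructed.
MOC = "https://<ModelOp-Center-Env>"  # placeholder host from the guide
# Expected per-client settings, taken from the steps above.
EXPECTED = {
    "gateway-service": dict(secret=True, flows={"code"}, scopes={"openid", "email", "profile"},
                            callbacks={f"{MOC}/login/oauth2/code/gateway-service"}),
    "internal-client": dict(secret=True, flows={"client_credentials"},
                            scopes={"rs/modelop_client"}, callbacks=set()),
    "external-integration-client": dict(
        secret=False, flows={"code", "implicit"}, scopes={"openid", "email", "profile"},
        callbacks={f"{MOC}/jupyterOauth2ImplicitGrant.html", f"{MOC}/modelOpWDC.html",
                   "https://oauth.powerbi.com/views/oauthredirect.html"}),
}

def audit_client(client: dict) -> list[str]:
    # Return the drifts between one app client and the guide's expected settings.
    name = client.get("ClientName", "<unnamed>")
    want = EXPECTED.get(name)
    if want is None:
        return [f"{name}: not an app client this guide defines"]
    found = []
    if bool(client.get("ClientSecret")) != want["secret"]:
        found.append(f"{name}: client secret should {'' if want['secret'] else 'not '}be generated")
    for key, field in (("flows", "AllowedOAuthFlows"), ("scopes", "AllowedOAuthScopes"),
                       ("callbacks", "CallbackURLs")):
        got = set(client.get(field, []))
        if got != want[key]:
            found.append(f"{name}: {field}={sorted(got)}, expected {sorted(want[key])}")
    if not client.get("EnableTokenRevocation"):
        found.append(f"{name}: token revocation is not enabled")
    if client.get("PreventUserExistenceErrors") != "ENABLED":
        found.append(f"{name}: user existence errors are not prevented")
    units = client.get("TokenValidityUnits", {})
    for tok in ("AccessToken", "IdToken"):  # the guide sets both to 480 minutes
        if client.get(f"{tok}Validity") != 480 or units.get(tok) != "minutes":
            found.append(f"{name}: {tok} validity should be 480 minutes")
    return found

# Constructed samples: the first matches the guide, the second has drifted.
SAMPLE_CLIENTS = [
    {"ClientName": "internal-client", "ClientSecret": "<constructed>",
     "AllowedOAuthFlows": ["client_credentials"], "AllowedOAuthScopes": ["rs/modelop_client"],
     "EnableTokenRevocation": True, "PreventUserExistenceErrors": "ENABLED", "AccessTokenValidity": 480,
     "IdTokenValidity": 480, "TokenValidityUnits": {"AccessToken": "minutes", "IdToken": "minutes"}},
    {"ClientName": "external-integration-client", "ClientSecret": "<constructed>",
     "AllowedOAuthFlows": ["code", "implicit"], "AllowedOAuthScopes": ["openid", "email", "profile"],
     "CallbackURLs": [f"{MOC}/modelOpWDC.html"], "EnableTokenRevocation": True, "IdTokenValidity": 480,
     "PreventUserExistenceErrors": "LEGACY", "AccessTokenValidity": 8,
     "TokenValidityUnits": {"AccessToken": "hours", "IdToken": "minutes"}},
]
```

Feed the script the UserPoolClient dicts returned for each app client in your pool; an empty list means the client matches this guide.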
Additional notes
Cognito users
Follow these steps to create a user in your user pool with the Amazon Cognito console:
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
Choose your existing user pool
Choose “Users”
Choose “Create user”
User information
Alias attributes used to sign in: Choose
User name
Email
Invitation message: Choose “Don't send an invitation”
User name: Enter a user name
Email address - optional: Enter an email address
Select “Mark email address as verified”
Temporary password: Choose “Set a password”
Password: Enter a temporary password
Choose “Create user”
Cognito groups
Follow these steps to create a group in your user pool with the Amazon Cognito console:
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
Choose your existing user pool
Choose “Groups”
Choose “Create group”
Group information
Group name: Enter a group name
Choose “Create group”
Assign Cognito user to a Cognito group
Follow these steps to assign a user to a group in your user pool with the Amazon Cognito console:
Open the Amazon Cognito console. If prompted, enter your AWS credentials
In the upper left corner, choose “User pools”
Choose your existing user pool
Choose “Groups”
Choose an existing group
Choose “Add user to group”
Choose an existing user
Choose “Add”