Using AWS Cognito as an identity provider for the OpenID Connect plugin
1. Click the Create a User Pool button in the AWS Cognito web console.
2. Click Review Defaults to use mostly the default settings.
   2a. Before creating the pool, make sure to click Add an App Client.
   2b. Create an App Client: give it a name and uncheck everything except Enable refresh token based authentication (ALLOW_REFRESH_TOKEN_AUTH).
3. Click Create pool.
4. Under General Settings in the left menu, click App Client and take note of the values for App client id and App client secret.
5. Under App integration in the left menu, click Domain name and enter a subdomain. This will be the domain that users are routed to when they log in.
6. At the top left of the AWS Cognito console, click Federated Identities (it is a bit hard to find).
7. Once there, click Create new identity pool.
8. Give the identity pool a name.
   8b. Under the Authentication providers section, use the User Pool ID from the User Pool created earlier and the App client id from the App Client created earlier.
9. Click Create Pool and allow the console to create the IAM roles to use with the new identity pool.
10. At this point you have pretty much everything you need to configure your Discourse instance with the correct site settings, assuming you have installed the plugin:
    - openid connect enabled: enable this
    - openid connect client id: use the App client id retrieved in step 4
    - openid connect client secret: use the App client secret retrieved in step 4
    - openid connect discovery document: the discovery document URL follows the format below (you can see the format for userPoolId in the screenshot with step 8b):
      https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration
      To check that you have the URL format correct, paste it into your browser; you should get back a JSON document listing the authorization endpoint, issuer, and other things.
    - openid connect authorize scope: openid email
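Added example (not from the original post or the Discourse plugin): a small Python script that builds the discovery URL from the region and User Pool Id, rejects values that do not look like a pool id (the usual cause of the "regex matching error" mentioned below), and checks the returned JSON for the issuer, endpoints and scopes the plugin settings above rely on. The pool id pattern, the list of required keys and the sample discovery document (placeholder pool id and hosted-UI domain) are assumptions constructed for the example; on a real pool you would pass the function the JSON your browser returned from the URL.

```python
"""Build and sanity-check the Cognito OIDC discovery URL used by the Discourse plugin.

Added example. Assumes the URL format from the post and the common user pool id
shape "<region>_<suffix>" (assumption). The discovery JSON at the bottom is
constructed for this example, not fetched from AWS.
"""
import json
import re
from urllib.parse import urlparse

# Assumption: Cognito user pool ids look like "us-east-1_AbCdEf123".
USER_POOL_ID_RE = re.compile(r"^(?P<region>[a-z]{2}-[a-z]+-\d+)_[A-Za-z0-9]+$")

# Standard OIDC discovery keys an authorization-code login needs (assumption).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def build_discovery_url(region: str, user_pool_id: str) -> str:
    """Return the discovery document URL, rejecting values that are not a pool id.

    A regex matching error on the plugin side usually means something other than
    the User Pool Id (e.g. the domain prefix or app client id) was pasted here.
    """
    m = USER_POOL_ID_RE.match(user_pool_id)
    if not m:
        raise ValueError(f"{user_pool_id!r} does not look like a Cognito User Pool Id")
    if m.group("region") != region:
        raise ValueError(f"pool id region {m.group('region')!r} does not match {region!r}")
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}/.well-known/openid-configuration"


def check_discovery_document(url: str, body: str, scopes=("openid", "email")) -> dict:
    """Validate the JSON returned by the discovery URL against what the plugin needs.

    Returns the parsed document; raises ValueError on any mismatch so the problem
    is visible before Discourse tries to use the provider.
    """
    doc = json.loads(body)
    missing = [k for k in REQUIRED_KEYS if k not in doc]
    if missing:
        raise ValueError(f"discovery document is missing {missing}")
    # The issuer must equal the URL base: ID tokens are checked against it, so a
    # document served from a different issuer would fail at login time.
    expected_issuer = url.rsplit("/.well-known/", 1)[0]
    if doc["issuer"] != expected_issuer:
        raise ValueError(f"issuer {doc['issuer']!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} is not https: {doc[key]!r}")
    # The "openid email" scope setting only works if the provider advertises both.
    unsupported = [s for s in scopes if s not in doc.get("scopes_supported", [])]
    if unsupported:
        raise ValueError(f"provider does not advertise scopes {unsupported}")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("authorization code flow not advertised")
    return doc


# Constructed sample with placeholder values: the pool id and the hosted-UI
# domain ("example-domain", the subdomain chosen in step 5) are not real.
SAMPLE_REGION = "us-east-1"
SAMPLE_POOL_ID = "us-east-1_EXAMPLEPOOL"
SAMPLE_URL = build_discovery_url(SAMPLE_REGION, SAMPLE_POOL_ID)
SAMPLE_DOC = json.dumps({
    "issuer": f"https://cognito-idp.{SAMPLE_REGION}.amazonaws.com/{SAMPLE_POOL_ID}",
    "authorization_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-domain.auth.us-east-1.amazoncognito.com/oauth2/token",
    "jwks_uri": f"https://cognito-idp.{SAMPLE_REGION}.amazonaws.com/{SAMPLE_POOL_ID}/.well-known/jwks.json",
    "scopes_supported": ["openid", "email", "phone", "profile"],
    "response_types_supported": ["code", "token"],
})

if __name__ == "__main__":
    print(SAMPLE_URL)
    checked = check_discovery_document(SAMPLE_URL, SAMPLE_DOC)
    print("authorization_endpoint:", checked["authorization_endpoint"])
```

The authorization and token endpoints in the sample live under the hosted-UI domain rather than under cognito-idp, which is why the domain name from step 5 has to exist before the discovery document is usable.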
Other things that may be useful:
- Stackoverflow: context on the URL format for the Discovery Document URL
- Stackoverflow: if you get a regex matching error when you check the discovery document URL, check whether you used the wrong value in place of the User Pool Id in the discovery document URL.
- Stackoverflow: make sure to set up the domain name or you'll get this issue