Anyone have a working AWS Cognito configuration w/ OAuth2, OpenID or SSO?

For AWS Cognito as an identity provider for OpenID Connect plugin

1. Click on the Create a User Pool button within the AWS Cognito web console
2. Click on Review Defaults to use mostly the default settings
   2a. Before creating the pool, make sure to click on "Add an App Client"
   2b. Create an App Client; give it a name and uncheck everything except Enable refresh token based authentication (ALLOW_REFRESH_TOKEN_AUTH)
3. Click Create pool
4. Now under General Settings on the left menu you should click on App Client and take note of the values for App client id & App client secret
5. Next, under App integration on the left menu you should click on Domain name. Enter a subdomain here. This name will be the domain that users get routed to when they log in.

6. At the top left of the AWS Cognito Console, click on Federated Identities; it's a bit hard to find.
7. Once there, click on Create new identity pool
8. Give the identity pool a name
   8b. Under the Authentication providers section, use the User Pool ID from the previously created User pool & the App client id from the previously created App client.
9. Click Create Pool and allow the console to create the IAM roles to use with the new identity pool
10. At this point you've got pretty much everything you should need to get going with setting up your Discourse instance with the correct site settings, assuming you've installed the plugin.

openid connect enabled: enable this
openid connect client id: use the App Client Id we retrieved above in the earlier steps
openid connect client secret: use the App Client Secret we saw above in the earlier steps
openid connect discovery document: the discovery document URL follows the format below; you can see the format for userPoolId in the screenshot with step 8b.

https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration

To check that you have the URL format correct, just try pasting it into your browser; you should get a nice JSON document that returns the authorization endpoint, issuer, and other things.

openid connect authorize scope: openid email


Other things that may be useful

7 Likes
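As an added example (not part of the original post or of the Discourse plugin), the following Python script does what the "paste it into your browser" check above does by eye: it builds the discovery URL from a region and user pool ID, then verifies that a discovery document's issuer actually matches that pool, that the endpoints are HTTPS, that the JWKS is served by the issuer host, and that the `openid email` scopes the plugin setting asks for are supported. The region, pool ID and Cognito domain are constructed placeholders, and the sample document is constructed to mirror the shape Cognito serves rather than fetched from AWS.

```python
import json
import re
from urllib.parse import urlparse

# Constructed placeholders: not a real user pool, domain or region of anyone's.
SAMPLE_REGION = "us-east-1"
SAMPLE_POOL_ID = "us-east-1_EXAMPLEPOOL"
SAMPLE_DOMAIN = "example-forum"  # the subdomain chosen in step 5

# Constructed discovery document shaped like the one Cognito returns.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": f"https://cognito-idp.{SAMPLE_REGION}.amazonaws.com/{SAMPLE_POOL_ID}",
    "authorization_endpoint": f"https://{SAMPLE_DOMAIN}.auth.{SAMPLE_REGION}.amazoncognito.com/oauth2/authorize",
    "token_endpoint": f"https://{SAMPLE_DOMAIN}.auth.{SAMPLE_REGION}.amazoncognito.com/oauth2/token",
    "userinfo_endpoint": f"https://{SAMPLE_DOMAIN}.auth.{SAMPLE_REGION}.amazoncognito.com/oauth2/userInfo",
    "jwks_uri": f"https://cognito-idp.{SAMPLE_REGION}.amazonaws.com/{SAMPLE_POOL_ID}/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Cognito pool IDs look like <region>_<alphanumeric>, e.g. us-east-1_abc123 (assumed shape).
POOL_ID_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d_[A-Za-z0-9]+$")
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")


def expected_issuer(region: str, user_pool_id: str) -> str:
    """The issuer value a token from this pool must carry."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def discovery_url(region: str, user_pool_id: str) -> str:
    """Build the URL that goes into the 'openid connect discovery document' setting."""
    return expected_issuer(region, user_pool_id) + "/.well-known/openid-configuration"


def check_discovery_document(doc_text: str, region: str, user_pool_id: str,
                             required_scopes=("openid", "email")) -> list:
    """Return a list of problems; an empty list means the document fits the configured pool."""
    problems = []
    if not POOL_ID_RE.match(user_pool_id):
        problems.append(f"user pool id {user_pool_id!r} does not look like <region>_<id>")
    try:
        doc = json.loads(doc_text)
    except ValueError as exc:
        return problems + [f"discovery document is not JSON: {exc}"]

    # Issuer mismatch means tokens would come from a different pool than the one configured.
    issuer = doc.get("issuer")
    if issuer != expected_issuer(region, user_pool_id):
        problems.append(f"issuer {issuer!r} does not match the configured pool")
    issuer_host = urlparse(issuer or "").hostname

    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
            continue
        if urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")

    # Signing keys should be served by the issuer itself, not some other host.
    jwks_host = urlparse(doc.get("jwks_uri") or "").hostname
    if jwks_host and jwks_host != issuer_host:
        problems.append("jwks_uri is not served by the issuer host")

    missing = [s for s in required_scopes if s not in doc.get("scopes_supported", [])]
    if missing:
        problems.append(f"scopes not supported: {missing}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) not supported")
    return problems


if __name__ == "__main__":
    print("discovery URL:", discovery_url(SAMPLE_REGION, SAMPLE_POOL_ID))
    print("problems:", check_discovery_document(SAMPLE_DISCOVERY_DOC, SAMPLE_REGION, SAMPLE_POOL_ID))
```

To run it against a live pool, fetch the discovery URL it prints and pass the response body to `check_discovery_document` with your own region and pool ID; a non-empty list pinpoints which setting is off before you try a login.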