Custom Login Flow: AWS Cognito SSO (via Passwordless Signin) - Is this possible?

I was able to enable SSO via AWS Cognito by following the steps here:

  1. OpenID Connect Authentication Plugin
  2. Anyone have a working AWS Cognito configuration w/ oauth2, openid or sso?

However, I am attempting to find ways to enable the same authentication flow in Discourse that we have for our mobile and web app, which is a custom auth flow via passwordless login (users enter their email and receive a verification code).

The expectation is that the SSO would work via this passwordless auth flow instead of email/password, since users aren't using passwords on the main apps.

Any pointers on how to enable this functionality? Or whether this is possible?

Thank you.

Unless I’m missing something, that should work. Just have them go wherever it is to get the link sent and you should be logged in to Discourse. Does that not work? Or do you want to make Discourse send them to the place to request the link?

Hi Jay,

Thanks for the reply.

To clarify.

The flow on our app (not discourse) is passwordless - user enters email → receives a 6 digit code in email → enters code → signs in

To enable this we have Lambda triggers that define/create and verify the auth challenges. Further, the UI is custom (i.e. not provided by AWS Amplify).

What we want is for the Discourse sign-in process to be the same. I attempted to use the same Cognito app client configuration for Discourse but get this error page:

(the network call isn’t very helpful from cognito about this error)
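For readers who want to see what the "define/create and verify the auth challenges" triggers in the post above look like, here is an added Python example of the three Lambda handlers Cognito calls for its CUSTOM_AUTH flow (DefineAuthChallenge, CreateAuthChallenge, VerifyAuthChallengeResponse). It is not the poster's code and not an AWS artifact: the event and response field names follow the documented trigger contract, but `MAX_ATTEMPTS`, the `CODE-<code>` metadata convention, the in-memory `OUTBOX` standing in for SES, and the `simulate_login` driver that plays the part of Cognito are all assumptions made here so the module runs offline.

```python
"""Cognito CUSTOM_AUTH triggers for an email-code passwordless login.

Hypothetical example (not the forum poster's code): the three handlers
follow the DefineAuthChallenge / CreateAuthChallenge /
VerifyAuthChallengeResponse event contract of the CUSTOM_AUTH flow.
Email delivery is replaced by an in-memory outbox so it runs offline.
"""
import hmac
import secrets
from typing import Callable, Dict, List, Tuple

MAX_ATTEMPTS = 3   # assumption: fail the session after three wrong codes
CODE_LENGTH = 6

# Stand-in for SES/SMTP; records (recipient, code) so tests can read the code.
OUTBOX: List[Tuple[str, str]] = []


def _record_email(to: str, code: str) -> None:
    OUTBOX.append((to, code))


def _generate_code() -> str:
    # CSPRNG, zero-padded so a code such as "004217" keeps its full length.
    return f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"


def define_auth_challenge(event: Dict, context=None) -> Dict:
    """Decide the next step from the session history Cognito passes in."""
    session: List[Dict] = event["request"].get("session", [])
    response = event["response"]
    last_ok = bool(session) and session[-1]["challengeName"] == "CUSTOM_CHALLENGE" \
        and bool(session[-1]["challengeResult"])
    if last_ok:
        response.update(issueTokens=True, failAuthentication=False)
    elif len(session) >= MAX_ATTEMPTS:
        response.update(issueTokens=False, failAuthentication=True)
    else:
        # Unknown users (request.userNotFound) get a challenge too, so the
        # client cannot distinguish registered from unregistered emails here.
        response.update(issueTokens=False, failAuthentication=False,
                        challengeName="CUSTOM_CHALLENGE")
    return event


def create_auth_challenge(event: Dict, context=None,
                          send_email: Callable[[str, str], None] = _record_email) -> Dict:
    """Generate (or reuse) the code and hand it to Cognito as a private parameter."""
    request = event["request"]
    session: List[Dict] = request.get("session", [])
    email = request.get("userAttributes", {}).get("email", "")
    if session:
        # Retry within the same session: keep the code already emailed, which
        # Cognito echoes back through the previous entry's challengeMetadata.
        code = session[-1]["challengeMetadata"].split("-", 1)[1]
    else:
        code = _generate_code()
        if email and not request.get("userNotFound"):
            send_email(email, code)   # unknown users never receive a code
    event["response"]["publicChallengeParameters"] = {"email": email}
    event["response"]["privateChallengeParameters"] = {"secretLoginCode": code}
    event["response"]["challengeMetadata"] = f"CODE-{code}"
    return event


def verify_auth_challenge_response(event: Dict, context=None) -> Dict:
    """Constant-time comparison of the user's answer with the private code."""
    expected = event["request"]["privateChallengeParameters"]["secretLoginCode"]
    answer = str(event["request"].get("challengeAnswer", ""))
    event["response"]["answerCorrect"] = hmac.compare_digest(expected.encode(), answer.encode())
    return event


def simulate_login(email: str, answer_for: Callable[[int], str],
                   user_exists: bool = True) -> Dict:
    """Drive the three triggers the way Cognito does; stands in for Cognito itself."""
    session: List[Dict] = []
    while True:
        define = define_auth_challenge({
            "request": {"session": list(session), "userNotFound": not user_exists},
            "response": {}})["response"]
        if define["issueTokens"]:
            return {"tokens_issued": True, "attempts": len(session)}
        if define["failAuthentication"]:
            return {"tokens_issued": False, "attempts": len(session)}
        created = create_auth_challenge({
            "request": {"challengeName": define["challengeName"], "session": list(session),
                        "userNotFound": not user_exists,
                        "userAttributes": {"email": email} if user_exists else {}},
            "response": {}})["response"]
        verified = verify_auth_challenge_response({
            "request": {"privateChallengeParameters": created["privateChallengeParameters"],
                        "challengeAnswer": answer_for(len(session))},
            "response": {}})["response"]
        session.append({"challengeName": "CUSTOM_CHALLENGE",
                        "challengeResult": verified["answerCorrect"],
                        "challengeMetadata": created["challengeMetadata"]})


if __name__ == "__main__":
    # Constructed run: first answer wrong, second answer is the emailed code.
    print(simulate_login("alice@example.com",
                         lambda attempt: OUTBOX[-1][1] if attempt == 1 else "bad"))
```

The points worth noticing are the ones that go wrong in ad-hoc implementations: the code is compared with `hmac.compare_digest`, a retry reuses the already-emailed code instead of mailing a fresh one per attempt, the session is failed after `MAX_ATTEMPTS`, and an unknown email still gets a challenge (with no email sent) so the flow does not double as an account-enumeration oracle.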

As a follow-up to this, if anyone is interested:

We essentially had to set up an intermediate OAuth server to handle the tokens, inspired by this post:

We have a Flask/Python backend so ended up using: python-oauth2 · PyPI

TL;DR: can't do a passwordless setup using Cognito by any default means; we had to set up lightweight OAuth ourselves.