Cognito OIDC Authorization Code Flow with External IdP
Overview

This post explains the complete OIDC Authorization Code flow when a user logs in via an external IdP (such as Google) through a Cognito User Pool.

The Complete Flow

Participants: Browser, Your App (Backend), Cognito User Pool, Google IdP. The sequence diagram, as a numbered exchange:

 1. Browser -> Your App: user clicks "Login with Google"
 2. Your App -> Browser: redirect to Cognito
 3. Browser -> Cognito: GET /oauth2/authorize
 4. Cognito -> Browser: redirect to Google
 5. Browser -> Google: open the Google login page
 6. Browser -> Google: user enters credentials
 7. Google -> Browser: redirect back with Google's authorization code
 8. Browser -> Cognito: GET /oauth2/idpresponse (carrying Google's code)
 9. Cognito <-> Google: Cognito exchanges the code for Google's tokens (back channel)
10. Cognito validates Google's tokens
11. Cognito creates or updates the user in the user pool
12. Cognito generates its own authorization code
13. Cognito -> Browser: redirect to your app with the Cognito code
14. Browser -> Your App: GET /callback (carrying the Cognito code)
15. Your App <-> Cognito: app exchanges the Cognito code for tokens at /oauth2/token (back channel)
16. Your App -> Browser: app stores the tokens; the user is logged in

Two separate authorization codes are in play: Google's code (steps 7-9) never reaches your app, and the Cognito code (steps 13-15) never reaches Google. Your app only ever talks to Cognito.

Step-by-Step Details

Step 3: Browser to Cognito

    GET https://your-domain.auth.us-east-1.amazoncognito.com/oauth2/authorize
        ?client_id=abc123clientid
        &response_type=code
        &scope=openid email profile
        &redirect_uri=https://yourapp.com/callback
        &identity_provider=Google

Parameter            Purpose
client_id            Your Cognito App Client ID
response_type=code   Request an authorization code (not tokens directly)
scope                Which user info to request (space-separated; URL-encoded on the wire)
redirect_uri         Where Cognito sends the user after authentication; must exactly match a callback URL registered on the app client
identity_provider    Skip the Cognito hosted UI and go directly to Google

The request as shown carries no state parameter and no PKCE code_challenge. Both are accepted by /oauth2/authorize, and a production client should send them so that the code returned in step 13 can be tied to the browser session that started the login (state guards against CSRF on your /callback; PKCE guards against a stolen code being redeemed by someone else).

Step 5: Browser to Google

    GET https://accounts.google.com/o/oauth2/v2/auth
        ?client_id=google-client-id.apps.googleusercontent.com
        &response_type=code
        &scope=openid email profile
        &redirect_uri=https://your-domain.auth.us-east-1.amazoncognito.com/oauth2/idpresponse
        &state=xyz789

Note: redirect_uri points back to Cognito, not your app, and client_id is the Google OAuth client registered in the user pool's IdP configuration, not your Cognito app client. The state value on this leg is generated by Cognito for its own exchange with Google; it is independent of any state your app sent in step 3.

...
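The app-side half of the flow (steps 2-3 and 14-15), as an added Python example that is not from the original post. It builds the Cognito /oauth2/authorize redirect with state and PKCE added, validates the callback, and assembles the /oauth2/token request without sending it. The client_id and redirect_uri are the post's example values; the Cognito domain, the client secret and the dict used as a server-side session store are placeholder assumptions. Verifying the returned ID token's signature against the user pool's JWKS is a separate step and is not shown here.

```python
"""
Added example (not part of the original post): the "Your App (Backend)"
side of the Cognito authorization code flow. No network calls are made;
the functions return the redirect URL and the token request to send.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

COGNITO_DOMAIN = "https://your-domain.auth.us-east-1.amazoncognito.com"  # assumed
CLIENT_ID = "abc123clientid"                   # value from the post
CLIENT_SECRET = "example-client-secret"        # assumed; empty string for a public client
REDIRECT_URI = "https://yourapp.com/callback"  # value from the post


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge per RFC 7636: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_login(session: dict, identity_provider: str = "Google") -> str:
    """Steps 2-3: mint state + PKCE verifier, keep them in the user's
    server-side session, and return the Cognito authorize URL to redirect to."""
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)  # 43..128 chars, as RFC 7636 requires
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid email profile",          # urlencode turns spaces into '+'
        "redirect_uri": REDIRECT_URI,
        "identity_provider": identity_provider,   # bypass the hosted UI, go to Google
        "state": state,
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str) -> dict:
    """Steps 14-15: validate the redirect from Cognito and build the request
    the backend POSTs to /oauth2/token. Raises RuntimeError on any failure."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        # Cognito relays IdP/user-pool failures as error / error_description
        raise RuntimeError(f"login failed: {qs['error'][0]}")

    expected_state = session.pop("oauth_state", None)  # single use, consumed even on failure
    received_state = qs.get("state", [""])[0]
    if not expected_state or not secrets.compare_digest(
        received_state.encode("utf-8"), expected_state.encode("utf-8")
    ):
        raise RuntimeError("state mismatch: callback not tied to a login this session started")

    code = qs.get("code", [None])[0]
    if not code:
        raise RuntimeError("callback carried no authorization code")
    verifier = session.pop("pkce_verifier", None)
    if not verifier:
        raise RuntimeError("no PKCE verifier in session")

    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the redirect_uri used in step 3
        "code_verifier": verifier,     # lets Cognito check it against the step-3 challenge
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if CLIENT_SECRET:
        # Confidential app client: HTTP Basic with client_id:client_secret
        creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    return {"url": f"{COGNITO_DOMAIN}/oauth2/token", "headers": headers, "body": urlencode(body)}


if __name__ == "__main__":
    session = {}
    print("302 ->", begin_login(session))
    # Constructed callback, as the browser would present it in step 14
    cb = f"{REDIRECT_URI}?code=cognitocode123&state={session['oauth_state']}"
    req = handle_callback(session, cb)
    print("POST", req["url"])
    print(req["body"])
```

The token-endpoint response (JSON with id_token, access_token, refresh_token) is what step 16 stores; before trusting the id_token, check its RS256 signature against the user pool's JWKS and its iss, aud (your client_id), exp and token_use claims.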
