AWS IAM Identity Providers - OIDC, SAML, and Federation APIs

What is an IAM Identity Provider?

An IAM Identity Provider is a configuration in AWS that tells IAM "trust this external identity system." It lets users authenticated by external systems (Google, Okta, GitHub Actions, etc.) get temporary AWS credentials without creating IAM users.

Key Concepts

| Concept | What it is |
|---|---|
| Identity Provider (IdP) | External system that authenticates users (Google, Okta, Azure AD, etc.) |
| Service Provider (SP) | System that trusts the IdP and provides resources (AWS in this case) |
| Federation | Linking identities across different systems: the user logs in once and accesses multiple systems |
| Trust Relationship | AWS saying "I believe what this IdP tells me about users" |
| OIDC Provider | IAM entity for trusting OpenID Connect-based IdPs |
| SAML Provider | IAM entity for trusting SAML 2.0-based IdPs |

OIDC vs SAML

- OIDC (OpenID Connect): Modern, JSON/REST-based protocol, used by web apps, mobile apps, and programmatic access (GitHub Actions, EKS pods, Cognito)
- SAML 2.0: XML-based enterprise protocol, used for browser-based SSO to the AWS Console (Okta, Azure AD, corporate SSO)

Trust Anchor

When you create an IAM Identity Provider, you get: ...

January 2, 2026 · 5 min · Ren Nishino

Cognito OIDC Authorization Code Flow with External IdP

Overview

This post explains the complete OIDC Authorization Code flow when a user logs in via an external IdP (like Google) through a Cognito User Pool.

The Complete Flow

Participants: Browser, Your App (Backend), Cognito User Pool, Google IdP. (The original sequence diagram is rendered here as a numbered step list.)

1. Browser -> Your App: Click "Login with Google"
2. Your App -> Browser: Redirect to Cognito
3. Browser -> Cognito: Browser goes to Cognito /oauth2/authorize
4. Cognito -> Browser: Cognito redirects to Google
5. Browser -> Google: Browser goes to Google login
6. Browser -> Google: User enters credentials
7. Google -> Browser: Google redirects with code
8. Browser -> Cognito: Browser goes to Cognito /oauth2/idpresponse
9. Cognito <-> Google: Cognito exchanges code with Google
10. Cognito: Cognito validates Google's tokens
11. Cognito: Cognito creates/updates user
12. Cognito: Cognito generates its own auth code
13. Cognito -> Browser: Cognito redirects with Cognito code
14. Browser -> Your App: Browser goes to your app /callback
15. Your App <-> Cognito: App exchanges Cognito code for tokens
16. Your App -> Browser: App stores tokens, user logged in

Step-by-Step Details

Step 3: Browser to Cognito

```
GET https://your-domain.auth.us-east-1.amazoncognito.com/oauth2/authorize
    ?client_id=abc123clientid
    &response_type=code
    &scope=openid email profile
    &redirect_uri=https://yourapp.com/callback
    &identity_provider=Google
```

| Parameter | Purpose |
|---|---|
| client_id | Your Cognito App Client ID |
| response_type=code | Request authorization code (not tokens directly) |
| scope | What user info to request |
| redirect_uri | Where Cognito sends the user after authentication |
| identity_provider | Skip the Cognito hosted UI and go directly to Google |

Step 5: Browser to Google

```
GET https://accounts.google.com/o/oauth2/v2/auth
    ?client_id=google-client-id.apps.googleusercontent.com
    &response_type=code
    &scope=openid email profile
    &redirect_uri=https://your-domain.auth.us-east-1.amazoncognito.com/oauth2/idpresponse
    &state=xyz789
```

Note: redirect_uri points back to Cognito, not your app. ...

January 2, 2026 · 4 min · Ren Nishino