AWS cognito documentation change
Summary
Restructured social IdP setup documentation with updated section headers, added provider-specific registration details, corrected OAuth endpoints, and enhanced testing instructions
Security assessment
Changes focus on improving documentation structure and accuracy (e.g., correct /oauth2/authorize endpoint). While they enhance security configuration guidance, there's no evidence of addressing specific vulnerabilities. Added details about client secrets and OAuth parameters support security best practices documentation.
Diff
diff --git a/cognito/latest/developerguide/cognito-user-pools-social-idp.md b/cognito/latest/developerguide/cognito-user-pools-social-idp.md index 31caae2e9..77bb6a628 100644 --- a/cognito/latest/developerguide/cognito-user-pools-social-idp.md +++ b/cognito/latest/developerguide/cognito-user-pools-social-idp.md @@ -5 +5 @@ -PrerequisitesRegister with a social IdPAdd a social IdP to your user poolTest your social IdP configuration +Set up a developer appConfigure your user poolTest social sign-in @@ -21 +21 @@ Sign-in through a third party (federation) is available in Amazon Cognito user p - * Prerequisites + * Set up a social IdP developer account and application @@ -23 +23 @@ Sign-in through a third party (federation) is available in Amazon Cognito user p - * Step 1: Register with a social IdP + * Configure your user pool with a social IdP @@ -25 +25 @@ Sign-in through a third party (federation) is available in Amazon Cognito user p - * Step 2: Add a social IdP to your user pool + * Test your social IdP configuration @@ -27 +26,0 @@ Sign-in through a third party (federation) is available in Amazon Cognito user p - * Step 3: Test your social IdP configuration @@ -30,0 +30 @@ Sign-in through a third party (federation) is available in Amazon Cognito user p +## Set up a social IdP developer account and application @@ -32,8 +32 @@ Sign-in through a third party (federation) is available in Amazon Cognito user p -## Prerequisites - -Before you begin, you need the following: - - * A user pool with an app client and a user pool domain. For more information, see [Create a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-as-user-directory.html). - - * A social IdP. - +Before you create a social IdP with Amazon Cognito, you must register your application with the social IdP to receive a client ID and client secret. @@ -40,0 +34 @@ Before you begin, you need the following: +Facebook @@ -43 +37 @@ Before you begin, you need the following: -## Step 1: Register with a social IdP +For the latest information about configuration of Meta developer accounts and authentication, see [Meta App Development](https://developers.facebook.com/docs/development). @@ -45 +39 @@ Before you begin, you need the following: -Before you create a social IdP with Amazon Cognito, you must register your application with the social IdP to receive a client ID and client secret. +###### How to register an application with Facebook/Meta @@ -89,0 +84,7 @@ Enter the path to the `/oauth2/idpresponse` endpoint for your user pool domain i +Login with Amazon + + +For the latest information about configuration of Login with Amazon developer accounts and authentication, see [Login with Amazon Documentation](https://developer.amazon.com/docs/login-with-amazon/documentation-overview.html). + +###### How to register an application with Login with Amazon + @@ -120,0 +122,3 @@ Choose **Apps and Services** from navigation bar at the top of the page and then +Google + + @@ -122,0 +127,2 @@ For more information about OAuth 2.0 in the Google Cloud platform, see [Learn ab +###### How to register an application with Google + @@ -167,0 +174,3 @@ For more information about OAuth 2.0 in the Google Cloud platform, see [Learn ab +Sign in with Apple + + @@ -169,0 +179,2 @@ For the most up-to-date information about setting up Sign in with Apple, see [Co +###### How to register an application with Sign in with Apple (SIWA) + @@ -188 +199 @@ For the most up-to-date information about setting up Sign in with Apple, see [Co - 2. Under **App ID Prefix** , enter a **Bundle ID**. Make a note of the value under **App ID Prefix**. You will use this value after you choose Apple as your identity provider in Step 2: Add a social IdP to your user pool. + 2. Under **App ID Prefix** , enter a **Bundle ID**. Make a note of the value under **App ID Prefix**. You will use this value after you choose Apple as your identity provider in Configure your user pool with a social IdP. @@ -206 +217 @@ For the most up-to-date information about setting up Sign in with Apple, see [Co - 2. Under **Identifier** , type an identifier. Make a note of this Services ID as you will need this value after you choose Apple as your identity provider in Step 2: Add a social IdP to your user pool. + 2. Under **Identifier** , type an identifier. Make a note of this Services ID as you will need this value after you choose Apple as your identity provider in Configure your user pool with a social IdP. @@ -244 +255 @@ For the most up-to-date information about setting up Sign in with Apple, see [Co - 17. On the **Download Your Key** page, choose **Download** to download the private key and note the **Key ID** shown, and then choose **Done**. You will need this private key and the **Key ID** value shown on this page after you choose Apple as your identity provider in Step 2: Add a social IdP to your user pool. + 17. On the **Download Your Key** page, choose **Download** to download the private key and note the **Key ID** shown, and then choose **Done**. You will need this private key and the **Key ID** value shown on this page after you choose Apple as your identity provider in Configure your user pool with a social IdP. @@ -249 +260 @@ For the most up-to-date information about setting up Sign in with Apple, see [Co -## Step 2: Add a social IdP to your user pool +## Configure your user pool with a social IdP @@ -303 +314 @@ With Sign in with Apple, the following are user scenarios where scopes might not -## Step 3: Test your social IdP configuration +## Test your social IdP configuration @@ -305 +316 @@ With Sign in with Apple, the following are user scenarios where scopes might not -You can create a login URL by using the elements from the previous two sections. Use it to test your social IdP configuration. +In your application, you must invoke a browser in the user's client so that they can sign in with their social provider. Test sign-in with your social provider after you have completed the setup procedures in the preceding sections. The following example URL loads the sign-in page for your user pool with a prefix domain. @@ -308 +319 @@ You can create a login URL by using the elements from the previous two sections. - https://mydomain.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=1example23456789&redirect_uri=https://www.example.com + https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?response_type=code&client_id=1example23456789&redirect_uri=https://www.example.com @@ -311 +322 @@ You can create a login URL by using the elements from the previous two sections. -You can find your domain on the user pool **Domain name** console page. The client_id is on the **App client settings** page. Use your callback URL for the **redirect_uri** parameter. This is the URL of the page where your user will be redirected after a successful authentication. +This link is the page that Amazon Cognito directs you to when you go to the **App clients** menu, select an app client, navigate to the **Login pages** tab, and select **View login page**. For more information about user pool domains, see [Configuring a user pool domain](./cognito-user-pools-assign-domain.html). For more information about app clients, including client IDs and callback URLs, see [Application-specific settings with app clients](./user-pool-settings-client-apps.html). @@ -313 +324,4 @@ You can find your domain on the user pool **Domain name** console page. The clie -###### Note +The following example link sets up silent redirect to a social provider from the [Authorize endpoint](./authorization-endpoint.html) with an `identity_provider` query parameter. This URL bypasses interactive user pool sign-in with managed login and goes directly to the IdP sign-in page. + + + https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?identity_provider=Facebook|Google|LoginWithAmazon|SignInWithApple&response_type=code&client_id=1example23456789&redirect_uri=https://www.example.com @@ -315 +328,0 @@ You can find your domain on the user pool **Domain name** console page. The clie -Amazon Cognito cancels authentication requests that do not complete within 5 minutes, and redirects the user to managed login. The page displays a `Something went wrong` error message.