Amazon Cognito User Pools Setup
A user pool is a secured user directory that provides
sign-up and sign-in options for your web and mobile
application users. Every user, whether they sign in
directly or through a third-party identity provider,
has a profile that can be accessed with an SDK. User
pools are a fully managed service that scales to
support hundreds of millions of users.
In this tutorial, we will do the following:
- Create and set up a user pool.
- Sign up and sign in a user using the Cognito hosted UI.
We assume that you have an AWS account. Follow the steps below to complete this tutorial:
Create a User Pool
Log in to the AWS Management Console and open the Amazon
Cognito console at
- Choose Manage User Pools.
- On the User Pools page, choose Create a user pool.
- On the Create a user pool page, enter a name for your user pool and choose Review defaults to save the user pool name.
- On the Review page, choose Create pool.
Configure App Client
An app client is the identity under which your application calls the user pool. Creating one generates an App client ID and, optionally, an App client secret. The secret is meant for confidential clients (server-side code) that can keep it private; a browser or mobile app cannot, which is why this tutorial does not generate one. To configure a user pool app client, do the following:
- On the left navigation bar, under General Settings, choose App clients.
- Enter an App client name of your choice.
- Specify the app's Refresh token expiration. The default value is 30 days. We can change it from 60 minutes to 10 years. The refresh token is the long-lived credential that obtains new access and ID tokens, so keep its lifetime as short as your application allows.
- Specify the app's Access token expiration. The default value is 60 minutes. We can change it from 5 minutes to 1 day.
- Specify the app's ID token expiration. The default value is 60 minutes. We can change it from 5 minutes to 1 day. Shorter access and ID token lifetimes limit how long a leaked token stays usable.
- Uncheck Generate client secret. A public client (browser or mobile app) cannot protect a secret, and the hosted UI flow used later in this tutorial does not need one.
- Under Auth Flows Configuration, check Enable username password auth for admin APIs for authentication (ALLOW_ADMIN_USER_PASSWORD_AUTH). This lets server-side code sign users in with a username and password through the AdminInitiateAuth API, which is called with AWS credentials. Because the user's password passes through your backend, enable it only for trusted server code, never for a browser or mobile client.
- Leave other settings as it is and choose Create app client.
- On the left navigation bar, under App integration, choose App client settings.
- Under Enabled Identity Providers, select Cognito User Pool.
- Enter a callback URL where you want your users to be redirected after a successful sign-in. Cognito redirects only to a URL that exactly matches one of the callback URLs listed here, and the URL must use HTTPS (Cognito accepts plain http only for localhost).
- Under Allowed OAuth Flows, select both Authorization code grant and Implicit grant. This tutorial uses the implicit grant, which returns tokens in the redirect URL fragment; for a production application prefer the authorization code grant (with PKCE), which keeps tokens out of the URL.
- Select the checkboxes for all Allowed OAuth Scopes, unless you explicitly want to exclude one. The openid scope is required for Cognito to return an ID token; the other scopes only add user attributes to it, so grant just the ones your application needs.
Refer to the image below for example:
- Choose Save changes.
- From the left navigation bar, go to Domain name.
- Enter a unique domain name of your choice and check for availability.
- Choose Save changes.
- From the left navigation bar, go to App integration.
- Copy Domain to your browser and append /login with the response_type, client_id and redirect_uri parameters to it. The domain has the form https://<your prefix>.auth.<region>.amazoncognito.com:
<https://your-prefix.auth.region.amazoncognito.com>/login?response_type=token&client_id=<your client id>&redirect_uri=<https://www.your.redirect.uri>
Do not forget to replace the values of client_id and redirect_uri. To get your client ID, go to App clients on the left navigation bar.
The value of redirect_uri must be exactly one of the callback URLs you saved under App client settings, and it should be URL-encoded (https://www.example.com/callback becomes https%3A%2F%2Fwww.example.com%2Fcallback). Cognito refuses to redirect anywhere else, which is what stops an attacker from pointing the login at a site they control.
- Press Enter; you should see the sign-in and sign-up page for your app, as shown in the example below:
You can customize this page as per your needs from the UI customization page.
- Choose Sign up.
- Enter your sign up details.
- Verify your sign up.
- On successful login, Cognito redirects the browser to your redirect_uri with id_token, access_token, expires_in and token_type appended in the URL fragment (after #). Anything you protect with Amazon Cognito must verify a presented token before trusting it: check the RS256 signature against the pool's JWKS, the iss claim (the pool's issuer URL), the aud claim of an ID token or the client_id claim of an access token against your app client ID, token_use, and exp.
- To see the users who have signed up, go to Users and groups on the left navigation bar.
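Building the /login URL from the steps above and reading the tokens out of the redirect, as an added example in Go; this is not code from the original tutorial or from AWS. The hosted UI domain prefix, app client ID and callback URL are placeholders, and the landing URL in main is a constructed sample (tokens truncated) of what the browser arrives at after sign-in.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Placeholders for this example, not values from a real pool: the hosted UI
// domain prefix, the app client ID and the callback URL saved in the console.
const (
	cognitoDomain = "https://your-prefix.auth.us-east-1.amazoncognito.com"
	clientID      = "1h57kf5cpq17m0eml12EXAMPLE"
	redirectURI   = "https://www.example.com/callback"
)

// HostedUILoginURL builds the /login URL for the implicit grant this tutorial uses.
// url.Values percent-encodes redirect_uri, so its scheme and slashes survive the trip;
// Cognito then compares the decoded value exactly with the configured callback URLs.
func HostedUILoginURL(domain, clientID, redirectURI string, scopes []string) string {
	q := url.Values{}
	q.Set("response_type", "token")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURI)
	q.Set("scope", strings.Join(scopes, " "))
	return strings.TrimRight(domain, "/") + "/login?" + q.Encode()
}

// ParseImplicitRedirect pulls the tokens out of the URL Cognito sends the browser to
// after sign-in. The implicit grant puts them in the fragment (after '#'), which the
// browser never transmits to the server, so only page script can read them.
func ParseImplicitRedirect(callback string) (map[string]string, error) {
	u, err := url.Parse(callback)
	if err != nil {
		return nil, err
	}
	frag, err := url.ParseQuery(u.Fragment)
	if err != nil {
		return nil, err
	}
	tokens := map[string]string{}
	for _, k := range []string{"id_token", "access_token", "expires_in", "token_type"} {
		if v := frag.Get(k); v != "" {
			tokens[k] = v
		}
	}
	if tokens["id_token"] == "" {
		return nil, fmt.Errorf("no id_token in the redirect fragment (query was %q)", u.RawQuery)
	}
	return tokens, nil
}

func main() {
	fmt.Println(HostedUILoginURL(cognitoDomain, clientID, redirectURI, []string{"openid", "email"}))
	// Constructed sample of the URL the browser lands on after login; tokens truncated.
	landing := redirectURI + "#id_token=eyJraWQiOiJ...&access_token=eyJraWQiOiJ...&expires_in=3600&token_type=Bearer"
	tokens, err := ParseImplicitRedirect(landing)
	fmt.Println(tokens, err)
}
```

Because the tokens live in the fragment, they never appear in server access logs or proxies on the way back, but they are visible to any script on the callback page and in browser history, which is the reason the authorization code grant is preferred for production.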
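Verifying the id_token received on successful login before a protected resource trusts it, as an added example in Go that is not part of the original tutorial or of any AWS SDK. It runs offline: MintDemoToken stands in for Cognito's signer with a throwaway RSA key and publishes the matching one-key JWKS, so the issuer URL, app client ID, key ID and clock are placeholders. In production you fetch and cache the JWKS from https://cognito-idp.<region>.amazonaws.com/<pool id>/.well-known/jwks.json; the checks in VerifyIDToken stay the same.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Claims is the subset of Cognito ID-token claims this example checks.
type Claims struct {
	Iss      string `json:"iss"`       // https://cognito-idp.<region>.amazonaws.com/<pool id>
	Aud      string `json:"aud"`       // app client ID (access tokens carry client_id instead)
	Exp      int64  `json:"exp"`       // expiry, seconds since the Unix epoch
	TokenUse string `json:"token_use"` // "id" or "access"
}

// jwk is one key from <issuer>/.well-known/jwks.json; JSON names match case-insensitively.
type jwk struct{ Kid, Kty, N, E string }

var b64 = base64.RawURLEncoding

// bigFromB64 decodes a base64url big-endian integer, the encoding of the JWK n and e fields.
func bigFromB64(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }

// VerifyIDToken does what a resource server must do before trusting a token taken from
// the redirect URL: verify the RS256 signature under the JWKS key the header names, then
// check issuer, audience, token_use and expiry. now is Unix seconds.
func VerifyIDToken(token string, keys []jwk, issuer, clientID string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	body, err2 := b64.DecodeString(parts[1])
	sig, err3 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("JWT segments are not base64url")
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("bad header or alg %q (RS256 is pinned; the token does not choose)", hdr.Alg)
	}
	var key *rsa.PublicKey
	for _, k := range keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" {
			key = &rsa.PublicKey{N: bigFromB64(k.N), E: int(bigFromB64(k.E).Int64())}
		}
	}
	if key == nil {
		return nil, fmt.Errorf("no RSA key with kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("wrong issuer %q", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("issued to app client %q, not ours", c.Aud)
	case c.TokenUse != "id":
		return nil, fmt.Errorf("token_use %q is not an ID token", c.TokenUse)
	case now >= c.Exp:
		return nil, errors.New("token has expired")
	}
	return &c, nil
}

// MintDemoToken stands in for Cognito's signer so the example runs offline: it generates
// a throwaway RSA key, signs c as an RS256 JWT and returns the token with the matching
// one-key JWKS. Cognito never exposes its private key; only the formats are the same.
func MintDemoToken(kid string, c Claims) (string, []jwk) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	jwks := []jwk{{Kid: kid, Kty: "RSA", N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}}
	return signingInput + "." + b64.EncodeToString(sig), jwks
}

func main() {
	issuer, clientID, now := "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE", "1h57kf5cpq17m0eml12EXAMPLE", int64(1700000000) // constructed placeholders, not a real pool
	tok, jwks := MintDemoToken("demo-key", Claims{Iss: issuer, Aud: clientID, Exp: now + 3600, TokenUse: "id"})
	_, genuine := VerifyIDToken(tok, jwks, issuer, clientID, now)
	_, otherApp := VerifyIDToken(tok, jwks, issuer, "another-client", now)
	_, expired := VerifyIDToken(tok, jwks, issuer, clientID, now+7200)
	fmt.Println(genuine, otherApp, expired) // <nil> first, then two rejections
}
```

An access token is checked the same way, except that the audience check reads the client_id claim instead of aud and token_use must be "access". Pinning alg to RS256 and selecting the key by kid from a JWKS you fetched yourself is what defeats tokens that name a different algorithm or embed their own key material.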