Using External Identity Providers with Server Side Authentication

Let's take the Facebook example. When you use the Cognito UI, Facebook hands an OAuth token directly to Cognito for your user. Cognito does some stuff, like checking whether the user already exists, and creating a new one if required, then sends your application an AWS OAuth token.

Now if you want the Facebook button on your own website the authentication happens in a different way. You have to negotiate with Facebook yourself, get an OAuth token back for the user, then hand the access token to Cognito. Cognito will do its stuff and give you back an AWS OAuth token.

So, in short, you need to follow the Facebook SDK setup instructions: https://developers.facebook.com/docs/facebook-login/web

The Facebook SDK puts an access token in your session, which you send to Cognito.

Full details are here: https://docs.aws.amazon.com/cognito/latest/developerguide/facebook.html (see the JavaScript section)

EDIT: I've just come across AWS Amplify. It has a client side JS library that includes an authentication component. If you are using React, it looks like there is a really simple way to connect Federated Identities (social media logins) with Cognito https://aws-amplify.github.io/amplify-js/media/authentication_guide.html. I've not used the service so can't say too much more about it at the moment.


Your app requirements have grown past the point of using the cookie-cutter Cognito login flow.

I suggest you just handle all your authentication to Cognito yourself as seen here: https://docs.aws.amazon.com/cognito/latest/developerguide/using-amazon-cognito-user-identity-pools-javascript-examples.html

This way, you can throw a Facebook login button on your site like this: https://docs.aws.amazon.com/cognito/latest/developerguide/facebook.html

    FB.login(function (response) {

      // Check if the user logged in successfully.
      if (response.authResponse) {

        console.log('You are now logged in.');

        // Add the Facebook access token to the Cognito credentials login map.
        AWS.config.credentials = new AWS.CognitoIdentityCredentials({
          IdentityPoolId: 'IDENTITY_POOL_ID',
          Logins: {
            'graph.facebook.com': response.authResponse.accessToken
          }
        });

        // Obtain AWS credentials. The callback receives an error when Cognito
        // rejects the Facebook token, so check it before touching AWS resources.
        AWS.config.credentials.get(function (err) {
          if (err) {
            console.log('Could not obtain AWS credentials: ' + err);
            return;
          }
          // Access AWS resources here.
        });

      } else {
        console.log('There was a problem logging you in.');
      }

    });

Then get the user like this:

    var data = { UserPoolId : 'us-east-1_Iqc12345',
        ClientId : '12345du353sm7khjj1q'
    };
    var userPool = new AmazonCognitoIdentity.CognitoUserPool(data);
    var cognitoUser = userPool.getCurrentUser();

    if (cognitoUser != null) {
        cognitoUser.getSession(function(err, session) {
            if (err) {
                alert(err);
                return;
            }
            console.log('session validity: ' + session.isValid());
        });
    }

Additional Facebook SDK Info: https://developers.facebook.com/docs/facebook-login/web

Since you're going to be going through the motions of setting up the Cognito flow in your application, an additional nugget: I highly recommend you go ahead and set up custom messages with a Lambda trigger. https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-custom-message.html

Update: Coming back to this one more time.

https://docs.aws.amazon.com/sdk-for-go/api/service/cognitoidentityprovider/#CognitoIdentityProvider.AdminInitiateAuth

Here you can see a function called AdminInitiateAuth. There are also functions for attaching users to identity providers. So while using the JS SDK is probably the easiest, and in my opinion the solution for integrating a web app with Cognito, you could clearly handle all your authentication flow, token management, creating APIs to sign in, sign out, etc. server side with the Go SDK.