Integrate with AWS Cognito

Add BindID, a passwordless authentication solution, to your web or mobile serverless app built using AWS Amplify and Amazon Cognito.

Step 1: Configure BindID

To integrate BindID with your application, you'll need to configure an application in the BindID Admin Portal (see Admin Portal: Get Started). You can either create a new application or use one that you already created.

From Applications, here is the basic client setup that is required for your application:

  • Set the allowed redirect URIs—Specify the page to which users are redirected after BindID authentication. It should have the following format:

    https://YOUR_AWS_DOMAIN.auth.us-east-1.amazoncognito.com/oauth2/idpresponse

    where YOUR_AWS_DOMAIN is your AWS Domain.

  • Get your BindID credentials—Obtain the client ID and client secret used to identify your application to the BindID Service. You'll need to provide these credentials to Amazon.

Step 2: Create Cognito User Pool

From the AWS Cognito main page, navigate to User pools and then select Create user pool. Note: The example uses bindidtest as the Pool name.

Step 3: Configure Sign-In Experience

  1. Select Federate identity providers to be used by users for sign-in.
  2. Select Email as the attribute to be used by the user to sign in.
  3. Select OpenID Connect (OIDC) as the third-party identity provider to be used to sign in with Cognito.

Note: The security requirements configuration step can be skipped (password policies and MFA can be disabled).

Step 4: Configure Sign-Up Experience

  1. Keep the Enable self-registration checkbox ON to allow users to sign up on the hosted UI page.

  2. Verification can be disabled, as it is performed by BindID.

  3. Mark email as a required attribute on user sign-up.

Note 1: The example requires the user's email address to be the identifying user attribute and the only identifier. Instead of AWS Cognito performing the email validation, BindID provides the validated attributes.

Note 2: It is recommended to use the Cognito default email address configuration (at least during development).

Step 5: Connect Federated Identity Provider

In this step, you are asked to use the BindID application attributes created in step 1.

  1. For Provider name, enter a name for the IdP; in this example we use ‘bindid’ as the provider name. This name appears in the Amazon Cognito hosted web UI. Note: You can't change this field after creating the provider. If you plan to include this field in your app or use the Amazon Cognito hosted web UI, use a name that you're comfortable with your app's users seeing.
  2. For Client ID, paste the client ID that you noted from BindID in step 1.
  3. For Client secret, paste the client secret that you noted from BindID in step 1.
  4. For Attributes request method, leave the setting as GET.
  5. For Authorized scopes, enter the OIDC scope values that you want to authorize, separated by spaces. In this configuration, we use the following required scopes: openid bindid_network_info email. For more information, see Scope values in OpenID Connect Basic Client Implementer's Guide 1.0 on the OpenID website. Important: The openid scope is required for OIDC IdPs, and you can add other scopes according to your user pool configuration. For example, if you kept email as a required attribute when creating your user pool, enter email openid to include both scopes. You can map the email attribute to your user pool later in this setup.
  6. For Issuer, paste the Issuer URL https://signin.bindid-sandbox.io.
  7. Optional: consider mapping BindID email identifiers to AWS Cognito email-based identifiers.
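The same provider settings from Step 1 and Step 5, assembled and sanity-checked in code so the configuration can be reviewed and scripted rather than typed into the console. This is an added example, not code from the page or from BindID or AWS; the user pool id, client id and client secret are placeholders, and the function that performs the create call is a thin wrapper around the boto3 cognito-idp create_identity_provider API.

```python
"""Assemble and check the Cognito OIDC provider settings for BindID.

Added example; not part of the original page or of the BindID/AWS docs.
The user pool id and BindID client credentials below are placeholders.
The ProviderDetails keys are the ones Cognito accepts for an OIDC provider.
"""
import re
from urllib.parse import urlparse

BINDID_SANDBOX_ISSUER = "https://signin.bindid-sandbox.io"   # issuer from Step 5
REQUIRED_SCOPES = ("openid", "bindid_network_info", "email")  # scopes from Step 5


def bindid_redirect_uri(domain_prefix, region="us-east-1"):
    """Return the redirect URI that must be allowed in the BindID Admin Portal (Step 1).

    Cognito receives the authorization code on its own /oauth2/idpresponse
    endpoint of the user pool domain, not on the application's callback URL.
    """
    if not re.fullmatch(r"[a-z0-9-]+", domain_prefix):
        raise ValueError("Cognito domain prefix must be lowercase letters, digits or hyphens")
    return f"https://{domain_prefix}.auth.{region}.amazoncognito.com/oauth2/idpresponse"


def build_bindid_provider(user_pool_id, client_id, client_secret,
                          issuer=BINDID_SANDBOX_ISSUER, scopes=REQUIRED_SCOPES,
                          provider_name="bindid"):
    """Return the keyword arguments for cognito-idp create_identity_provider.

    Checks the things that otherwise only surface as an error at creation time
    or at the first sign-in: an https issuer with no query/fragment (Cognito
    discovers the endpoints from it), the mandatory openid scope, non-empty
    credentials, and an email mapping so Cognito never has to verify email itself.
    """
    parsed = urlparse(issuer)
    if parsed.scheme != "https" or not parsed.netloc or parsed.query or parsed.fragment:
        raise ValueError("issuer must be a plain https URL")
    if "openid" not in scopes:
        raise ValueError("the openid scope is mandatory for an OIDC identity provider")
    if not client_id or not client_secret:
        raise ValueError("BindID client id and client secret are required")
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": provider_name,        # cannot be changed after creation
        "ProviderType": "OIDC",
        "ProviderDetails": {
            "client_id": client_id,
            "client_secret": client_secret,
            "attributes_request_method": "GET",
            "oidc_issuer": issuer,
            "authorize_scopes": " ".join(scopes),   # space separated, as in the console
        },
        # map the email claim returned by BindID onto the pool's email attribute
        "AttributeMapping": {"email": "email"},
    }


def create_provider(params, region="us-east-1"):
    """Create the identity provider in the user pool (needs AWS credentials and boto3)."""
    import boto3  # imported lazily so the checks above run without the SDK installed
    return boto3.client("cognito-idp", region_name=region).create_identity_provider(**params)


if __name__ == "__main__":
    # Placeholder values: replace with your user pool id and BindID credentials.
    params = build_bindid_provider("us-east-1_EXAMPLE", "BINDID_CLIENT_ID", "BINDID_CLIENT_SECRET")
    print("allow this redirect URI in the BindID Admin Portal:", bindid_redirect_uri("bindidtest"))
    print(params)
    # create_provider(params) would perform the actual API call
```

Run it as a script to print the redirect URI to register in BindID and the exact provider parameters; call create_provider once the placeholders are replaced. Keeping the client secret out of the script (for example, reading it from an environment variable or a secrets manager) is the natural next step in a real deployment.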

Step 6: Integrate Your Application

We've chosen to use an Amazon Cognito domain for the example integration. If you have a custom domain, use that here and in the following examples. Note: The domain chosen in the earlier steps is relevant for the configuration of the redirect URI in BindID and for the testing URL.

Step 7: Test Your Integration

Once you complete your BindID integration with AWS Cognito, test your integration:

  1. Navigate to the following URL:

    https://<cognito_domain>/oauth2/authorize?response_type=code&scope=openid%20email&client_id=5fetmij87ipe5p11b20unp624r&redirect_uri=https://<cognito_domain>.auth.us-east-1.amazoncognito.com/oauth2/idpresponse
  2. Authenticate with BindID using the Amazon Cognito hosted web UI.

  3. After you log in successfully, you're redirected to your app client's callback URL.

Note: After successful authentication using BindID you should now be able to see the authenticated user in the Users and Groups section of the User Pool.
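The test in Step 7 pastes a hand-built authorize URL into the browser. Below is an added example (not code from the page or from BindID or AWS) of how an application would build that same hosted UI request and check the redirect that comes back. It assumes a placeholder Cognito domain, app client id and application callback URL, and it adds two things the page's test URL leaves out: a random state value that the callback handler checks, and a PKCE code challenge (RFC 7636, S256), both of which the Cognito authorize endpoint accepts.

```python
"""Build the Cognito hosted-UI authorization request and check the callback.

Added example; not part of the original page. The Cognito domain, client id
and callback URL used in __main__ are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def authorize_url(cognito_domain, client_id, redirect_uri, state, code_challenge,
                  scopes=("openid", "email"), identity_provider=None):
    """Return the hosted UI /oauth2/authorize URL with every parameter URL-encoded."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,   # must match an allowed callback URL of the app client
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if identity_provider:               # skip the IdP picker and go straight to this provider
        params["identity_provider"] = identity_provider
    return f"https://{cognito_domain}/oauth2/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to the application.

    A response whose state does not match the one issued for this login is
    rejected; that is how the app distinguishes its own in-flight login from a
    response it never requested.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    received = query.get("state", [""])[0]
    if not secrets.compare_digest(received, expected_state):
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


if __name__ == "__main__":
    # Placeholders: your Cognito domain, app client id and app callback URL.
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    url = authorize_url("bindidtest.auth.us-east-1.amazoncognito.com",
                        "YOUR_APP_CLIENT_ID", "https://app.example.com/callback",
                        state, challenge, identity_provider="bindid")
    print("open in a browser:", url)
    # after BindID authentication the browser lands on the callback; for example
    # (constructed): https://app.example.com/callback?code=abc123&state=<state>
    sample = f"https://app.example.com/callback?code=abc123&state={state}"
    print("authorization code:", parse_callback(sample, state))
    # the verifier is then sent with the code to /oauth2/token to obtain tokens
```

The state and code verifier must be stored server-side (or in the client session) between the two steps; the verifier is sent to the /oauth2/token endpoint together with the code, which is what prevents a stolen code from being redeemed by anyone who did not start the flow.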