Amazon Cognito is a backend-as-a-service that lets you focus on developing the user experience for your application. To learn more and sign up for services, read Amazon Cognito and the process for creating an OpenID Connect (OIDC) provider via AWS CLI.

Configure Amazon Web Services

Get Auth0 application details

First, you’ll need to get some information about your application in Auth0:
  1. Go to Auth0 Dashboard > Applications > Applications.
  2. Select your application, and then switch to the Settings view.
  3. Record the Domain and the Client ID.

Create new OpenID Connect (OIDC) provider

In AWS, create a new (IdP):
  1. Open the IAM Console, select Identity Providers in the left sidebar, and then select Add Provider.
  2. Select OpenID Connect as the Provider Type.
  3. For the Provider URL:
    1. Enter your Domain into the Provider URL field.
    2. Enter your Client ID into the Audience field.
  4. Select Add Provider.
  5. Navigate to your newly created provider and record the Provider ARN.
It’s not necessary to set up an IAM role after creating the IdP. If you don’t have one already, Cognito will create a default IAM role when you create an Identity Pool.

Create Identity Pool

Create an Identity Pool in AWS to allow Cognito to use the Auth0 OIDC identity provider for authentication:
  1. Sign in to the Cognito Console.
  2. Select Federated Identities.
  3. For Identity Pool Name, specify a name for the pool (for example, Auth0).
  4. Under Authentication Providers, select the OpenID tab, then select the name of the provider you created in the previously.
  5. Select Create Pool, and then select Allow to finish creating the new identity pool.
  6. Under Dashboard, select Edit Identity Pool to view the Identity Pool ID.
  7. Record the ARN of the IAM role that was automatically created. This value will be used when sending credentials to Cognito.

Configure Auth0

Cognito uses the public signing key from the OpenID Provider Metadata to validate the signature of the (JWT). Confirm that your Auth0 application is configured to use the RS256 signature algorithm:
  1. Go to Auth0 Dashboard > Applications > Applications, select your application, and then switch to the Settings view.
  2. Expand the Advanced Settings section, and then switch to the OAuth view.
  3. Locate the JSON Web Token (JWT) Signature Algorithm field, and select RS256 from the dropdown menu.
  4. Select Save Changes.

Implementation

You can use the Auth0 Lock SDK to integrate Auth0 within your application. Once the user logs in with Auth0, the next step is to send their credentials to Cognito. To learn more, read Open ID Connect providers (identity pools) on AWS Docs. Cognito takes the a user receives from Auth0, and uses it to generate unique Cognito IDs. When the user logs in to Cognito through Auth0, you can store information in Cognito that only they can access.

Troubleshooting

”Invalid login token” error

If you receive a “Invalid login token” error, confirm that the Auth0 application is configured to use the RS256 signature algorithm:
  1. Go to Auth0 Dashboard > Applications > Applications, select your application, and then switch to the Settings view.
  2. Expand the Advanced Settings section, and then switch to the OAuth view.
  3. Locate the JSON Web Token (JWT) Signature Algorithm field, and select RS256 from the dropdown menu.