Cognito Setting

Amazon Cognito User Pools allows you to declare multiple client applications that can interact with your pool.

  • This includes both applications you own and apps by third party developers.
  • Each application is identified by an application id and client secret.

    Cognito User Pools also offers a hosted login UI that supports the most common user operations such as registration, login, reset passwords, and MFA. You can also customize the look and feel of the hosted UI.

Step-by-steps directions

» Add new Client application

Step 1: Go to AWS Cognito console

Step 2: Choose Manage your User Pools, click on WildRydes pool

Step 3: Open the App clients from the General settings menu on the left

Step 4: Click Add another app client

Step 5: Enter UnicornManager as the App client name and uncheck the Generate client secret checkbox


Step 6: Click Create app client

Step 7: Open the Domain name configuration page.

Step 8: Specify a unique custom domain name, for example wildrydes-sapessi

Step 9: Make sure that the domain name is available and then click Save changes

» Create new Scope in the Cognito User Pool

Amazon Cognito User Pools lets you declare custom resource servers. Custom resource servers have a unique identifier - normally the server uri - and can declare custom scopes.

You can allow custom applications to request scopes in your user pools. When users authenticate with these applications, the Cognito hosted UI takes care of authenticating the user and authorizing the action. Custom claims are automatically added to the JWT access token.

Step 1: Go to AWS Cognito console

Step 2: Choose Manage your User Pools

Step 3: Open the WildRydes pool and select Resource Servers under App integration security

Step 4: In the resource servers screen, click Add a resource server

Step 5: Specify UnicornServer as the Name

Step 6: Use UnicornManager as the Identifier for the custom resource server.

Step 7: In the Scopes section, declare a new scope called unicorn. Using “Allow listing of rides for unicorns” as the description security

Step 8: Click Save changes to create your new custom resource server

» Configure the new app client for OAuth

Amazon Cognito User Pools supports the authorization code grant, implicit, and client credentials grants.


  • Third party developers can load the Cognito hosted UI with their application ID and request any of the enabled flows.
  • As a result of a successful authentication Cognito produces and OpenID Connect-compatible identity token and a JWT access token => The access token includes the custom scopes you declared for the application.

In our example, we will use the implicit flow for the sake of simplicity. Implicit grant flows are mostly used by mobile applications. For web applications, you would normally require third party developers to host their own backend service and use the authorization code grant flow.

Step 1: Open the App clients settings from the App integration menu on the left.

This page lists both the app clients declared for your user pool. Make sure you make the following changes only to the UnicornManager client app.

Step 2: Select Cognito User Pool as an identity provider for the app client

Step 3: Enable the Implicit grant OAuth flow and allow the UnicornManager/unicorn custom scope

Step 4: In the Callback and Signout URLs, specify the HTTPS CloudFront distribution endpoint adding https:// at the beginning and / at the end

Step 5: You can find the distribution endpoint in the AWS CloudFront console

Step 6: Select the distribution we created in step #5

Step 7: In the General tab, copy the value for Domain name security

Step 8: Click Save changes