How do I set up LinkedIn as a social identity provider in an Amazon Cognito user pool?

6 minute read
1

I want to configure LinkedIn as a social identity provider (IdP) in an Amazon Cognito user pool so that users can log in through LinkedIn.

Resolution

LinkedIn lets you authenticate your users through openID connect. Add LinkedIn as the OIDC provider in the Amazon Cognito user pool.

Create an Amazon Cognito user pool with an app client and domain name

For more information on how to create these prerequisites, see the following resources:

Create a LinkedIn app

  1. Open the developer suite on LinkedIn, and then choose Create app.
  2. On the Create an app page, complete all required and preferred fields to customize your LinkedIn app. Then, choose Create app.
  3. Choose the Auth tab. Confirm that the list includes openid, profile and email scope. These permissions allows you access the required LinkedIn user info.
    Note: If you don't see openid, profile and email scope listed, then add the product Sign In with LinkedIn using OpenID Connect to your application. This is on the Products tab of your LinkedIn Dev page.
  4. Under Application credentials in Auth tab, find the Client ID and Client Secret, and then copy them. You need both of these values when you add LinkedIn as identity provider in the user pool.
  5. Under OAuth 2.0 settings, next to Redirect URLs:, choose the pencil icon. Then, choose + Add redirect URL.
  6. Under Redirect URLs:, enter https://YourDomainPrefix.auth.region.amazoncognito.com/oauth2/idpresponse.
    Note: Replace YourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the App integration tab of your user pool.

Add an OIDC provider to your user pool

  1. Open the Amazon Cognito console.
  2. Choose your user pool. Under the Sign-in experience tab, choose Add Identity Providers.
  3. Choose OpenID Connect.
  4. Enter the details of your LinkedIn app for the OIDC provider details:
    For Provider name, enter a name (for example, LinkedIn). This name appears in the Amazon Cognito hosted web UI.
    Note: You can't change this field after you create the provider.
    For Client ID, enter the Client ID that you copied earlier from your LinkedIn application.
    For Client secret, enter the Client Secret that you copied earlier from your LinkedIn application.
    For Attributes request method, leave the setting as GET.
    For Authorize scope, enter openid profile email.
    For Issuer, enter https://www.linkedin.com.
    If you need to enter the endpoint information manually, then see the LinkedIn discovery on the LinkedIn website.
  5. Choose Create provider.

For more information, see Add an OIDC IdP to your user pool.

Map the attributes from OIDC provider to your user pool

  1. Open the Amazon Cognito console.
  2. Choose your user pool.
  3. In the Sign-in experience tab, select the LinkedIn OIDC provider that you created.
  4. Under Attribute mapping, map the userpool email attribute with the OpenID Connect attribute email.
  5. Confirm that the OIDC attribute sub maps to the user pool attribute Username.
  6. (Optional) Add any OIDC attributes that you want to pass along from LinkedIn. For example, you might map given_name and family_name to the corresponding Amazon Cognito user pool attributes.

For more information, see Specifying identity provider attribute mappings for your user pool.

Change app client settings for your user pool

  1. Open the Amazon Cognito console.
  2. Choose your user pool.
  3. Under App integration, choose App client.
  4. On the App client page, complete the following fields:
    For Callback URL(s), enter a URL where you want to redirect your users after they log in. For testing, you can enter any valid URL, such as https://example.com/.
    For Sign out URL(s), enter a URL where you want to redirect your users after they log out. For testing, you can enter any valid URL, such as https://example.com/.
    Edit the Hosted UI section, and add the OIDC provider that you created (for example, LinkedIn) as your identity provider.
    Under OAuth 2.0 grant types, select either the Authorization code grant or Implicit grant check box, or both.
    Note: The OAuth 2.0 grant types determine which values (code or token) that you can use for the response_type parameter in your endpoint URL.
    Under OpenID Connect scopes, select the email, profile, and openid check boxes.
  5. Choose Save changes.

For more information, see App client settings terminology.

Construct the endpoint URL

Use the values from your own setup to construct this endpoint URL:

https://YourDomainPrefix.auth.region.amazoncognito.com/oauth2/authorize?response_type=code&client_id=YourClientId&redirect_uri=redirectUrl

Customize the URL for your setup:

  • Replace YourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the App integration tab of your user pool.
  • If you previously selected only the Implicit grant flow for Allowed OAuth Flows, then change response_type=code to response_type=token.
  • Replace YourClientId with your app client's ID, and replace redirectUrl with your app client's callback URL. Find them in the Amazon Cognito console on the App integration tab of your user pool.

For more information, see How do I configure the hosted web UI for Amazon Cognito? and Authorize endpoint.

Test the endpoint URL

  1. Enter the constructed endpoint URL in your web browser.
  2. Choose the name of your OIDC provider (for example, LinkedIn).
  3. Choose Log in with LinkedIn. This redirects you to the LinkedIn sign-in page.

Note: If the URL redirects you to your Amazon Cognito app client's callback URL, then you're already signed in to LinkedIn.

  1. On the LinkedIn sign-in page, enter the email address (or phone number) and password for your LinkedIn account.
  2. Choose Sign in.

After you log in successfully, you're redirected to your app client's callback URL. The authorization code or user pool tokens appear in the URL in your web browser's address bar.

(Optional) Skip the Amazon Cognito hosted UI

If you want users to skip the Amazon Cognito web UI when they sign in to your app, then use this as the endpoint URL:

https://YourDomainPrefix.auth.region.amazoncognito.com/oauth2/authorize?response_type=code&identity_provider=oidcProviderName&client_id=yourClientId&redirect_uri=redirectUrl&scope=allowedOauthScopes

To customize the URL for your setup, follows these steps:

  • Replace YourDomainPrefix and region with the values for your user pool. Find them in the Amazon Cognito console on the App integration tab of your user pool.
  • If you previously selected only the Implicit grant flow for Allowed OAuth Flows, then change response_type=code to response_type=token.
  • Replace oidcProviderName with the name of the OIDC provider in your user pool (for example, LinkedIn).
  • (Optional) If you added an identifier for your OIDC provider in the Identifiers field, then replace identity_provider=oidcProviderName with **idp_identifier=**idpIdentifier. Replace idpIdentifier with your custom identifier string.
  • Replace yourClientId with your app client's ID, and replace redirectUrl with your app client's callback URL. Find them in the Amazon Cognito console on the App integration tab of your user pool.
  • Replace allowedOauthScopes with the specific scopes that you want your Amazon Cognito app client to request.
AWS OFFICIAL
AWS OFFICIALUpdated 6 months ago