I am working on a project where we have existing Google Sign-in and we would like to convert to AWS Cognito so we can get username and password authentication as well as other social logins such as Facebook in the near future. In a feature branch of our API, we have working Cognito authentication via JWT. My current issue is exchanging the Google authentication response payload for Cognito’s JWT.
In our JavaScript, I am able to get a Google authentication response object that has the tokenId field. It is my understanding that I should be able to exchange that with Cognito for their JWT that I can use for interacting with my API. I have the Google app created and configured in the Cognito User Pool.
What has been frustrating in trying to figure this out is that all the documentation seems to focus on new apps or just on the hosted UI for Cognito. I have dug through GitHub issues and blog posts that claim this should be easy. I’m hopeful I’m missing something easy.
For reference, here is the code I have to sign in with Cognito and extract the JWT.
import { Auth } from 'aws-amplify'; // Auth.signIn / signInUserSession are the Amplify Auth API (import assumed)
const user = await Auth.signIn(username, password);
// The ID token is the User Pool JWT our API verifies
dispatch(addToken(user.signInUserSession.idToken.jwtToken));
This is the library we’ve used for Google Sign-in: https://www.npmjs.com/package/react-google-login.
2 Answers
Have you configured Google as a federated IdP in your Cognito user pool? https://aws.amazon.com/premiumsupport/knowledge-center/cognito-google-social-identity-provider/
You cannot use third party tokens on your client side and exchange them with Cognito for Userpool tokens.
You can exchange client side third party tokens for an Identity pool token.
I think this page on common scenarios might help you visualise the processes
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-scenarios.html
You probably need to do one of two things;
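The Identity Pool exchange this answer describes, as an added example that is not part of the question or the answers: it assumes AWS Amplify's three-argument Auth.federatedSignIn('google', { token, expires_at }, user), react-google-login's response.tokenId, a placeholder Google client ID, and a constructed unsigned sample token for the offline run.

```javascript
// Reads exp/aud from a JWT WITHOUT verifying the signature. This only gates
// what we send; Cognito Identity verifies the Google signature server-side,
// so never grant anything in the app based on this decode alone.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Builds the three arguments for Auth.federatedSignIn from a Google ID token.
// Returns null if the token is expired or was issued for another client ID,
// so a stale or mis-targeted token never reaches the Identity Pool call.
function buildGoogleFederation(idToken, expectedClientId,
                               nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(idToken);
  if (claims.aud !== expectedClientId) return null;
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return null;
  return {
    provider: 'google',
    response: { token: idToken, expires_at: claims.exp * 1000 }, // ms for Amplify
    user: { email: claims.email },
  };
}

// Exchanges the Google token for Identity Pool (AWS) credentials.
// This yields AWS credentials, not User Pool ID/access tokens.
async function signInWithGoogle(Auth, googleResponse, clientId) {
  const fed = buildGoogleFederation(googleResponse.tokenId, clientId);
  if (!fed) throw new Error('Google ID token rejected before federation');
  return Auth.federatedSignIn(fed.provider, fed.response, fed.user);
}

// Constructed, unsigned sample token so the helper can be exercised offline.
function makeSampleToken(claims) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(claims)}.placeholder-signature`;
}

const SAMPLE_CLIENT_ID = 'PLACEHOLDER.apps.googleusercontent.com';
const SAMPLE_TOKEN = makeSampleToken({
  aud: SAMPLE_CLIENT_ID, exp: 2000000000, email: 'user@example.com',
});
```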