
I am working on a project where we have existing Google Sign-in and we would like to convert to AWS Cognito so we can get username and password authentication as well as other social logins such as Facebook in the near future. In a feature branch of our API, we have working Cognito authentication via JWT. My current issue is exchanging the Google authentication response payload for Cognito’s JWT.

In our JavaScript, I am able to get a Google authentication response object that has the tokenId field. It is my understanding that I should be able to exchange that with Cognito for their JWT that I can use for interacting with my API. I have the Google app created and configured in the Cognito User Pool.

What has been frustrating in trying to figure this out is that all the documentation seems to focus on new apps or just on the hosted UI for Cognito. I have dug through GitHub issues and blog posts that claim this should be easy. I’m hopeful I’m missing something easy.

For reference, here is the code I have to sign in with Cognito and extract the JWT.

import { Auth } from 'aws-amplify'; // assumption: the Amplify Auth module is what signIn() below comes from
const user = await Auth.signIn(username, password); // username/password sign-in against the user pool
dispatch(addToken(user.signInUserSession.idToken.jwtToken)); // the ID token JWT our API expects

This is the library we’ve used for Google Sign-in: https://www.npmjs.com/package/react-google-login.

2 Answers


  1. Have you configured Google as a federated IdP in your Cognito user pool? https://aws.amazon.com/premiumsupport/knowledge-center/cognito-google-social-identity-provider/

  2. You cannot use third party tokens on your client side and exchange them with Cognito for Userpool tokens.

    You can exchange client side third party tokens for an Identity pool token.

    I think this page on common scenarios might help you visualise the processes: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-scenarios.html

    You probably need to do one of two things:

    • Set up an identity pool and then exchange your Google token for an identity pool token. Keep in mind an identity pool can only provide authorisation (not authentication), so if you need Userpool data out of Cognito this is not the option for you.
    • Change your approach so that Cognito does the exchange with Google. It will return you a code which you then exchange with your Userpool Token endpoint for Userpool tokens.