
Drupal OAuth & OpenID Connect Login - OAuth2 Client SSO Login

Configure AWS Cognito as OAuth / OpenID Connect provider for Drupal login

Last updated on
14 February 2024

This document will help you configure AWS Cognito as an OpenID Provider making Drupal an OAuth Client. Following these steps will allow you to configure OAuth / OpenID Single Sign-On (SSO) between AWS Cognito and your Drupal site such that your users will be able to log in to your Drupal site using their AWS Cognito credentials. 

We provide Drupal OAuth & OpenID Connect Login - OAuth2 Client SSO Login module which is compatible with Drupal 7, Drupal 8, Drupal 9, and Drupal 10.


You can check our module reviews and ratings here.

Pre-requisites:

Setup Video:

 Drupal Oauth AWS Cognito Youtube Video

Steps to configure Drupal as OAuth Client:

  • After installing the module, navigate to the Configuration tab and click on miniOrange OAuth Client Configuration.

    [Screenshot: Drupal Configuration tab, select OAuth Client Configuration]

  • Provide the following information into the Configure OAuth tab: 
    • Select AWS Cognito as the OpenID Provider from the Select Application drop-down. Also, if you don't see your Application/Provider in the Select Application drop-down, you can select Custom OAuth 2.0 Provider.

      [Screenshot: Drupal OAuth Client Configuration, select the AWS Cognito application]

    • Copy the Callback/Redirect URL and keep it handy.
    • Enter AWS as the application name in the Custom App Name text field.

      [Screenshot: Drupal OAuth Client callback URL and custom app name]

Configure OpenID SSO Application in AWS Cognito:

  • Sign in to AWS Amazon console.
  • Search for Cognito and then click on Cognito under Services.

    [Screenshot: AWS Management Console, search for Cognito]

  • Click on the Create user pool button to create a new user pool. (A user pool is a user directory; users in the pool can sign in to the app with their AWS Cognito credentials.)

    [Screenshot: AWS Cognito, manage user pools]

  • Select the Provider types (keep it default if you are not sure) and the Cognito user pool sign-in options as per requirement.

    [Screenshot: AWS Cognito user pool sign-in options]

  • Select the appropriate options based on the need from the Password policy, Multi-factor authentication, and User account recovery, and click on the Next button.

    [Screenshot: password policy, multi-factor authentication and account recovery options]

  • Select the suitable options from the Configure sign-up experience as per requirements and click on the Next button.

    [Screenshot: Configure sign-up experience]

  • Choose the message delivery option. Click on the Next button.

    [Screenshot: message delivery options]

  • Enter the User Pool name. Under the Initial app client, select the Confidential client radio button. Enter the App client name. Click on the Next button.

    [Screenshot: user pool name and app client name]

  • Verify the required information, scroll down and click on Create user pool button.
  • Now, search for the user pool you created and click on it.

  • Now, let's create a user for the app.
  • Click on Create user.

  • Enter the User Information like email and password and click on Create user button.

  • Click on App integration.

  • Under the Domain section, expand Actions and click on Create Cognito domain.
  • Enter the domain name and click on Create Cognito domain. Copy the Cognito domain; it will be needed later for the Authorize and Access Token endpoints.
  • Scroll down, find your app and click on it.

  • Scroll down to Hosted UI and click on the Edit button.

    [Screenshot: app client Hosted UI, click on Edit]

  • Under Hosted sign-up and sign-in pages, provide the following information:
    • Click the Add Callback URL button under Allowed callback URLs.

    • Paste the previously copied Callback/Redirect URL into the URL text field.

      If your provider accepts only HTTPS Callback/Redirect URLs and your site runs over HTTP, save your base site URL with the https:// scheme in the Sign In Settings tab.

      [Screenshot: Edit Hosted UI, paste the Callback/Redirect URL]

    • Choose which Identity providers will be accessible to this app client.
    • Select the Authorization code grant from the OAuth 2.0 grant types dropdown.
    • Choose the appropriate OpenID Connect scopes from the dropdown, such as OpenID, Email, or Profile.

      [Screenshot: Edit Hosted UI, choose identity providers, grant type and scopes]

  • Click on Save changes button.

Integrating Drupal with AWS Cognito:

  • Navigate to the AWS Cognito panel.
  • Copy the Client ID from the App client information section.

    [Screenshot: AWS Cognito app client, copy the Client ID]

  • Navigate to the Drupal site and paste the copied Client ID into the Client Id text field.

    [Screenshot: Drupal OAuth Client Configuration, paste the copied Client ID]

  • Again, go back to the AWS Cognito.
  • Click on the Show client secret toggle button in the App client information section.
  • Then, copy the Client secret.

    [Screenshot: AWS Cognito, copy the Client secret]

  • Navigate to the Drupal site and paste the copied Client secret into the Client Secret text field.

    [Screenshot: Drupal OAuth Client Configuration, paste the copied Client secret]

  • In the Authorize Endpoint and Access Token Endpoint text fields, replace the initial URL with your Cognito domain. Enable the Login with OAuth checkbox, then click on the Save Configuration button.
  • The Send Client ID and Secret in header or body checkbox controls whether the Client ID and Secret are sent in the header or in the body of the Token Endpoint request.

    [Screenshot: Drupal OAuth Client, endpoints replaced with the Cognito domain URL]

You can also refer to the AWS Cognito endpoints and scope listed below:

Authorize Endpoint: https://<cognito-app-domain>/oauth2/authorize
Access Token Endpoint: https://<cognito-app-domain>/oauth2/token
Scope: openid

  • The Send Client ID and Secret in Header or Body checkbox allows you to specify whether the Client ID and Secret should be included in the header or the body of the Token Endpoint Request. If you're unsure which option to select, you can stick with the default settings.

    [Screenshot: Drupal OAuth Client, select Header or Body]
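The following is an added example, not code from the miniOrange module or from AWS, showing the authorization-code exchange that the steps above configure: the browser is sent to the Cognito /oauth2/authorize endpoint with a random state value, the callback is checked against that state before the code is accepted, the code is exchanged at /oauth2/token with the client credentials either in an HTTP Basic Authorization header or in the form body (the two choices behind the Send Client ID and Secret in header or body checkbox), and the email attribute is read from the claims the provider returns. The Cognito domain, client id, client secret and redirect URI are constructed placeholders; substitute the values from your own app client.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders (hypothetical); use the values from your Cognito app client.
COGNITO_DOMAIN = "https://example-app.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "clientid"
CLIENT_SECRET = "secret"
REDIRECT_URI = "https://drupal.example/oauth-callback"  # the Callback/Redirect URL copied from the module

AUTHORIZE_ENDPOINT = f"{COGNITO_DOMAIN}/oauth2/authorize"
TOKEN_ENDPOINT = f"{COGNITO_DOMAIN}/oauth2/token"


def new_state() -> str:
    """Unguessable per-login state value; the client keeps it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state: str, scope: str = "openid email profile") -> str:
    """Step 1: the URL the browser is redirected to (the Cognito Hosted UI)."""
    params = {
        "response_type": "code",      # Authorization code grant, as chosen in the Hosted UI settings
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,  # must match an Allowed callback URL exactly
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def check_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect back from Cognito and return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: possible cross-site request forgery or stale login")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def build_token_request(code: str, send_in_header: bool = True):
    """Step 3: exchange the code for tokens. Returns (url, headers, form_body).

    send_in_header=True  -> client credentials in an HTTP Basic Authorization header.
    send_in_header=False -> client_secret sent as a form field in the body.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }
    if send_in_header:
        creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    else:
        body["client_secret"] = CLIENT_SECRET
    return TOKEN_ENDPOINT, headers, body


def extract_email(claims: dict, email_attribute: str = "email") -> str:
    """Step 4: the mandatory Email Attribute mapping; refuse the login if it is absent."""
    value = claims.get(email_attribute)
    if not value:
        raise ValueError(f"attribute '{email_attribute}' missing from provider response")
    return value


if __name__ == "__main__":
    state = new_state()
    print("Redirect the browser to:", build_authorize_url(state))
    # Constructed callback, shaped as Cognito would issue it after sign-in.
    code = check_callback(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    url, headers, body = build_token_request(code, send_in_header=True)
    print("POST", url, headers, body)
```

The claims passed to extract_email should come only from an ID token whose signature and audience have been verified against the user pool's published signing keys, or from the provider's userinfo endpoint; the example deliberately stops short of trusting token contents it has not validated.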

Test Configuration of Drupal with AWS Cognito:

  • After successfully saving the configurations, now click on the Test Configuration option to check the Single Sign-On (SSO) connection between Drupal and AWS Cognito.

    [Screenshot: Drupal OAuth Client Configuration, click on Test Configuration]

  • In the Test Configuration popup, if you don't have an active AWS Cognito session in the same browser, you will be asked to sign in to your AWS Cognito account. After signing in, you will be shown the list of attributes received from AWS Cognito.
  • Scroll to bottom and click on Configure Attribute / Role Mapping button.

    [Screenshot: attributes received from AWS Cognito]

  • Once you have clicked on the Configure Attribute / Role Mapping button, you will be redirected automatically to the Attribute & Role Mapping tab. Copy the name of the attribute that contains the email address, paste it into the Email Attribute text field, and click the Save Configuration button.

    [Screenshot: Attribute & Role Mapping, select the email attribute]

Mapping the Email Attribute is mandatory for your login to work. 

Congratulations! You have successfully configured AWS Cognito as OpenID Provider and Drupal as OAuth Client.

How to perform the SSO login?

  • Now, open a new browser/private window and go to your Drupal site login page.
  • Click on the Login using AWS link to initiate the SSO from Drupal.
  • If you want to add the SSO link to other pages as well, please follow the steps given in the image below:

    [Screenshot: Configure OAuth tab, scroll down and select the page URL for the SSO link]

Contact our 24*7 support team

Feel free to reach out to our Drupal experts if you need any sort of assistance in setting up OAuth2 Client SSO Login on your Drupal site.

