
How can I generate an AWS Cognito login URL w/ my OIDC integration using .NET?


My Blazor application does a great job at automatically redirecting users to the AWS Cognito login, but how does it generate the login URL? I would like to create a login button that a user can click to take them to AWS Cognito, but it is proving to be difficult because I do not know how to generate some of the other URL query parameters, such as code_challenge. Is there some sort of OIDC/Identity service I can instantiate through dependency injection to generate a sign-in URL?

TL;DR: There is a lot of magic in how .NET OIDC generates a login URL, and I would like to figure out how to reuse that magic without having to write code to generate the Cognito login URL manually. Is there not some sort of function built into .NET OIDC or the Authentication services that will redirect a user to a configured login portal?

Here is my OIDC configuration in my Program.cs:


using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

builder.Services.AddAuthentication(options =>
    {
        // The cookie holds the local session; unauthenticated requests are challenged via OIDC.
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Authorization/token endpoints and signing keys are discovered from the Cognito metadata document.
        options.ResponseType = builder.Configuration["Authentication:Cognito:ResponseType"];
        options.MetadataAddress = builder.Configuration["Authentication:Cognito:MetadataAddress"];
        options.ClientId = builder.Configuration["Authentication:Cognito:ClientId"];
    })
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = builder.Configuration["Authentication:Cognito:CognitoDomain"],
            ValidateIssuerSigningKey = true,
            ValidateIssuer = true,
            ValidateLifetime = true,
            ValidAudience = builder.Configuration["Authentication:Cognito:ClientId"],
            // ValidAudience has no effect while ValidateAudience is false: a token issued to
            // any client of this issuer is accepted. Set it to true to enforce the client ID above.
            ValidateAudience = false
        };

        options.MetadataAddress = builder.Configuration["Authentication:Cognito:MetadataAddress"];
    });

Solution

  • If you want to control which parameters are included in the login URL for the hosted web UI, construct the URL manually.

    1. In the Amazon Cognito console, choose Manage user pools, and then choose your user pool.
    2. In the left navigation pane, choose App integration.
    3. Copy the Domain URL to your clipboard, and then paste it into a text editor for reference.
    4. In the left navigation pane, under App integration, choose App client settings.
    5. Do the following:
       • Under App client [name], copy the ID to your clipboard, and then paste it into a text editor for reference.
       • Under Sign in and sign out URLs, copy the URL that you entered for Callback URL(s).
    6. Construct the URL for the hosted web UI by pasting together the information that you just copied into this format:
       domainUrl/login?response_type=code&client_id=appClientId&redirect_uri=callbackUrl
       For example:
       https://my-user-pool.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id=a1b2c3d4e5f6g7h8i9j0k1l2m3&redirect_uri=https://my-website.com

    If you enabled Authorization code grant earlier for Allowed OAuth Flows, then using this URL prompts Amazon Cognito to return an authorization code when your users sign in. If you enabled Implicit grant for Allowed OAuth Flows earlier and you want Amazon Cognito to return an access token instead when your users sign in, then replace response_type=code with response_type=token in the URL.
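Putting the answer's URL format into .NET code, as an added example that is not part of the original post or of AWS's documentation: it builds the hosted UI login URL from the domain, client ID and callback URL copied above, and also adds the code_challenge the question asks about (PKCE, RFC 7636, S256 method) plus a random state. It assumes .NET 6 or later and the Microsoft.AspNetCore.WebUtilities helpers; the `CognitoLoginUrl` class and `LoginRequest` record are names chosen here.

```csharp
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.WebUtilities;

// Added example (hypothetical helper, not from the original post): reproduces by hand the
// query parameters that the OIDC handler generates when it challenges, using the answer's
// format domainUrl/login?response_type=code&client_id=...&redirect_uri=... plus PKCE and state.
public static class CognitoLoginUrl
{
    // The caller must keep CodeVerifier and State server-side until the callback arrives.
    public sealed record LoginRequest(string Url, string CodeVerifier, string State);

    public static LoginRequest Build(string domainUrl, string clientId, string redirectUri,
                                     string scope = "openid email profile")
    {
        // code_verifier: 32 random bytes, base64url-encoded (43 chars, inside RFC 7636's 43..128 range).
        string codeVerifier = WebEncoders.Base64UrlEncode(RandomNumberGenerator.GetBytes(32));

        // code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), sent with code_challenge_method=S256.
        // Only the challenge goes in the URL; the verifier is revealed at the token endpoint later.
        string codeChallenge = WebEncoders.Base64UrlEncode(
            SHA256.HashData(Encoding.ASCII.GetBytes(codeVerifier)));

        // state: unguessable value that binds the callback to this request (CSRF protection).
        string state = WebEncoders.Base64UrlEncode(RandomNumberGenerator.GetBytes(16));

        var query = new Dictionary<string, string>
        {
            ["response_type"] = "code",            // authorization code grant, as in the answer
            ["client_id"] = clientId,
            ["redirect_uri"] = redirectUri,        // must match a configured Callback URL exactly
            ["scope"] = scope,
            ["state"] = state,
            ["code_challenge_method"] = "S256",
            ["code_challenge"] = codeChallenge,
        };

        // QueryHelpers URL-encodes each value, so redirect_uri and the base64url strings are safe.
        string url = QueryHelpers.AddQueryString(domainUrl.TrimEnd('/') + "/login", query);
        return new LoginRequest(url, codeVerifier, state);
    }
}

// Usage with placeholder values (constructed, not real):
// var login = CognitoLoginUrl.Build("https://my-user-pool.auth.us-east-1.amazoncognito.com",
//                                   "appClientId", "https://my-website.com/signin-oidc");
// Store login.CodeVerifier and login.State in the session, then redirect the browser to login.Url.
```

On the callback, reject the response unless its state equals the stored value, then send the stored code_verifier together with the returned code to the token endpoint; without that second half, the code_challenge in the URL provides no protection.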