---
title: Amazon Cognito
description: Amazon Cognito in Zero Trust integrations.
image: https://developers.cloudflare.com/zt-preview.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/cloudflare-one/llms.txt  
> Use this file to discover all available pages before exploring further.

[Skip to content](#%5Ftop) 

### Tags

[ AWS ](https://developers.cloudflare.com/search/?tags=AWS) 

# Amazon Cognito

Amazon Cognito provides SSO identity management for end users of web and mobile apps. You can integrate Amazon Cognito as an OIDC identity provider for Cloudflare One.

## Prerequisites

* An Amazon Cognito [user pool ↗](https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-create-user-pool.html)

## Set up Amazon Cognito (OIDC)

### 1\. Obtain Amazon Cognito settings

The following Amazon Cognito values are required to set up the integration:

* App (client) ID
* Client secret
* Auth URL
* Token URL
* Certificate (key) URL

To retrieve those values:

1. Log in to your Amazon Cognito admin portal.
2. Go to **User pools** and select your user pool.
3. Select the **App integration** tab.
4. Under **Domain**, copy your user pool domain or [configure a new domain ↗](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html).
5. Make note of the following [Amazon Cognito OIDC endpoints ↗](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints.html):  
   * **Auth URL**: `https://<your user pool domain>/oauth2/authorize`  
   * **Token URL**: `https://<your user pool domain>/oauth2/token`  
   * **Certificate (key) URL**: `https://cognito-idp.<region>.amazonaws.com/<your user pool ID>/.well-known/jwks.json` (This is the **Token signing key URL** shown in **User pool overview**.)
6. Under **App client list**, select **Create app client**.
7. For **App type**, select **Confidential client**.
8. Enter an **App client name** for your application.
9. Ensure that **Generate a client secret** is selected.
10. Configure the following **Hosted UI settings**:  
   1. In **Allowed callback URLs**, add the following URL:  
   ```  
   https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/callback  
   ```  
   You can find your team name in the [Cloudflare dashboard ↗](https://dash.cloudflare.com) under **Settings** \> **Team name and domain** \> **Team name**.  
   2. Select **Identity providers** to use with this app client. At minimum, enable **Cognito user pool** as a provider.  
   3. For **OAuth 2.0 grant types**, select **Authorization code grant**.  
   4. For **OpenID Connect scopes**, select **OpenID**, **Email**, and **Profile**.
11. Select **Create app client**.
12. Next, select the app client you just created.
13. Copy its **Client ID** and **Client secret**.

### 2\. Add Amazon Cognito as an identity provider

1. In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Integrations** \> **Identity providers**.
2. Under **Your identity providers**, select **Add new identity provider**.
3. Select **OpenID Connect**.
4. Name your identity provider and fill in the required fields with the information obtained from Amazon Cognito.
5. (Optional) Enable [Proof of Key Exchange (PKCE) ↗](https://www.oauth.com/oauth2-servers/pkce/) if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
6. (Optional) Under **Optional configurations**, enter [custom OIDC claims](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/generic-oidc/#custom-oidc-claims) that you wish to add to users' identity.
7. Select **Save**.

To [test](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/#test-idps-in-cloudflare-one) that your connection is working, select **Test**.

## Example API Configuration

```

{

  "config": {

    "client_id": "<your client id>",

    "client_secret": "<your client secret>",

    "auth_url": "https://<your user pool domain>/oauth2/authorize",

    "token_url": "https://<your user pool domain>/oauth2/token",

    "certs_url": "https://cognito-idp.<region>.amazonaws.com/<your user pool ID>/.well-known/jwks.json",

    "scopes": ["openid", "email", "profile"],

    "claims": ["sub", "cognito:username", "name", "cognito:groups"]

  },

  "type": "oidc",

  "name": "Amazon Cognito example"

}


```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/cloudflare-one/","name":"Cloudflare One"}},{"@type":"ListItem","position":3,"item":{"@id":"/cloudflare-one/integrations/","name":"Integrations"}},{"@type":"ListItem","position":4,"item":{"@id":"/cloudflare-one/integrations/identity-providers/","name":"Identity providers"}},{"@type":"ListItem","position":5,"item":{"@id":"/cloudflare-one/integrations/identity-providers/awscognito-oidc/","name":"Amazon Cognito"}}]}
```