Amazon Cognito

This section contains instructions to configure Amazon Cognito to work with The Things Stack.

Configuring OpenID Connect with Amazon Cognito will allow single sign-on from any account within a Cognito user pool.

Create a User Pool

From the Amazon Cognito Management Page, choose Manage User Pools.

Click Create a user pool in the top right.

Give the user pool a name of your choosing. You will not need this name later, so you may pick any name.

Click Review defaults.

Leave all default settings, but click Add app client.

Click Add an app client.

Give the App Client a name and leave all settings default. Click Create app client.

You will be taken back to the App Clients screen, where you should see the App Client you just added. Click Return to pool details.

Verify that the App Client you added is listed in the pool. Click Create pool.

In the left hand menu, choose App client settings.

Ensure that Cognito User Pool is checked for Enabled Identity Providers.

For the Callback URL, enter the OAuth Callback URL of your The Things Stack deployment. This is the Server Address followed by the OAuth endpoint, which includes an Authentication Provider ID of your choosing:

/oauth/login/<authentication-provider-id>/callback

You will actually create the Authentication Provider in The Things Stack using this Authentication Provider ID, so remember it.

For example, with a tenant tenant1 in the eu1 cluster and an Authentication Provider ID of aws-cog, the OAuth Callback URL is:

https://tenant1.eu1.cloud.thethings.industries/oauth/login/aws-cog/callback

Additionally, ensure the following Allowed OAuth Scopes are checked:

  • email
  • openid
  • profile

Finally, click Save changes.

Choose Domain name from the left hand menu.

Choose a domain name. You will not need to remember it, but login will fail if no domain is configured.

Warning:
Failing to configure a domain name will cause login to fail.

Click Save changes.

Finally, go to App clients and choose your App Client to view your Client ID and Client Secret.

Proceed to Configure The Things Stack for SSO using the following information:

  • Client ID: Provided by Cognito
  • Client Secret: Provided by Cognito
  • Authentication Provider ID: Of your choosing (see above)
  • OpenID Discovery Address: https://cognito-idp.{REGION_ID}.amazonaws.com/{POOL_ID}, for example https://cognito-idp.eu-west-2.amazonaws.com/eu-west-2_KcLwCelr7. Your Pool ID is visible in General settings.

Troubleshooting Amazon Cognito

If you receive an error when logging in with Cognito, check the following:

  • Did you configure a Domain Name in Cognito?
  • Did you enable email, profile, and openid scopes?
  • Did you ensure Cognito User Pool is checked for Enabled Identity Providers?
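
A pre-flight check for the values collected above, as an added example that is not part of The Things Stack or its documentation. The function names `callback_url` and `preflight` are hypothetical, the sample values are constructed from the examples on this page, and the rule that the Pool ID starts with the region is an assumption inferred from the example Pool ID.

```python
import re

# Scopes this page says must be checked under Allowed OAuth Scopes.
REQUIRED_SCOPES = {"email", "openid", "profile"}

# https://cognito-idp.{REGION_ID}.amazonaws.com/{POOL_ID}
# Assumption: POOL_ID looks like "<region>_<alphanumerics>", as in the page's example.
DISCOVERY_RE = re.compile(
    r"^https://cognito-idp\.([a-z0-9-]+)\.amazonaws\.com/([a-z0-9-]+)_([A-Za-z0-9]+)$"
)


def callback_url(server_address, provider_id):
    """Server Address followed by /oauth/login/<authentication-provider-id>/callback."""
    return f"{server_address.rstrip('/')}/oauth/login/{provider_id}/callback"


def preflight(server_address, provider_id, discovery_address,
              registered_callbacks, enabled_scopes):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    match = DISCOVERY_RE.match(discovery_address)
    if not match:
        problems.append("discovery address is not in the "
                        "https://cognito-idp.{REGION_ID}.amazonaws.com/{POOL_ID} form")
    elif match.group(1) != match.group(2):
        problems.append("Pool ID region prefix differs from the endpoint region")
    # The callback registered in the app client must equal the computed URL exactly,
    # including the Authentication Provider ID.
    expected = callback_url(server_address, provider_id)
    if expected not in registered_callbacks:
        problems.append(f"callback URL {expected} is not registered in the app client")
    missing = REQUIRED_SCOPES - set(enabled_scopes)
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample values, taken from the examples on this page.
SERVER = "https://tenant1.eu1.cloud.thethings.industries"
DISCOVERY = "https://cognito-idp.eu-west-2.amazonaws.com/eu-west-2_KcLwCelr7"

if __name__ == "__main__":
    for problem in preflight(SERVER, "aws-cog", DISCOVERY,
                             [callback_url(SERVER, "aws-cog")],
                             ["email", "openid", "profile"]) or ["no problems found"]:
        print(problem)
```
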