How to integrate AWS Cognito with Facebook Social login?

karthik
Oct 26, 2023

Introduction

AWS Cognito is one of the most widely used identity providers. There are scenarios where a customer who uses AWS Cognito wants to support social login with Google, Facebook, Twitter or other identity providers, so that a user doesn’t have to create a new profile to access that particular service or app. For example, as an organization, I can build a product that is integrated with AWS Cognito using OIDC. If I want my users to access my app easily with their Facebook credentials, I can set up a federation between Cognito and Facebook using OIDC.

In this blog, we are going to see how to set up the federation between AWS Cognito and Facebook login using the OIDC protocol. The steps for configuring this integration are posted in a YouTube video. The login flow works as follows:

  1. The user opens a browser and types the client app URL.
  2. The client app redirects to AWS Cognito using the OIDC authorization code grant. Depending on how the Cognito user pool is configured, Cognito shows a login page with username and password fields as well as a “Continue with Facebook” button.
  3. When the user clicks the “Continue with Facebook” button, AWS Cognito redirects to the Facebook login page using the OIDC authorization code grant.
  4. Facebook displays its login page to the user.
  5. The user enters their Facebook credentials.
  6. Facebook validates the credentials and proceeds to the next step if they are valid.
  7. Facebook returns an authorization code to AWS Cognito.
  8. AWS Cognito makes a backend API call to the Facebook token endpoint to obtain an access token.
  9. Facebook returns an access token.
  10. Cognito makes a backend API call to Facebook’s /me endpoint to get the user details.
  11. Facebook returns the user info details such as given name, last name, name and email.
  12. Cognito creates a user profile in the local user pool for this Facebook user if it doesn’t exist yet.
  13. Cognito redirects back to the client app with an authorization code.
  14. The client app makes a backend API call to Cognito’s token endpoint to get the ID and access tokens.
  15. AWS Cognito returns the ID and access tokens.
  16. The client app validates the ID token, checks that it belongs to a valid user and returns the web page to the browser.
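
The validation in step 16 is where most integration mistakes happen, so here is an added example (not code from the original post) of the claim checks a client app should apply to a Cognito ID token after its RS256 signature has been verified against the user pool's JWKS at `https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json`. The region, pool id, app client id and the sample claims are constructed placeholders; the `identities` claim is the one Cognito adds for federated users such as Facebook logins.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Constructed placeholders for the client app's own configuration.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLEPOOL"
APP_CLIENT_ID = "example-app-client-id"
# Cognito sets 'iss' to this value for every token it mints for the pool.
EXPECTED_ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"


@dataclass
class VerifiedUser:
    sub: str
    email: str
    provider: str  # "Facebook" for a federated user, "Cognito" for a native pool user


def validate_id_token_claims(claims: dict, now: Optional[float] = None, skew: int = 60) -> VerifiedUser:
    """Check the claims of a Cognito ID token whose signature has ALREADY been
    verified against the pool's JWKS. Raises ValueError on any mismatch."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("issuer does not match the expected user pool")
    # An access token from the same pool is also RS256-signed by the same keys;
    # token_use is what distinguishes it from an ID token.
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token (access tokens carry token_use=access)")
    # Cognito puts the app client id in 'aud' as a plain string.
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("audience is not this app client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + skew < now:
        raise ValueError("token expired")
    if claims.get("iat", 0) - skew > now:
        raise ValueError("token issued in the future")
    # Federated users carry an 'identities' array naming the upstream IdP;
    # native pool users do not have this claim.
    identities = claims.get("identities") or []
    provider = identities[0].get("providerName", "") if identities else "Cognito"
    email = claims.get("email") or ""
    if provider == "Facebook" and not email:
        raise ValueError("Facebook user has no email; check the 'email' scope and attribute mapping")
    return VerifiedUser(sub=claims["sub"], email=email, provider=provider)


# Constructed sample payload modelled on a Cognito ID token for a Facebook login.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER, "aud": APP_CLIENT_ID, "token_use": "id",
    "sub": "11111111-2222-3333-4444-555555555555", "email": "alice@example.com",
    "iat": 1700000000, "exp": 1700003600,
    "identities": [{"providerName": "Facebook", "providerType": "Facebook", "userId": "1234567890"}],
}
```

Calling `validate_id_token_claims(SAMPLE_CLAIMS, now=1700000100)` returns the Facebook-backed user, while the same claims with `token_use` set to `access` or a foreign `aud` are rejected.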

How to configure AWS Cognito with Facebook Social login?

Please follow this video for the step-by-step instructions

Key points to note

  • When a user logs in for the first time using Facebook credentials, AWS Cognito creates a profile for that user in the local user pool. The tokens that Cognito generates are based on the attribute values of that Cognito user profile, not on Facebook's response directly.
  • Make sure you have a Facebook developer account. Navigate to https://developers.facebook.com/ and log in using your Facebook credentials to activate the developer account.
  • When you configure the Facebook IdP in the Cognito user pool, make sure both scopes are added: public_profile and email.
  • When you log in for the first time to an app using Facebook login credentials, Facebook asks for consent.
  • You can check the list of apps that you have accessed using your Facebook credentials by logging into facebook.com > clicking your profile in the top-right corner > Settings & privacy > Settings > Apps and websites. You can also revoke access to an app from this settings screen.

Thanks for reading this article. Please subscribe to the YouTube channel below and follow me on Medium to learn about security and IAM.
