AWS Cognito is the user management and authentication service of Amazon Web Services. It provides pluggable login functionality for any type of application. It also lets users sign in through external federated identity providers such as Facebook, Google, Login with Amazon, Sign in with Apple, etc.
Advantages of this service:
1. We don’t have to write code for user management functionality.
2. It is free for the first 50,000 monthly active users.
3. It provides centralized authentication.
Steps to set up this service
1. Create a User Pool in the AWS console.
2. Create an App Client.
3. Go to Domain name and enter a domain name.
4. Go to App clients under General settings and create one like this.
You will get the App client id and App client secret, which are required in the code configuration.
5. Go to App client settings and configure it for the localhost demo like this.
6. Click on Launch Hosted UI to test the configuration.
7. You will get a popup like this.
8. Now we can easily integrate this service into an ASP.NET Core MVC application or Web API like this.
First create the ASP.NET Core MVC application and install this NuGet package.
9. Go to the application Startup class and write the code like this.
```csharp
// Usings needed in Startup.cs
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    services.AddControllersWithViews();

    services.AddAuthentication(options =>
    {
        // The signed-in session is kept in a cookie; unauthenticated requests are
        // challenged by redirecting to the Cognito hosted UI via OpenID Connect.
        options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Authorization code flow
        options.ResponseType = "code";
        // Format: https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration
        options.MetadataAddress = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_MlmldxYuh/.well-known/openid-configuration";
        // App client id and secret from step 4. In a real application keep the secret
        // out of source control (user secrets or environment configuration).
        options.ClientId = "1l4gbb56bdjs4h91iejj0pcvc";
        options.ClientSecret = "18rjdld2hr59ca20115r7008iiacis9cco3fujsij50mlaln4t8";
    });
}
```
In the above configuration, the metadata URL must be in this format:
https://cognito-idp.region.amazonaws.com/userPoolId/.well-known/openid-configuration
As shown in the image below, the region and user pool id are found under General settings.
10. Now run the application and you will get a login page like this.
11. Create a profile and log in to the application; in AWS you will see the profile like this.
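As an added example, not the tutorial's own code: a complete Startup for this setup, with the client secret read from configuration instead of being hardcoded in source, the callback path that the Cognito app client must list as its callback URL, and the middleware order the sign-in redirect depends on. The "Cognito" configuration section and its key names are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        // Assumed "Cognito" configuration section (e.g. user secrets or environment)
        // with keys Region, UserPoolId, ClientId, ClientSecret; the names are assumptions.
        var cognito = _config.GetSection("Cognito");
        string region = cognito["Region"];
        string userPoolId = cognito["UserPoolId"];
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.ResponseType = "code"; // authorization code flow
            // Same metadata URL format as the tutorial, built from configuration.
            options.MetadataAddress =
                $"https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/openid-configuration";
            options.ClientId = cognito["ClientId"];
            options.ClientSecret = cognito["ClientSecret"];
            // Cognito must list <app base URL> + this path as the callback URL,
            // e.g. https://localhost:44341/signin-oidc, or it returns redirect_mismatch.
            options.CallbackPath = "/signin-oidc";
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseAuthentication(); // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```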
Hi Chandra, thanks for the tutorial, seems very useful!
I’ve followed the steps you’ve laid out, but my application is getting blocked with a Cognito “redirect_mismatch” error, when it tries to authenticate.
Do you have any ideas on what further steps are needed to resolve this?
Hi Peter, I'm having the same issue.
Have you ever solved it?
Hi Pete and Tom,
I am also getting the same issue. Any luck on this?
It looks like you have missed some steps of the configuration. To validate your configuration, there is an option to test it, which I have given in step 6 of my tutorial.
Never bothered to click on “Launch Hosted UI” Doing so quickly helped to identify a few incorrect settings. As it turned out, my AWS Console session timed out, but there was no indication that happened despite the numerous changes and SAVEs I was making to the App client settings.
I had the same issue, problem was I had not included the correct redirect:
I was using “https://localhost:44341”
When I should have been using “https://localhost:44341/signin-oidc”
Also needed to include “app.UseAuthentication();” in StartUp -> Configure() to handle that redirect.
And the UseAuthentication() needed to be before UseAuthorization() or it caused a redirect loop.
Graham, you are a life saver. I spent close to 2 days trying to figure out why the API would throw 401 even when I was passing the correct token, and it turned out to be your last line. Indeed I had UseAuthorization() before UseAuthentication().
Hi All,
I am getting the redirect_mismatch issue. Has anyone faced the same and figured out what could be the cause of this?
Thanks
See above: if you debug in the DevConsole you see it adds /signin-oidc, so change your path in Cognito itself to: smth/signin-oidc
I was using “https://localhost:44341”
When I should have been using “https://localhost:44341/signin-oidc”
How did you handle the logout? I am having issues configuring it