Cognito Hosted UI — Notes

Set up user auth quickly with the built-in Hosted UI. Use OAuth 2.0 code flow with PKCE for web apps.

Key endpoints

https://<your_domain>.auth.<region>.amazoncognito.com/login
https://<your_domain>.auth.<region>.amazoncognito.com/oauth2/authorize
https://<your_domain>.auth.<region>.amazoncognito.com/oauth2/token
https://<your_domain>.auth.<region>.amazoncognito.com/logout

Redirect URLs must be whitelisted in the App client settings.

Amplify config (Web)

import { Amplify } from 'aws-amplify';

Amplify.configure({
  Auth: {
    region: 'us-east-1',
    userPoolId: 'us-east-1_xxxxx',
    userPoolWebClientId: 'xxxxxxxxxxxxxxxxxxxx',
    oauth: {
      domain: 'your-domain.auth.us-east-1.amazoncognito.com',
      scope: ['email','openid','profile'],
      redirectSignIn: 'https://petedorc.com/callback/',
      redirectSignOut: 'https://petedorc.com/',
      responseType: 'code'
    }
  }
});

Use the code flow with PKCE in browsers. For API calls, exchange the code for tokens at the /oauth2/token endpoint.

Lock down the Hosted UI