DEV Community

Cover image for NextAuth with AWS Cognito Email & Google Sign in

Posted on

NextAuth with AWS Cognito Email & Google Sign in

Hello, everyone πŸ‘‹

This document provide information on how to use the Next Auth library to implement email and Google sign in with AWS Cognito.

Sample code:

Understand content and code written in this document, it is helpful to be familiar with the following.

  1. AWS Cognito is Service Provider
    AWS Cognito does not offer direct support for Single Sign-On (SSO) using SAML 2.0 authentication methods. Therefore, if you intend to implement SSO with SAML 2.0, you must use a service such as Microsoft Azure or Okta (Auth0).

  2. The AWS Cognito Provider in NextAuth provide code written using the OpenID Connect authentication method.

NextAuth Cognito Provider Code

export default function Cognito<P extends CognitoProfile>(
  options: OAuthUserConfig<P>
): OAuthConfig<P> {
  return {
    id: "cognito",
    name: "Cognito",
    wellKnown: `${options.issuer}/.well-known/openid-configuration`,
    idToken: true,
Enter fullscreen mode Exit fullscreen mode

You can see that need to input the well-known (openid-configuration) URL related to OpenID Connect.

To confirm more thoroughly, shall we check the internals of the OAuthConfig?

NextAuth OAuthConfig Code

export interface OAuthConfig<P> extends CommonProviderOptions, PartialIssuer {
  wellKnown?: string
  authorization?: string | AuthorizationEndpointHandler
  token?: string | TokenEndpointHandler
  type: "oauth"
  checks?: ChecksType | ChecksType[]
  clientId?: string
  idToken?: boolean
Enter fullscreen mode Exit fullscreen mode

type is oauth and use checks type used in OAuth

If you understand OpenID Connect, you can ascertain that it supports only OAuth functionality.

If you've understood the above content, go ahead and proceed with Google Sign-In using the CognitoProvider written below.

import CognitoProvider from "next-auth/providers/cognito"

    id: 'cognito',
    name: 'Cognito',
    type: 'oauth',
    idToken: true,
    clientId: '',
    // your aws cognito client id
    clientSecret: null,
    // if your AWS Cognito secret exists, input your secret.
    // if the AWS Cognito secret is blank, input null.
    client: {
        token_endpoint_auth_method: "none"
    checks: ['state', 'nonce'],
    issuer: '',
    // your aws cognito issuer
    wellKnown: '',
    // input your aws cognito userpool id in ####
    authorization: {
        url: '####/oauth2/authorize',
        // input your aws cognito domain url in ####
        params: {
            response_type: "code",
            client_id: '',
            // your aws cognito client Id
            identity_provider: 'Google',
            scope: 'openid email profile aws.cognito.signin.user.admin',
            redirect_uri: '####/api/auth/callback/cognito'
            // your redirect url
    profile(profile, tokens) {
        return { ...profile, ...tokens }
Enter fullscreen mode Exit fullscreen mode

The redirect_uri should be set to api/auth/callback/cognito.

NextAuth handle federated token and user api for AWS Cognito OAuth 2.0.

If that's the case, how should approach email login?

To implement the SAML 2.0 authentication method, you can either access it through the IdP URL provided by another platform or handle the authentication using NextAuth credentials provider with the AWS Cognito library.

    id: 'credentials',
    name: 'credentials',
    credentials: {
        email: { label: 'email', type: 'text' },
        password: { label: 'password', type: 'password' }
    authorize(credentials) {

        const cognitoUser = new CognitoUser({
            Username: credentials?.email,
            Pool: "",
            // your aws cognito userpool

        const authenticationDetails = new AuthenticationDetails({
            Username: credentials?.email,
            Password: credentials?.password

        return new Promise((resolve, reject) => {
            cognitoUser.authenticateUser(authenticationDetails, {
                onSuccess: (session) => {
                    if (session instanceof CognitoUserSession) {
                        const userInfo = {
                            id: session.getIdToken().payload.sub,
                            email: session.getIdToken(),
                            name: session.getIdToken(),
                            idToken: session.getIdToken().getJwtToken(),
                            accessToken: session.getAccessToken().getJwtToken(),
                            refreshToken: session.getRefreshToken().getToken(),

                onFailure: (error) => {
                    if (error) {
Enter fullscreen mode Exit fullscreen mode

Thank you for reading it 😁

Sample Code:

AWS Cognito Service Provider:

Next Auth CognitoProvider Internal Library:

Top comments (0)