> How to integrate Auth0 with Amazon Cognito using an OpenID Connect (OIDC) Provider.

# Integrate with Amazon Cognito

Amazon Cognito is a backend-as-a-service that lets you focus on developing the user experience for your application. To learn more and sign up for services, read [Amazon Cognito](http://aws.amazon.com/cognito/) and the process for creating an [OpenID Connect (OIDC) provider via AWS CLI](https://docs.aws.amazon.com/cli/latest/reference/iam/create-open-id-connect-provider.html).

## Configure Amazon Web Services

### Get Auth0 application details

First, you'll need to get some information about your application in Auth0:

1. Go to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/#/applications).
2. Select your application, and then switch to the **Settings** view.
3. Record the **Domain** and the **Client ID**.

### Create new OpenID Connect (OIDC) provider

In AWS, create a new <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=identity+provider">identity provider</Tooltip> (IdP):

1. Open the [IAM Console](https://console.aws.amazon.com), select **Identity Providers** in the left sidebar, and then select **Add Provider**.
2. Select **OpenID Connect** as the **Provider Type**.
3. For the **Provider URL**:

   1. Enter your **Domain** into the **Provider URL** field.
   2. Enter your **Client ID** into the **Audience** field.
4. Select **Add Provider**.
5. Navigate to your newly created provider and record the **Provider ARN**.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
  It's not necessary to set up an IAM role after creating the IdP. If you don't have one already, Cognito will create a default IAM role when you create an Identity Pool.
</Callout>

### Create Identity Pool

Create an Identity Pool in AWS to allow Cognito to use the Auth0 OIDC identity provider for authentication:

1. Sign in to the [Cognito Console](https://console.aws.amazon.com/cognito/home).
2. Select **Federated Identities**.
3. For **Identity Pool Name**, specify a name for the pool (for example, `Auth0`).
4. Under **Authentication Providers**, select the **OpenID** tab, then select the name of the provider you created previously.
5. Select **Create Pool**, and then select **Allow** to finish creating the new identity pool.
6. Under Dashboard, select **Edit Identity Pool** to view the **Identity Pool ID**.
7. Record the **ARN** of the IAM role that was automatically created. This value will be used when sending credentials to Cognito.

## Configure Auth0

Cognito uses the public signing key from the [OpenID Provider Metadata](https://subscription.auth0.com/.well-known/jwks.json) to validate the signature of the <Tooltip tip="JSON Web Token (JWT): Standard ID Token format (and often Access Token format) used to represent claims securely between two parties." cta="View Glossary" href="/docs/glossary?term=JSON+Web+Token">JSON Web Token</Tooltip> (JWT).

Confirm that your Auth0 application is configured to use the RS256 signature algorithm:

1. Go to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/#/applications), select your application, and then switch to the **Settings** view.
2. Expand the **Advanced Settings** section, and then switch to the **OAuth** view.
3. Locate the **JSON Web Token (JWT) Signature Algorithm** field, and select **RS256** from the dropdown menu.
4. Select **Save Changes**.

## Implementation

You can use the [Auth0 Lock SDK](/docs/libraries#lock) to integrate Auth0 within your application.

Once the user logs in with Auth0, the next step is to send their credentials to Cognito. To learn more, read [Open ID Connect providers (identity pools) on AWS Docs](http://docs.aws.amazon.com/cognito/latest/developerguide/open-id.html).

Cognito takes the <Tooltip tip="ID Token: Credential meant for the client itself, rather than for accessing a resource." cta="View Glossary" href="/docs/glossary?term=ID+token">ID token</Tooltip> a user receives from Auth0, and uses it to generate unique Cognito IDs. When the user logs in to Cognito through Auth0, you can store information in Cognito that only they can access.

## Troubleshooting

### "Invalid login token" error

If you receive an "Invalid login token" error, confirm that the Auth0 application is configured to use the RS256 signature algorithm:

1. Go to [Auth0 Dashboard > Applications > Applications](https://manage.auth0.com/#/applications), select your application, and then switch to the **Settings** view.
2. Expand the **Advanced Settings** section, and then switch to the **OAuth** view.
3. Locate the **JSON Web Token (JWT) Signature Algorithm** field, and select **RS256** from the dropdown menu.
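A preflight check for the Auth0 ID token before your application hands it to Cognito, added here as an example and not part of the original page or the Auth0 SDKs: it decodes the token's header and claims and compares them with the IAM provider settings from the steps above (Provider URL = your Domain, Audience = your Client ID, RS256 with a `kid` Cognito can find in the tenant JWKS), which are the mismatches behind the "Invalid login token" error. The domain, client ID and sample token are constructed placeholders, and the check does not verify the signature; Cognito does that against the JWKS.

```python
import base64
import json
import time

# Constructed placeholders for the Domain and Client ID recorded in the Auth0 dashboard.
AUTH0_DOMAIN = "example-tenant.auth0.com"
CLIENT_ID = "exampleClientId1234567890"

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def preflight_id_token(id_token: str, domain: str, client_id: str, now=None) -> list:
    """List every way the ID token disagrees with the IAM OIDC provider settings
    (Provider URL = domain, Audience = client_id, RS256). An empty list means the
    token is shaped the way Cognito expects; Cognito still verifies the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    # Cognito fetches the tenant's JWKS, so it needs RS256 plus a kid to pick the key.
    if header.get("alg") != "RS256":
        problems.append(f"alg is {header.get('alg')!r}; Cognito requires RS256")
    if "kid" not in header:
        problems.append("header lacks kid, so no JWKS key can be selected")
    # Auth0 issues tokens with iss https://<domain>/; this must match the Provider URL.
    if str(claims.get("iss", "")).rstrip("/") != f"https://{domain}":
        problems.append(f"iss {claims.get('iss')!r} does not match provider URL for {domain!r}")
    # aud must match the Audience registered on the IAM provider (the Client ID).
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include client ID {client_id!r}")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token is expired")
    return problems

def make_sample_token(alg: str, iss: str, aud: str, exp: int, kid="key-1") -> str:
    """Build an unsigned, constructed token purely for this offline demonstration."""
    header = {"alg": alg, "typ": "JWT", **({"kid": kid} if kid else {})}
    payload = {"iss": iss, "aud": aud, "sub": "auth0|constructed-user", "exp": exp}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     "signature-placeholder"])
```

Run the check on a token from the Lock SDK login callback; any reported mismatch is a configuration problem to fix in the Auth0 application or the IAM provider, not a reason to alter the token.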
