AWS Cognito

Prerequisites

  • AWS account with appropriate IAM permissions
  • Cognito User Pool created

Configuration Steps

Step 1: Access Cognito User Pool

  1. Open AWS Console → Search for Cognito
  2. Select User Pools from the left sidebar
  3. Click on your User Pool name

Step 2: Select or Create App Client

  1. In User Pool details, navigate to App integration tab
  2. Scroll to App clients and analytics section
  3. If you have an existing app client, click it to open its settings and skip to Step 3. Otherwise, click Create app client and configure:
    • App type: Select Confidential client
    • App client name: Enter "Frontegg AgentLink"
    • Client secret: Select Generate a client secret
    • Authentication flows: enable
      • ALLOW_REFRESH_TOKEN_AUTH
      • ALLOW_USER_SRP_AUTH
    • Click Create app client

Step 3: Configure Hosted UI Settings

  1. From App integration tab, scroll to App clients list
  2. Click on your app client name
  3. Click Edit in Hosted UI settings section
  4. Configure callback URLs (add to the existing list or create a new one):
    • Allowed callback URLs:
      https://[YOUR-FRONTEGG-DOMAIN]/oauth/callback
    • Allowed sign-out URLs (optional):
      https://[YOUR-FRONTEGG-DOMAIN]/logout
  5. Configure OAuth 2.0 grants:
    • Allowed OAuth Flows:
      • Authorization code grant
    • Allowed OAuth Scopes:
      • openid
      • email
      • profile
  6. Click Save changes

Step 4: Obtain Credentials

  1. On the app client details page, locate Client ID in the App client information section
  2. Copy the Client ID: [alphanumeric-string]
  3. Click Show client secret and copy the Client Secret
  4. Navigate back to the User Pool details page and note the User Pool ID from the overview
  5. Note your AWS Region (visible in the User Pool ARN)

Configuration Values for Frontegg

provider: cognito
issuer_url: https://cognito-idp.[region].amazonaws.com/[user-pool-id]
client_id: [from App Client]
client_secret: [from App Client]
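The following is an added example, not Frontegg's or AWS's own code, showing how the four values above fit together and what a relying party checks with them. It composes the issuer_url from the Region and User Pool ID noted in Step 4, flags a mismatch between the region in the hostname and the region prefix of the pool ID, catches bracketed [placeholder] values left over from the template, checks the callback URL from Step 3, and runs the claim checks (iss, aud, token_use, exp) that must follow signature verification of a Cognito ID token. It assumes the standard Cognito issuer layout `https://cognito-idp.<region>.amazonaws.com/<user-pool-id>` and the standard claim names; the pool ID, client ID and secret are constructed sample values.

```python
import re
import time

# Shape of a Cognito issuer URL: https://cognito-idp.<region>.amazonaws.com/<user-pool-id>
# A user pool ID is "<region>_<9 alphanumerics>", e.g. us-east-1_AbCdEfGhI (constructed value).
_REGION = r"[a-z]{2}(?:-[a-z]+)+-\d"
ISSUER_RE = re.compile(
    rf"^https://cognito-idp\.(?P<host_region>{_REGION})\.amazonaws\.com/"
    rf"(?P<pool_id>(?P<pool_region>{_REGION})_[A-Za-z0-9]{{9}})$"
)


def build_issuer_url(region: str, user_pool_id: str) -> str:
    """Compose issuer_url for the Frontegg config from the Region and Pool ID noted in Step 4."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def discovery_url(issuer_url: str) -> str:
    """OIDC discovery document for the pool; its jwks_uri points at the token signing keys."""
    return issuer_url + "/.well-known/openid-configuration"


def validate_frontegg_config(cfg: dict) -> list:
    """Return a list of problems with the four configuration values (empty list means OK)."""
    problems = []
    if cfg.get("provider") != "cognito":
        problems.append("provider must be 'cognito'")
    m = ISSUER_RE.match(cfg.get("issuer_url", ""))
    if m is None:
        problems.append("issuer_url is not of the form https://cognito-idp.<region>.amazonaws.com/<user-pool-id>")
    elif m.group("host_region") != m.group("pool_region"):
        problems.append(
            f"issuer_url region {m.group('host_region')} does not match the pool's region {m.group('pool_region')}"
        )
    for key in ("client_id", "client_secret"):
        value = cfg.get(key, "")
        if not value or value.startswith("["):
            problems.append(f"{key} is empty or still holds the [placeholder] from the template")
    return problems


def validate_callback_url(url: str, frontegg_domain: str) -> list:
    """The callback registered in Step 3 must be the exact https URL Frontegg redirects to."""
    expected = f"https://{frontegg_domain}/oauth/callback"
    return [] if url == expected else [f"callback URL must be exactly {expected}, got {url}"]


def validate_id_token_claims(claims: dict, issuer_url: str, client_id: str, now=None) -> list:
    """Claim checks on a Cognito ID token, to run only after its signature has been
    verified against the JWKS at <issuer_url>/.well-known/jwks.json."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer_url:
        problems.append(f"iss {claims.get('iss')!r} is not the configured issuer")
    if claims.get("aud") != client_id:
        problems.append("aud does not match this app client's Client ID")
    if claims.get("token_use") != "id":
        problems.append("token_use is not 'id'")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


# Constructed sample values (not real credentials).
SAMPLE_CONFIG = {
    "provider": "cognito",
    "issuer_url": build_issuer_url("us-east-1", "us-east-1_AbCdEfGhI"),
    "client_id": "1h57kf5cpq17m0eml12EXAMPLE",
    "client_secret": "constructed-secret-value",
}

if __name__ == "__main__":
    print("config problems:", validate_frontegg_config(SAMPLE_CONFIG))
    print("discovery:", discovery_url(SAMPLE_CONFIG["issuer_url"]))
```

The region check matters because the User Pool ID already carries its region as a prefix; if the hostname in issuer_url names a different region, discovery and JWKS fetches fail or, worse, point at a different pool. The claim checks mirror what any OIDC relying party does with Cognito tokens: iss must equal the configured issuer_url exactly, aud must be this app client's Client ID, and token_use must be "id" so that an access token is not accepted where an ID token is expected.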