## AWS Cognito

### Prerequisites

- AWS account with appropriate IAM permissions
- Cognito User Pool created

### Configuration Steps

#### Step 1: Access Cognito User Pool

1. Open **AWS Console** → Search for **Cognito**
2. Select **User Pools** from the left sidebar
3. Click on your User Pool name

#### Step 2: Select or Create App Client

1. In User Pool details, navigate to the **App integration** tab
2. Scroll to the **App clients and analytics** section
3. **If you have an existing app client**: Click on it to open its settings, then skip to Step 3
   - **If creating new**: Click **Create app client**
   - **App type**: Select `Confidential client`
   - **App client name**: Enter "Frontegg AgentLink"
   - **Client secret**: Select `Generate a client secret`
   - In the **Authentication flows** section, enable:
     - ALLOW_REFRESH_TOKEN_AUTH
     - ALLOW_USER_SRP_AUTH
   - Click **Create app client**

#### Step 3: Configure Hosted UI Settings

1. From the **App integration** tab, scroll to the **App clients** list
2. Click on your app client name
3. Click **Edit** in the **Hosted UI settings** section
4. Configure callback URLs (add to existing or create new):
   - **Allowed callback URLs**:
     ```
     https://[YOUR-FRONTEGG-DOMAIN]/oauth/callback
     ```
   - **Allowed sign-out URLs** (optional):
     ```
     https://[YOUR-FRONTEGG-DOMAIN]/logout
     ```
5. Configure OAuth 2.0 grants:
   - **Allowed OAuth Flows**:
     - Authorization code grant
   - **Allowed OAuth Scopes**:
     - openid
     - email
     - profile
6. Click **Save changes**

#### Step 4: Obtain Credentials

1. In the app client details page, locate **Client ID** in the **App client information** section
2. Copy the **Client ID**: `[alphanumeric-string]`
3. Click **Show client secret** and copy the **Client Secret**
4. Navigate back to User Pool details and note the **User Pool ID** from the overview
5. Note your **AWS Region** (visible in the User Pool ARN)

#### Configuration Values for Frontegg

```yaml
provider: cognito
issuer_url: https://cognito-idp.[region].amazonaws.com/[user-pool-id]
client_id: [from App Client]
client_secret: [from App Client]
```
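Before handing these values to Frontegg, it is worth checking that the issuer URL, region and User Pool ID agree with each other and with what the pool actually publishes at `<issuer>/.well-known/openid-configuration`: an issuer mismatch means ID tokens are validated against the wrong issuer, and a callback URL that still contains the `[YOUR-FRONTEGG-DOMAIN]` placeholder or uses plain `http` will break or weaken the authorization code flow. The following Python script is an added example, not code from Frontegg or AWS. It assumes the configuration is held in a dict with the same keys as the YAML block above, that Cognito User Pool IDs follow the `<region>_<alphanumeric>` form, and it uses a constructed discovery document instead of fetching one over the network; the sample pool ID, client ID and secret are made up.

```python
"""Sanity checks for a Cognito OIDC provider configuration (added example, not Frontegg/AWS code).

Assumptions (not from the page): config keys match the YAML block (provider, issuer_url,
client_id, client_secret); the discovery document is passed in by the caller (here a
constructed sample) rather than fetched from <issuer>/.well-known/openid-configuration.
"""
import re
from urllib.parse import urlparse

# Cognito user pool IDs have the form "<region>_<alphanumeric>", e.g. "us-east-1_AbCdEfGhI".
POOL_ID_RE = re.compile(r"^(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)_[A-Za-z0-9]+$")


def cognito_issuer(region: str, user_pool_id: str) -> str:
    """Build the issuer_url from the YAML block and check the pool ID's region matches."""
    m = POOL_ID_RE.match(user_pool_id)
    if not m:
        raise ValueError(f"malformed user pool id: {user_pool_id!r}")
    if m.group("region") != region:
        raise ValueError(
            f"pool id region {m.group('region')!r} does not match configured region {region!r}"
        )
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def check_callback_url(url: str) -> list[str]:
    """Return the problems found with an Allowed callback URL (empty list means OK)."""
    if "[" in url or "]" in url:
        # The page's template still contains the [YOUR-FRONTEGG-DOMAIN] placeholder.
        return ["callback URL still contains a placeholder such as [YOUR-FRONTEGG-DOMAIN]"]
    problems = []
    p = urlparse(url)
    if p.scheme != "https":
        problems.append("callback URL must use https")
    if not p.netloc:
        problems.append("callback URL has no host")
    if p.path != "/oauth/callback":
        problems.append("callback path must be /oauth/callback")
    if p.query or p.fragment:
        problems.append("callback URL must not carry a query string or fragment")
    return problems


def check_discovery(config: dict, discovery: dict) -> list[str]:
    """Compare the configured values against the provider's OIDC discovery document.

    OIDC discovery requires the 'issuer' value to equal the issuer URL exactly; the JWKS
    used to verify ID tokens must also live under that issuer.
    """
    problems = []
    if config.get("provider") != "cognito":
        problems.append("provider must be 'cognito'")
    issuer = config.get("issuer_url", "")
    if discovery.get("issuer") != issuer:
        problems.append(
            f"discovery issuer {discovery.get('issuer')!r} != configured issuer_url {issuer!r}"
        )
    if not discovery.get("jwks_uri", "").startswith(issuer + "/"):
        problems.append("jwks_uri is not under the configured issuer")
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("provider does not advertise the authorization code grant")
    for scope in ("openid", "email", "profile"):  # the scopes enabled in Step 3
        if scope not in discovery.get("scopes_supported", []):
            problems.append(f"scope {scope!r} not advertised by provider")
    for key in ("client_id", "client_secret"):
        value = config.get(key, "")
        if not value or value.startswith("["):
            problems.append(f"{key} is missing or still a placeholder")
    return problems


# Constructed sample values: not a real pool, client ID or secret.
SAMPLE_REGION = "us-east-1"
SAMPLE_POOL_ID = "us-east-1_AbCdEfGhI"
SAMPLE_CONFIG = {
    "provider": "cognito",
    "issuer_url": cognito_issuer(SAMPLE_REGION, SAMPLE_POOL_ID),
    "client_id": "1example23456789abcdefghijklmn",
    "client_secret": "example-secret-do-not-use",
}
# Constructed discovery document in the shape Cognito publishes for a pool.
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_CONFIG["issuer_url"],
    "jwks_uri": SAMPLE_CONFIG["issuer_url"] + "/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
}

if __name__ == "__main__":
    print("callback:", check_callback_url("https://[YOUR-FRONTEGG-DOMAIN]/oauth/callback"))
    print("discovery:", check_discovery(SAMPLE_CONFIG, SAMPLE_DISCOVERY))
```

Run it as a pre-flight check after filling in the real region, pool ID and client values; an empty list from both functions means the values are consistent with each other. To compare against the live pool, fetch the JSON from `<issuer_url>/.well-known/openid-configuration` and pass it to `check_discovery` in place of the constructed sample.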