As you may know, with Cognito user pools, you can enable your web and mobile app users to sign up and sign in. Moreover, Cognito user pools support the OAuth 2.0 authorization framework for authenticating users. For example, after you configure a domain for the user pool [1], Cognito automatically provisions a hosted UI that enables you to easily add a federated, single sign-on experience to your website. If you look a little deeper, you can see that behind the scenes the hosted UI accesses HTTPS endpoints (also provisioned by Amazon Cognito) that implement parts of the OAuth 2.0 framework. Therefore, apart from the Cognito hosted UI, you can use the Cognito User Pools API to manage directories and users. You can also authenticate a user to obtain tokens related to user identity and access policies. More API references are available at [2] and [3].
In terms of how OAuth 2.0 works with Cognito, I would like to share this documentation [4], “Understanding Amazon Cognito user pool OAuth 2.0 grants”. The flow for obtaining user pool tokens varies slightly based on which grant type you use. While each of these grant types is defined by the OAuth 2.0 RFC document [5], certain details about the endpoints are open ended. Please note that the authorization code grant is the preferred method for authorizing end users.
After successful authentication, Cognito returns user pool tokens to your app. You can use the tokens to grant your users access to your own server-side resources, or to the Amazon API Gateway. Or, you can exchange them for AWS credentials to access other AWS services. [6]
User pool token handling and management for your web or mobile app is provided on the client side through the Amazon Cognito SDKs. Likewise, the Mobile SDK for iOS and the Mobile SDK for Android automatically refresh your ID and access tokens if a valid refresh token is present. For information on the SDKs, and for sample code for JavaScript, Android, and iOS, please see [7].
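To make the authorization code grant from [4] concrete, here is an added example (not code from the original post or from AWS) of the client side of that flow against the hosted UI's /oauth2/authorize and /oauth2/token endpoints, with PKCE and a state check so a stolen or replayed callback cannot complete the exchange. The user pool domain, app client ID and redirect URI are hypothetical placeholders; the code builds the requests but does not send them.

```python
import base64
import hashlib
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical values: substitute your own user pool domain, app client and callback.
COGNITO_DOMAIN = "https://example-app.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "EXAMPLE_APP_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"


def pkce_challenge(verifier: str) -> str:
    """S256 code challenge per RFC 7636: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(state: str, verifier: str, scope: str = "openid email") -> str:
    """Step 1: the URL the browser is sent to (Cognito's hosted /oauth2/authorize endpoint)."""
    params = {
        "response_type": "code",          # authorization code grant
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                   # stored in the user's session, checked on return
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{COGNITO_DOMAIN}/oauth2/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: pull the code out of the redirect, rejecting a mismatched state (CSRF)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed callback")
    if "error" in qs:
        raise ValueError(f"authorization failed: {qs['error'][0]}")
    return qs["code"][0]


def token_request(code: str, verifier: str) -> tuple:
    """Step 3: endpoint and form body to POST (application/x-www-form-urlencoded)."""
    body = {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "redirect_uri": REDIRECT_URI,     # must match the value used in step 1
        "code_verifier": verifier,        # proves the same client started the flow
    }
    return f"{COGNITO_DOMAIN}/oauth2/token", body
```

A successful POST returns id_token, access_token and refresh_token; verify the JWT signature against the pool's JWKS and check its issuer, audience and token_use claim before trusting it.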
References:
[1] Configuring a User Pool Domain – https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html
[2] Amazon Cognito API References – https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-reference.html
[3] Welcome – https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/Welcome.html
[4] Understanding Amazon Cognito user pool OAuth 2.0 grants – https://aws-blogs-prod.amazon.com/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
[5] The OAuth 2.0 Authorization Framework (RFC 6749) – https://tools.ietf.org/html/rfc6749
[6] Authentication with a User Pool – https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html
[7] Integrating Amazon Cognito With Web and Mobile Apps – https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-integrate-apps.html