Create Cognito User Pool

==================================================

To create an Amazon Cognito User Pool for a REST API, do the following:

1. From the AWS Management Console, select Cognito to open the Cognito Management Console.

2. Click on the Manage User Pools button.

3. Click on the Create a User Pool button at the top of the screen.

.....a. Enter a Pool Name (for example, pPool) and click the Review Defaults button.

.....b. On the first screen, choose how users sign in (username, or email/phone number as an alias) and which standard attributes (email, name, etc.) are required, then click the Next Step button.

.....c. On the second screen, set the password strength and complexity policy. The key decision here is whether users may sign themselves up or only administrators may create users. Click the Next Step button.

.....d. On the third screen, set MFA and email verification as desired and click the Next Step button.

.....e. On the remaining screens, click the Next Step buttons and finally click on the Create Pool button.

4. Note the Pool Id (shown under General settings, of the form <region>_<identifier>) for use when configuring your application's connection; applications and token validators reference the pool by this ID, not by its name.

5. Note: by default, users can sign up for accounts themselves, but you can change this with the User Sign Ups Allowed setting for the Cognito User Pool. Leave self sign-up enabled only if the API is meant to serve anyone who registers: with it enabled, anyone who knows the app client ID can create an account and obtain valid tokens from this pool.

=====================================================================

To use the Cognito sign-up, sign-in and sign-out web pages, you need to add an App Client to the Cognito User Pool and enable the hosted web user interface:

1. From the AWS Management Console, select Cognito to open the Cognito Management Console.

2. Select the Manage User Pools button and choose the User Pool that you just created.

3. Under General Settings on the left menu, select the App Clients option.

4. Click on the Add an App Client link.

.....a. Enter an App Name (for example, pClient) at the top of the page.

.....b. Clear the Generate Client Secret checkbox. A browser or mobile application cannot keep a secret, so a public client that uses the hosted UI must be created without one; leave the box selected only for a confidential client (for example, a server-side application) that can protect the secret.

.....c. Click on the Create App Client button.

5. Note the app client ID on the settings sheet (a generated alphanumeric string). It identifies the client and is not a secret; it appears in the login URL and in every token issued to the client.

6. Select App Client Settings on the left menu.

7. Select Cognito User Pool as an Enabled Identity Provider.

8. Enter a callback URL for Cognito Authorization (for example https://[app_url]/core/process_login.html). This is the page Cognito redirects to after login. Callback URLs must use HTTPS (http://localhost is permitted for local testing only), and Cognito only redirects to a redirect_uri that exactly matches one of the URLs registered here, so this list is what keeps tokens from being sent to a page an attacker controls.

9. Enter a sign-out URL for Cognito (for example https://[app_url]/core/process_logout.html). This is the page Cognito redirects to after logout; the same exact-match rule applies.

10. Select the Implicit Grant check box under Allowed OAuth Flows. With the implicit grant, Cognito returns the ID and access tokens to the callback page in the URL fragment, where they can end up in browser history and logs; the Authorization code grant (with PKCE for a client that has no secret) avoids that and is the recommended choice for new applications. This prototype uses the implicit grant; if you switch to the code grant, the callback page must exchange the returned code at the token endpoint instead of reading tokens from the fragment.

11. Select the aws.cognito.signin.user.admin check box under Allowed OAuth Scopes. This scope lets the access token call Cognito user pool API operations that act on the signed-in user's own account (reading or updating their attributes, changing their password); it grants nothing outside Cognito.

12. Click the Save Changes button.

13. Click the Choose Domain link at the bottom of the screen.

14. Enter an Amazon Cognito Domain prefix (for example pdomain; it must be lower case) and click the Check Availability button. The resulting URL, of the form https://<prefix>.auth.<region>.amazoncognito.com, is the one your application calls for the Cognito login, logout and sign-up functions. Note and save the domain and base URL on the settings sheet.

15. Click on the Save Changes button.

16. Select App Client Settings on the left menu.

17. Test by launching the user interface by clicking on the Launch Hosted UI button.

18. Note the URL on the settings sheet. This is only a check that you have set up the Cognito pool and domain correctly; you will add a user and log in later in this process.

19. Click on the Save Changes button.

=====================================================================

At this point the user pool is empty. To test the setup from the console and create a user for testing:

1. On the Cognito management console, select the user pool created for this prototype.

2. Select App Client Settings on the left menu.

3. Click on the Launch Hosted UI link near the bottom of the screen.

4. Since this is your first time using this Cognito User Pool, click on the Sign Up button at the bottom.

5. Fill in the Username, Email and Password fields and click on the Sign Up button.

6. Cognito will send an email to the address that you provided containing a verification code. Enter the code on the verification screen that appears next and click the Confirm Account button.

7. If it succeeds, Cognito redirects the browser to the callback URL with the tokens in the URL fragment; that post-login page may not exist yet.

=====================================================================

For other AWS resources (for example, an API Gateway method with a Cognito authorizer) to verify that the caller's access token carries the appropriate access, you need to set up a Cognito Resource Server with a custom scope. To define a Resource Server:

1. From the AWS Management Console, select the Cognito link to open the Cognito Management Console.

2. Click on the Manage User Pools tile and select the desired user pool.

3. Choose the Resource Servers option on the menu on the left.

.....a. Click on the Add a Resource Server button.

.....b. Enter a name for the resource server (for example, pResServer).

.....c. Enter an identifier (for example, pId). This is typically the API's base URL or a short name; it becomes the prefix of every custom scope defined on this resource server.

.....d. Enter the name of the custom scope (for example, pScope) and a description for it.

.....e. Click the Save Changes button.

4. Note the Resource Server Identifier and Custom Scope for later when configuring access to the API. The full scope string is <identifier>/<scope name>, pId/pScope in this example, and that is how it appears in the scope claim of an access token.

=====================================================================

Configure the Cognito User Pool to use the Custom Scope:

1. From the AWS Management Console, select Cognito to open the Cognito Management Console.

2. Select the Manage User Pools button.

3. Select the Cognito User Pool created for this prototype.

4. Select App Client Settings on the left menu under App Integration.

5. Under Allowed Custom Scopes, select the check box for the custom scope of the resource server you just created. A scope that is not allowed on the app client cannot be requested by it, so this is what lets the login above produce an access token that carries pId/pScope.

6. Click the Save Changes button.

7. Note the URL for the user pool in the configuration information checklist for future use. The pool's issuer URL has the form https://cognito-idp.<region>.amazonaws.com/<pool id>; it appears in the iss claim of every token the pool issues, and the public keys for checking token signatures are published at that URL plus /.well-known/jwks.json.
