# AWS Cognito Integration (OAuth 2.0)

This page explains the AWS Cognito configuration required to enable Single Sign-On (SSO) with e6data using the OAuth 2.0 Authorization Code flow.

### **1. Prerequisites**

Before configuring the integration, ensure the following components already exist in your AWS account:

* **Cognito User Pool**\
  Your users must be managed in an existing AWS Cognito User Pool.
* **App Client for Web Applications**\
  The User Pool must have an App Client created specifically for web-based authentication.
* **Client Secret**\
  The App Client must have **Generate client secret** enabled.

### **2. Required App Client Settings**

The following authentication flows must be enabled in the App Client configuration:

#### **Authorization Flows to Enable**

| Flow                                 | Description                                                  |
| ------------------------------------ | ------------------------------------------------------------ |
| **ALLOW\_AUTHORIZATION\_CODE\_FLOW** | Required for OAuth 2.0 Authorization Code flow.              |
| **ALLOW\_REFRESH\_TOKEN\_AUTH**      | Allows users to maintain sessions without re-authentication. |

These settings can be found under:\
**Cognito User Pool → App Client → Authentication Flows**

### **3. Callback (Redirect) URLs**

After your environment is configured, e6data will share the list of callback (redirect) URLs required for the integration.

#### **Action Required**

Add the provided URLs to:\
**App Client → Hosted UI → Allowed Callback URLs**

This ensures Cognito redirects users back to the correct application endpoints after authentication.

### **4. Information Required From You**

To complete the integration, provide the following Cognito configuration details.

| Field              | Description                                    | Example                                       |
| ------------------ | ---------------------------------------------- | --------------------------------------------- |
| **Client ID**      | ID of the App Client used for SSO.             | 5hgnc4tbf82387dsx91mngs7e                     |
| **Client Secret**  | Secret generated for the App Client.           | 15e5c70p9k5h6bdf21696t35d1e2e212              |
| **User Pool ID**   | Identifier of your Cognito User Pool.          | us-west-2\_A1B2c3D4e                          |
| **Region**         | AWS region where the User Pool is hosted.      | us-east-1                                     |
| **Cognito Domain** | Hosted UI domain configured for the User Pool. | your-company.auth.us-east-1.amazoncognito.com |
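
A pre-flight check for the settings in sections 1 to 4, written as an added example (not e6data or AWS code). It assumes the App Client description was fetched with boto3's `describe_user_pool_client`, where the authorization code grant is reported as `code` under `AllowedOAuthFlows`; `check_app_client`, the sample data and the callback URL are hypothetical placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample shaped like the "UserPoolClient" object returned by
# boto3.client("cognito-idp").describe_user_pool_client(UserPoolId=..., ClientId=...).
SAMPLE_CLIENT = {
    "UserPoolId": "us-east-1_EXAMPLE01",
    "ClientId": "exampleclientid",
    "ClientSecret": "example-secret-placeholder",
    "ExplicitAuthFlows": ["ALLOW_REFRESH_TOKEN_AUTH"],
    "AllowedOAuthFlowsUserPoolClient": True,
    "AllowedOAuthFlows": ["code"],
    "CallbackURLs": ["https://sso.example.com/callback"],
}


def check_app_client(client, region, cognito_domain, expected_callbacks):
    """Return a list of findings; an empty list means the client is ready."""
    findings = []
    if not client.get("ClientSecret"):
        findings.append("App Client has no client secret")
    if not client.get("AllowedOAuthFlowsUserPoolClient"):
        findings.append("OAuth flows are not enabled for this App Client")
    if "code" not in client.get("AllowedOAuthFlows", []):
        findings.append("authorization code grant is not allowed")
    if "ALLOW_REFRESH_TOKEN_AUTH" not in client.get("ExplicitAuthFlows", []):
        findings.append("ALLOW_REFRESH_TOKEN_AUTH is not enabled")

    # Redirect URIs are compared as exact strings, so check full URLs.
    registered = set(client.get("CallbackURLs", []))
    for url in expected_callbacks:
        parsed = urlparse(url)
        if parsed.scheme != "https" and parsed.hostname != "localhost":
            findings.append(f"callback is not HTTPS: {url}")
        if url not in registered:
            findings.append(f"callback not registered: {url}")

    # The pool ID is "<region>_<id>"; a default hosted domain embeds the region.
    pool_region = client.get("UserPoolId", "").split("_", 1)[0]
    if pool_region != region:
        findings.append(f"User Pool ID region {pool_region!r} != Region {region!r}")
    m = re.fullmatch(r"[a-z0-9-]+\.auth\.([a-z0-9-]+)\.amazoncognito\.com", cognito_domain)
    if m and m.group(1) != region:
        findings.append(f"Cognito Domain region {m.group(1)!r} != Region {region!r}")
    return findings
```

A custom Cognito domain does not match the default hosted-domain pattern, so the domain region comparison is skipped for it.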

### **5. Summary**

This configuration enables secure OAuth-based SSO between your Cognito User Pool and e6data. Once the required details are shared, the e6data team will finalize the integration.

