
Node Express Passport Strategy for AWS Cognito using the Oauth2 Strategy

Primary LanguageJavaScriptMIT LicenseMIT


Passport strategy for authenticating and fetching profile data from AWS Cognito User pools using OAuth2 and the Amazon SDK


$ npm install passport-cognito-oauth2


Configure Strategy

The Cognito OAuth 2.0 authentication strategy authenticates requests using the OAuth 2.0 framework and retrieves user data from AWS Cognito User Pools. The strategy requires a verify callback, which accepts these credentials and calls done providing a user, as well as options specifying a consumer key, consumer secret, and callback URL.

const passport = require('passport')
const CognitoOAuth2Strategy = require('passport-cognito-oauth2');

const options = {
  callbackURL: 'https://myapp.com/auth/cognito/callback',
  clientDomain: 'https://myapp.auth.us-west-2.amazoncognito.com',
  clientID: '123-456-789',
  clientSecret: 'shhh-its-a-secret',
  region: 'us-west-2'

function verify(accessToken, refreshToken, profile, done) {
  User.findOrCreate(profile, (err, user) => {
    done(err, user);

passport.use(new CognitoOAuth2Strategy(options, verify));  
passport.serializeUser((user, done) => done(null, user));
passport.deserializeUser((obj, done) => done(null, obj));

Authenticate Requests

Use passport.authenticate(), specifying the 'cognito-oauth2' strategy, to authenticate requests.

For example, as route middleware in an Express application:

  (req,res) => res.send(req.user)  

Cognito configuration

When you create your App Client, you will need to generate an App Client Secret

Your App client settings will need:

Enabled Identity Providers: Cognito User Pool

Callback URL(s): options.callbackURL

Allowed OAuth Flows: Authorization code grant

Allowed OAuth Scopes: [openid, aws.cognito.signin.user.admin, profile]

You must also configure a Domain name for use as options.clientDomain