Take the following steps to create a new application of Amazon Cognito for integrating with NGINX Plus.
Note:
The following procedure reflects the Cognito GUI at the time of publication, but the GUI is subject to change. Use this guide as a reference and adapt to the current Cognito GUI as necessary.
-
Log in to your AWS account, open the AWS Management Console, and navigate to the Cognito dashboard (you can, for example, click
Cognitoin the Security, Identity, & Compliance section of the Services drop‑down menu). -
On the Cognito dashboard, click Manage User Pools to open the Your User Pools window. Click the
Create a user poolbutton or the highlighted phrase.
-
Configure sign-in experience as the following example:
-
Configure security requirements as the following example:
Note: Select
No MFAfor your quick testing. Otherwise configure multi-factor authentication.
-
Configure sign-up experience as the following example:
Note: select additional required attributes such as
preferred_usernamebecause it is used for NGINX Dev Portal.
-
Configure message delivery as the following example:
-
Integrate your app as the following example:
Note: You can create your app either in this step or after creating a user pool.
-
Option 1. Check
Generate a client secretif you want to disable PKCE -
Option 2. Check
Don't generate a client secretif you want to enable PKCE
-
-
Review and create a user pool:
-
Click
Create user poolbutton:
-
Select a user pool (
nginx-oidc-user-pool) that you created:
-
In the tab of Users, click
Create userbutton:
-
Add a user name that you want to create:
Note: Select
Don't send an invitationfor your quick testing to create dummy email address.
-
Select a Create Cognito domain in the list after selecting the tab of App Integration:
-
Type a domain prefix in the Domain prefix field under Cognito domain (in this guide,
my-nginx-plus-oidc). Click theCreate Cognito domainbutton:
-
Check if your domain is created:
-
Select the tab of App Integration in the user pool:
-
Scroll down from the tab of App integration, and select Create app client button
-
Enter a name of app (in this guide,
nginx-oidc-appfor non-PKCE,nginx-odic-app-pkcefor PKCE) in the App client name field. Make sure that you choose one of the following options.-
Option 1. Check
Generate a client secretif you want to disable PKCE
-
Option 2. Check
Don't generate a client secretif you want to enable PKCE
-
-
Find Hosted UI settings after scrolling down, and perform the following steps:
-
4.1 In the sections of Allowed callback URLs and Allowed sign-out URLs, type the URI of the NGINX Plus instance including the port number, and ending in
/_codexchfor callback URL and/_logoutfor sign-out URL as follows.- Allowed callback URLs:
https://nginx.cognito.test:443/_codexch. - Allowed sign-out URLs:
https://nginx.cognito.test:443/_logout.
Notes:
- For production, we strongly recommend that you use SSL/TLS (port 443).
- The port number is mandatory even when you’re using the default port for HTTP (80) or HTTPS (443). But it it isn't needed if you use NGINX ACM.
- Allowed callback URLs:
-
4.2 In the OAuth 2.0 grant types section, click the Authorization code grant checkbox.
-
4.3 In the OpenID Connect scopes, click the email, openid, and profile checkboxes.
-
4.4 Click the
Save changesbutton.
-
-
Check the App client list in the tab of App integration under the user pool of nginx-oidc-user-pool to see TWO applications (#1 for non-PKCE, #2 for PKCE) are created.
-
Click one of app clients to note Client ID and Client secret for configuring NGINX Plus.
-
Option 1. Copy and note Client ID and Client secret for non-PKCE application.
-
Option 2. Copy and note only Client ID for PKCE application.
-
