Skip to main content
Connect AWS Cognito to authenticate end users with your Char widget. Create a Cognito User Pool, configure an app client, and set up Char for token validation.

Prerequisites

  • An AWS account with access to Amazon Cognito
  • A Cognito User Pool (or permissions to create one)
  • Access to the Char dashboard

Cognito Console

Open the Amazon Cognito Console

Cognito User Pools Docs

User Pools documentation

App Client Settings

App client configuration guide

Amplify Auth Docs

AWS Amplify Authentication (Gen 2)

SDK References

aws-amplify

AWS Amplify JavaScript library

@aws-amplify/ui-react

Amplify UI React components

amazon-cognito-identity-js

Low-level Cognito Identity SDK

Configuration Steps

1

Create or Select a User Pool

  1. Sign in to the AWS Cognito Console
  2. Select User pools from the left navigation
  3. Click Create user pool or select an existing pool
When creating a new User Pool, ensure you enable the Cognito user pool sign-in option and configure email as a required attribute.
2

Create an App Client

  1. In your User Pool, navigate to App integration tab
  2. Scroll down to App clients and analytics
  3. Click Create app client
  4. Configure the app client:
SettingValue
App typePublic client
App client nameChar Widget (or your preferred name)
Client secretDon’t generate a client secret
Authentication flowsALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH
  1. Under Hosted UI settings, configure:
    • Allowed callback URLs: Your application’s callback URL(s)
    • Allowed sign-out URLs: Your application’s logout URL(s)
    • OAuth 2.0 grant types: Authorization code grant, Implicit grant
    • OpenID Connect scopes: openid, email, profile
  2. Click Create app client
3

Note Your Pool ID and Client ID

From your User Pool:
  1. User Pool ID: Found on the User pool overview page (format: region_xxxxxxxxx)
  2. Client ID: Found in App integrationApp clients section
Cognito User Pool Settings

Find your Pool ID and Client ID in the Cognito Console

4

Configure Char

In the Char Dashboard:
  1. Navigate to SettingsIntegration
  2. Under SSO Configuration, select Custom OIDC as the provider
  3. Enter your configuration:
FieldValue
Client IDYour Cognito App Client ID
Issuer URLhttps://cognito-idp.{region}.amazonaws.com/{userPoolId}
  1. Click Test Connection to verify
  2. Click Save Changes

Configuration Reference

Char FieldAWS Cognito ValueExample
Provider TypeCustom OIDCcustom_oidc
Client IDApp Client ID1a2b3c4d5e6f7g8h9i0j
Issuer URLCognito Issuerhttps://cognito-idp.us-east-1.amazonaws.com/us-east-1_AbCdEfGhI
The issuer URL format is https://cognito-idp.{region}.amazonaws.com/{userPoolId}. Replace {region} with your AWS region (e.g., us-east-1, eu-west-1) and {userPoolId} with your User Pool ID.

Token Requirements

Char validates Cognito tokens with these requirements:
ClaimRequirement
issMust match https://cognito-idp.{region}.amazonaws.com/{userPoolId}
audMust include your configured App Client ID
subRequired - used as the user identifier (Cognito user UUID)
expMust not be expired
token_useMust be id (ID token, not access token)

Standard Cognito ID Token Claims

ClaimDescription
subUnique user identifier (UUID)
emailUser’s email address
email_verifiedWhether email is verified
cognito:usernameCognito username
cognito:groupsUser’s group memberships

Example: Obtaining and Passing the Token

import { Amplify } from 'aws-amplify';
import { fetchAuthSession } from 'aws-amplify/auth';
import "@mcp-b/embedded-agent/web-component";

Amplify.configure({
  Auth: {
    Cognito: {
      userPoolId: 'us-east-1_AbCdEfGhI',
      userPoolClientId: '1a2b3c4d5e6f7g8h9i0j',
    },
  },
});

// After user signs in
async function initWidget() {
  const session = await fetchAuthSession();
  const idToken = session.tokens?.idToken?.toString();

  if (idToken) {
    const agent =
      document.querySelector("webmcp-agent") ?? document.createElement("webmcp-agent");

    if (!agent.isConnected) {
      document.body.appendChild(agent);
    }

    agent.setAttribute("auth-token", idToken);
  }
}

Cognito User Groups

If you’re using Cognito User Groups for authorization: 
// Groups are included in the cognito:groups claim
const session = await fetchAuthSession();
const idToken = session.tokens?.idToken;

// Access groups from the token payload
const groups = idToken?.payload['cognito:groups'] || [];
console.log('User groups:', groups);
Char uses the sub claim for user identification. Group memberships (cognito:groups) are available in the token but not used for authorization by Char.

Custom Domains

If you’ve configured a custom domain for your Cognito User Pool:
  1. In Cognito Console, navigate to App integrationDomain
  2. Set up your custom domain (e.g., auth.yourcompany.com)
  3. The issuer URL remains the same (cognito-idp.{region}.amazonaws.com/{poolId})
Unlike some other providers, Cognito’s issuer URL does not change when using a custom domain. Always use the standard Cognito issuer format in Char.

Troubleshooting

The issuer URL format is incorrect:
  1. Verify the format: https://cognito-idp.{region}.amazonaws.com/{userPoolId}
  2. Check the region: Ensure you’re using the correct AWS region
  3. Verify Pool ID: The User Pool ID should match exactly (case-sensitive)
  4. No trailing slash: The issuer URL should not end with /
The token’s audience doesn’t match:
  • Verify the App Client ID matches exactly
  • Ensure you’re using the ID token, not the access token
  • Check that the App Client is in the correct User Pool
Char couldn’t reach Cognito’s JWKS endpoint:
  • The JWKS URL is https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
  • Verify your region and User Pool ID are correct
  • Use Test Connection in the dashboard
If tokens expire quickly:
  • Check your App Client’s token validity settings in App integrationApp clients
  • ID token validity can be set from 5 minutes to 1 day
  • Consider implementing token refresh before expiration
If user groups aren’t in the token:
  • Verify the user is assigned to groups in the Cognito Console
  • Check that your app client’s Read attributes includes groups
  • Groups are only included if explicitly configured

Lambda Triggers for Custom Claims

You can use Lambda triggers to add custom claims: 
// Pre Token Generation Lambda Trigger
exports.handler = async (event) => {
  // Add custom claims to the ID token
  event.response = {
    claimsOverrideDetails: {
      claimsToAddOrOverride: {
        'custom:role': event.request.userAttributes['custom:role'],
        'custom:team': event.request.userAttributes['custom:team'],
      },
    },
  };

  return event;
};
Configure this in User pool propertiesLambda triggersPre token generation.

Security Best Practices

  • Enable MFA in User Pool settings for enhanced security
  • Configure password policies with appropriate complexity requirements
  • Use AWS WAF with Cognito for additional protection
  • Enable advanced security features for adaptive authentication
  • Monitor with CloudWatch for authentication anomalies
  • Rotate app client secrets if using confidential clients (server-side)
  • Use Cognito User Groups for role-based access control