A guide to get you started with using Picket as a Federated Identity Provider for Amazon Cognito
Picket is OAuth 2.0 and OIDC compatible, which makes it easy to integrate with web2 identity providers like AWS Cognito. Picket is added to Amazon Cognito as a federated identity provider, allowing users to log in to your existing Amazon Cognito app (a.k.a User Pool) via Picket. This makes it easy to add Picket to existing Amazon Cognito apps or support multiple login methods like Picket for Web3 and Google for Web2.
You'll see the
Create New Projectbutton at the top of the Projects section of your Picket dashboard. Alternatively, you can re-use an existing project. Feel free to edit the project to give it a memorable name.
Example Project w/ Publishable and Secret Key Redacted
We're done for now! We'll revisit this project when we are setting up Picket as an identity provider in Amazon Cognito in the next section.
Old vs New AWS UI
If your Amazon Cognito looks different than the screenshots below, it is because the instruction use the latest Amazon Cognito UI. The old UI is visually different but information is the same.
For instructions on how to add a new federated identity provider to a user pool, there are step by step instructions in the AWS docs. Below is all the information you need to setup Picket as a federated OIDC identity provider as well as screenshots in case you get lost.
- Name = Picket
- Authorized scopes =
openid email profile
- Attribute request method = POST
- Setup Method = Auto fill through issuer URL
- Issuer URL = https://picketapi.com/api/v1
Picket OIDC Setup Part (1/2)
Picket OIDC Setup Part (2/2)
The mapping between Picket user attributes and your user pool is up to you. Do whatever makes sense for your application and needs. For a list of mappable user properties and their attribute names, checkout the Anatomy of an Access Token concept page.
Below is an example mapping, but again how you map Picket attributes to your application is up to you.
Example Picket OIDC Attribute Mapping
Picket Identity Provider in the New Amazon Cognito UI
Almost done! It's time to test the integration end to end.
If your app already authenticates users with AWS Cognito, you can now use Picket as an additional login method. If not, an easy way to test your integration is to use the default user pool domain.
To construct a test URL, insert the following values in the URL below
<your_user_pool_domain>= You can find your domain on the user pool Domain name console page
<your_client_id>= Client ID from your Amazon Cognito user pool client app. This is not the same as the client ID for the the Picket OIDC provider.
<your_redirect_uri>= Replace with the URI you want your user to land on after a successful or unsuccessful login. Typically this is the URI of your app. For example, if I want users to log in to Picket, I would set this to
Last but not least we need to whitelist the redirect URI for your Picket project. Whitelisting redirect URIs are a critical part of the security of the OAuth 2.0 authorization flow.
For federated identity providers, like Picket, the redirect URI you want to whitelist is typically the domain that is initiated the login request.
Example Picket Project with Redirect URI
You and your users should now be able to log into your app with their wallet of choice!
OIDC, or OpenID Connect, is an extension of the OAuth 2.0 standard. It defines APIs for accessing information about the currently logged in user.
OIDC is centered around web2 social profile information, like emails. At the time of writing this, there isn't a ubiquitous web3-native email provider or email equivalent for wallets. To maintain compatibility with OIDC and make the integration with web2 identity providers as simple as possible for our developers, we generate a web3 email address for users when they login.
This is subject to change in the future. Web3-native communication is still unsolved and we are actively monitoring for better solutions.