SSO Integration between 2 webapps using Cognito

We have a requirement where we need an external partner’s users to be able to access our web application.

External partner setup: web app with a Cognito user pool on their own AWS account.

Our setup: React app with a Cognito user pool (username/password authentication) on our AWS account.

The requirement is: our partner’s users will log in to the partner’s website. Once authenticated, they will land on the home page and see a link to our website.
Upon clicking the link, our web app must be launched in a new tab; users must be verified (probably provisioned in our Cognito prior to that) and allowed access to our application’s home page without the need to sign in again.

Our app is a React SPA hosted using S3/CloudFront. We have an app client for the UI set up in Cognito. When a user attempts to access the app, they are presented with a custom login screen. Once credentials are verified (done using Amplify Auth in the React app), tokens are created in local storage and used thereafter to invoke REST APIs, etc.

Therefore, we need to replicate similar behavior for users accessing our site from the partner’s website.

I have been reading articles related to SSO / OAuth 2.0 / OIDC, looking for information on:

  • Does the partner need to make any config changes to their user pool to achieve this?

  • What changes do we need to make to our user pool?

  • How should our web app be accessed from the partner’s website (GET on our home page, or POST some info like a token, etc.)?

  • What changes do we need to make in our UI app code to accommodate this?

I found an article that talks about federating 2 Cognitos:

But this setup means our partner’s users will have to sign in (using IdP federation) to access our app, which is not the intended behavior (using SSO to be able to access both sites seamlessly).

If anyone has any solutions/pointers, kindly share; it will be much appreciated.