Phase 6 - Authentication and DNS

1. Configure Google identity provider

  • Open Amazon Cognito Console in region us-east-1.

  • Open your user pool and go to Social and external providers.

  • Click Add identity provider.
    [Screenshot: Cognito social providers entry]

  • Select provider type Google.

  • Enter your Google OAuth Client ID and Client secret from Google Cloud Console.

  • Set authorized scopes: openid email profile.

  • Save changes.

  • Verify provider Google is present.

  • Verify mappings include these key fields:

    • email -> email
    • email_verified -> email_verified
    • name -> name
    • picture -> picture
    • username -> sub
    [Screenshots: Cognito Google provider details; Cognito Google provider mappings]

2. Create Cognito user pool and app client

  • Open Amazon Cognito Console in region us-east-1.

  • Open User pools.

  • Click Create user pool.
    [Screenshot: Cognito user pools entry]

  • Select application type Single-page application (SPA).

  • Enter application name: myfit cognito app client.

  • In sign-in identifiers, select Email.
    [Screenshot: Cognito app setup basic]

  • Keep Enable self-registration selected.

  • Set required attributes to include email.

  • Enter return URL: https://myfit.click.

  • Click Create user directory.
    [Screenshot: Cognito app setup and return URL]

3. Configure managed login pages

  • Open your user pool, then open App clients.

  • Select app client Fitme-cognito-web-auth-service.

  • Open Edit managed login pages configuration.
    [Screenshot: Cognito managed login callback URLs]

  • Set Allowed callback URLs:

    • http://localhost:8081/callback
    • https://myfit.click/callback
    • myfit://callback
  • Set Default redirect URL: https://myfit.click/callback.

  • Set Allowed sign-out URLs:

    • http://localhost:8081/logout
    • https://myfit.click/logout
    • myfit://logout
  • In identity providers, select Google.

  • In OAuth 2.0 grant types, select Authorization code grant.
    [Screenshot: Cognito managed login sign-out and OAuth flow]

  • In OpenID Connect scopes, select:

    • email
    • openid
    • profile
  • Click Save changes.
    [Screenshot: Cognito managed login OIDC scopes]

4. Verify Route 53 hosted zone and records

Notice: The workshop sample domain myfit.click is already registered by our team through MatBao and is shown only as a reference. For your own setup, use your own domain and DNS zone. If you want easier end-to-end setup, you can purchase a domain directly in Route 53 (for example, myapp.com) and use that domain in all steps.

  • Open Route 53 Console - Hosted zones.

  • Confirm hosted zone myfit.click exists and type is Public.
    [Screenshot: Route 53 hosted zones]

  • Open hosted zone myfit.click - Records.

  • Verify core records:

    • Alias A record for myfit.click points to CloudFront domain.
    • Alias A record for api.myfit.click points to ALB domain.
    • ACM validation CNAME records for myfit.click and api.myfit.click exist.
    • Default NS and SOA records exist.
    [Screenshot: Route 53 records list]
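The record checks above can be scripted against the output of `aws route53 list-resource-record-sets --hosted-zone-id <zone id>` instead of being read off the console. The script below is an added example, not part of the workshop; the zone JSON is a constructed sample whose alias targets and ACM validation labels are placeholders. It checks the four core records the list asks for and flags a missing one, and it requires the ACM validation CNAME to sit directly under each name so the api validation record cannot satisfy the apex check.

```python
import json

# Names as Route 53 returns them: fully qualified, with a trailing dot.
# Substitute your own zone if you are not using the workshop domain.
APEX = "myfit.click."
API = "api.myfit.click."

# Constructed sample of `aws route53 list-resource-record-sets` output.
# Alias DNS names, zone IDs and ACM labels are placeholders, not workshop values.
SAMPLE_ZONE = json.loads("""
{
  "ResourceRecordSets": [
    {"Name": "myfit.click.", "Type": "NS", "TTL": 172800,
     "ResourceRecords": [{"Value": "ns-placeholder-1.awsdns-00.com."}]},
    {"Name": "myfit.click.", "Type": "SOA", "TTL": 900,
     "ResourceRecords": [{"Value": "ns-placeholder-1.awsdns-00.com. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400"}]},
    {"Name": "myfit.click.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZPLACEHOLDERCF", "DNSName": "dplaceholder.cloudfront.net.", "EvaluateTargetHealth": false}},
    {"Name": "api.myfit.click.", "Type": "A",
     "AliasTarget": {"HostedZoneId": "ZPLACEHOLDERALB", "DNSName": "dualstack.myfit-alb-placeholder.us-east-1.elb.amazonaws.com.", "EvaluateTargetHealth": false}},
    {"Name": "_acmplaceholder1.myfit.click.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "_acmplaceholder1.acm-validations.aws."}]},
    {"Name": "_acmplaceholder2.api.myfit.click.", "Type": "CNAME", "TTL": 300,
     "ResourceRecords": [{"Value": "_acmplaceholder2.acm-validations.aws."}]}
  ]
}
""")


def _records(zone, name, rtype):
    """All record sets in the zone with exactly this name and type."""
    return [r for r in zone["ResourceRecordSets"] if r["Name"] == name and r["Type"] == rtype]


def _alias_points_at(records, suffix):
    """True if any record is an alias whose target DNS name ends with `suffix`."""
    return any(r.get("AliasTarget", {}).get("DNSName", "").endswith(suffix) for r in records)


def _has_acm_validation(zone, domain):
    """True if a CNAME one label below `domain` targets ACM's validation zone."""
    for r in zone["ResourceRecordSets"]:
        if r["Type"] != "CNAME" or not r["Name"].endswith("." + domain):
            continue
        label = r["Name"][: -len("." + domain)]
        if "." in label:  # validation record for a deeper name, not this one
            continue
        if any(v["Value"].endswith(".acm-validations.aws.") for v in r.get("ResourceRecords", [])):
            return True
    return False


def check_zone(zone, apex=APEX, api=API):
    """Return findings for the Phase 6 record list; an empty list means all checks passed."""
    findings = []
    if not _alias_points_at(_records(zone, apex, "A"), ".cloudfront.net."):
        findings.append(f"{apex} has no alias A record pointing at a CloudFront domain")
    if not _alias_points_at(_records(zone, api, "A"), ".elb.amazonaws.com."):
        findings.append(f"{api} has no alias A record pointing at an ALB domain")
    for domain in (apex, api):
        if not _has_acm_validation(zone, domain):
            findings.append(f"no ACM validation CNAME found under {domain}")
    for rtype in ("NS", "SOA"):
        if not _records(zone, apex, rtype):
            findings.append(f"{apex} is missing its {rtype} record")
    return findings


def without(zone, name, rtype):
    """Copy of the zone with one record set removed (used to exercise the checks)."""
    return {"ResourceRecordSets": [r for r in zone["ResourceRecordSets"]
                                   if not (r["Name"] == name and r["Type"] == rtype)]}


if __name__ == "__main__":
    import sys
    zone = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ZONE
    for finding in check_zone(zone) or ["all Phase 6 DNS records present"]:
        print(finding)
```

Save the CLI output to a file and pass its path as the first argument; with no argument the script runs against the constructed sample.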

5. Phase completion checklist

  1. Confirm Cognito user pool ID is us-east-1_9AoKPqZO1.
  2. Confirm app client ID is 661fm3mj7s5qcmoldri1mem9sr.
  3. Confirm callback URLs include http://localhost:8081/callback, https://myfit.click/callback, and myfit://callback.
  4. Confirm sign-out URLs include http://localhost:8081/logout, https://myfit.click/logout, and myfit://logout.
  5. Confirm supported identity provider includes Google.
  6. Confirm OAuth flow is code and scopes include email, openid, profile.
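The six checklist items map directly onto fields returned by `aws cognito-idp describe-user-pool-client --user-pool-id us-east-1_9AoKPqZO1 --client-id 661fm3mj7s5qcmoldri1mem9sr --region us-east-1`. The script below is an added example, not part of the workshop, that compares that output with the checklist; the client JSON embedded in it is a constructed sample of the expected configuration. It goes slightly beyond the checklist in a way a reviewer of a redirect configuration would want: callback and sign-out URLs must match the expected set exactly (an extra registered redirect target is reported, not ignored), the default redirect must be one of the callbacks, plaintext http is only accepted for localhost, and a client secret on an SPA client is reported because a browser cannot keep it confidential.

```python
import json

# Expected values from the Phase 6 completion checklist.
EXPECTED = {
    "UserPoolId": "us-east-1_9AoKPqZO1",
    "ClientId": "661fm3mj7s5qcmoldri1mem9sr",
    "DefaultRedirectURI": "https://myfit.click/callback",
    # Exact-match sets: any extra redirect target or grant type is a finding.
    "CallbackURLs": {"http://localhost:8081/callback", "https://myfit.click/callback", "myfit://callback"},
    "LogoutURLs": {"http://localhost:8081/logout", "https://myfit.click/logout", "myfit://logout"},
    "AllowedOAuthFlows": {"code"},
    # Required sets: these must be present, extras are allowed.
    "SupportedIdentityProviders": {"Google"},
    "AllowedOAuthScopes": {"email", "openid", "profile"},
}
EXACT_KEYS = ("CallbackURLs", "LogoutURLs", "AllowedOAuthFlows")
REQUIRED_KEYS = ("SupportedIdentityProviders", "AllowedOAuthScopes")

# Constructed sample of `describe-user-pool-client` output matching the checklist.
SAMPLE_CLIENT = json.loads("""
{
  "UserPoolClient": {
    "UserPoolId": "us-east-1_9AoKPqZO1",
    "ClientId": "661fm3mj7s5qcmoldri1mem9sr",
    "ClientName": "Fitme-cognito-web-auth-service",
    "CallbackURLs": ["http://localhost:8081/callback", "https://myfit.click/callback", "myfit://callback"],
    "LogoutURLs": ["http://localhost:8081/logout", "https://myfit.click/logout", "myfit://logout"],
    "DefaultRedirectURI": "https://myfit.click/callback",
    "SupportedIdentityProviders": ["Google"],
    "AllowedOAuthFlows": ["code"],
    "AllowedOAuthScopes": ["email", "openid", "profile"],
    "AllowedOAuthFlowsUserPoolClient": true
  }
}
""")


def check_app_client(desc, expected=EXPECTED):
    """Return findings for the app client; an empty list means it matches the checklist."""
    c = desc.get("UserPoolClient", desc)
    findings = []
    for key in ("UserPoolId", "ClientId", "DefaultRedirectURI"):
        if c.get(key) != expected[key]:
            findings.append(f"{key}: expected {expected[key]!r}, got {c.get(key)!r}")
    for key in EXACT_KEYS:
        actual = set(c.get(key, []))
        findings += [f"{key}: missing {v}" for v in sorted(expected[key] - actual)]
        findings += [f"{key}: unexpected {v}" for v in sorted(actual - expected[key])]
    for key in REQUIRED_KEYS:
        actual = set(c.get(key, []))
        findings += [f"{key}: missing {v}" for v in sorted(expected[key] - actual)]
    # Managed login only issues tokens for this client when OAuth flows are enabled on it.
    if not c.get("AllowedOAuthFlowsUserPoolClient"):
        findings.append("AllowedOAuthFlowsUserPoolClient is false; managed login will not work")
    if expected["DefaultRedirectURI"] not in set(c.get("CallbackURLs", [])):
        findings.append("DefaultRedirectURI is not one of the CallbackURLs")
    # Redirect targets over plaintext http are only acceptable for local development.
    for url in sorted(set(c.get("CallbackURLs", [])) | set(c.get("LogoutURLs", []))):
        if url.startswith("http://") and not url.startswith("http://localhost"):
            findings.append(f"plaintext http redirect outside localhost: {url}")
    # An SPA runs in the browser and cannot protect a client secret.
    if c.get("ClientSecret"):
        findings.append("SPA app client has a client secret")
    return findings


def with_callback(desc, url):
    """Deep copy of the description with one extra callback URL (used to exercise the checks)."""
    copy = json.loads(json.dumps(desc))
    copy["UserPoolClient"]["CallbackURLs"].append(url)
    return copy


if __name__ == "__main__":
    import sys
    desc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CLIENT
    for finding in check_app_client(desc) or ["app client matches the Phase 6 checklist"]:
        print(finding)
```

Save the CLI output to a file and pass its path as the first argument; with no argument the script runs against the constructed sample. The exact-match treatment of redirect URLs is deliberate: Cognito only redirects to registered URLs, so the registered set is the boundary that keeps authorization codes from being sent anywhere other than the application.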