Class CognitoOidcConfiguration

java.lang.Object
com.cloudforge.core.oidc.CognitoOidcConfiguration
All Implemented Interfaces:
OidcConfiguration

public class CognitoOidcConfiguration extends Object implements OidcConfiguration
OIDC configuration for Amazon Cognito User Pools.

Amazon Cognito is a standalone user directory service that provides:

  • User sign-up and sign-in
  • Multi-factor authentication (MFA)
  • Social identity providers (Google, Facebook, etc.)
  • OIDC and OAuth 2.0 support
  • Built-in hosted UI

Important: Cognito and IAM Identity Center are separate systems. Use CognitoOidcConfiguration for Cognito User Pools, and IdentityCenterOidcConfiguration for IAM Identity Center.

Cognito OIDC Endpoints:

  • Authorization: https://{domain}.auth.{region}.amazoncognito.com/oauth2/authorize
  • Token: https://{domain}.auth.{region}.amazoncognito.com/oauth2/token
  • UserInfo: https://{domain}.auth.{region}.amazoncognito.com/oauth2/userInfo
  • JWKS: https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
  • Constructor Details

    • CognitoOidcConfiguration

      public CognitoOidcConfiguration(String region, String userPoolId, String domain, String clientId, String clientSecretArn, String redirectUrl, String adminGroupName)
      Creates a Cognito OIDC configuration.
      Parameters:
      region - AWS region (e.g., us-east-1)
      userPoolId - Cognito User Pool ID (e.g., us-east-1_abcdef123)
      domain - Cognito domain prefix or custom domain (e.g., myapp or auth.example.com)
      clientId - OAuth 2.0 client ID
      clientSecretArn - Secrets Manager ARN for client secret
      redirectUrl - Application callback URL
      adminGroupName - Admin group name for role mapping
  • Method Details

    • getProviderType

      public String getProviderType()
      Description copied from interface: OidcConfiguration
      Returns the OIDC provider type.
      Specified by:
      getProviderType in interface OidcConfiguration
      Returns:
      provider type (cognito, identity-center, external)
    • getIssuerUrl

      public String getIssuerUrl()
      Description copied from interface: OidcConfiguration
      Returns the OIDC issuer URL. This is the base URL for the OIDC provider.

      Examples:

      • Cognito: https://cognito-idp.{region}.amazonaws.com/{userPoolId}
      • Identity Center: https://{tenant}.awsapps.com/start
      Specified by:
      getIssuerUrl in interface OidcConfiguration
      Returns:
      issuer URL
    • getAuthorizationEndpoint

      public String getAuthorizationEndpoint()
      Description copied from interface: OidcConfiguration
      Returns the OIDC authorization endpoint.

      This is where users are redirected to authenticate.

      Specified by:
      getAuthorizationEndpoint in interface OidcConfiguration
      Returns:
      authorization endpoint URL
    • getTokenEndpoint

      public String getTokenEndpoint()
      Description copied from interface: OidcConfiguration
      Returns the OIDC token endpoint.

      This is where applications exchange authorization codes for tokens.

      Specified by:
      getTokenEndpoint in interface OidcConfiguration
      Returns:
      token endpoint URL
    • getUserInfoEndpoint

      public String getUserInfoEndpoint()
      Description copied from interface: OidcConfiguration
      Returns the OIDC userinfo endpoint.

      This is where applications retrieve user profile information.

      Specified by:
      getUserInfoEndpoint in interface OidcConfiguration
      Returns:
      userinfo endpoint URL
    • getJwksUri

      public String getJwksUri()
      Description copied from interface: OidcConfiguration
      Returns the OIDC JWKS (JSON Web Key Set) endpoint.

      This is where applications retrieve public keys to verify JWT signatures.

      Specified by:
      getJwksUri in interface OidcConfiguration
      Returns:
      JWKS endpoint URL
    • getClientId

      public String getClientId()
      Description copied from interface: OidcConfiguration
      Returns the OAuth 2.0 client ID.

      This is the application identifier registered with the OIDC provider.

      Specified by:
      getClientId in interface OidcConfiguration
      Returns:
      client ID
    • getClientSecretArn

      public String getClientSecretArn()
      Description copied from interface: OidcConfiguration
      Returns the AWS Secrets Manager ARN for the client secret.

      The client secret is stored securely in AWS Secrets Manager. Applications retrieve it at runtime using IAM permissions.

      Specified by:
      getClientSecretArn in interface OidcConfiguration
      Returns:
      Secrets Manager ARN for client secret
    • getRedirectUrl

      public String getRedirectUrl()
      Description copied from interface: OidcConfiguration
      Returns the redirect URL for this application.

      This is the callback URL where the OIDC provider redirects after authentication. Typically: https://{application-domain}/oauth2/callback or similar.

      Specified by:
      getRedirectUrl in interface OidcConfiguration
      Returns:
      redirect URL
    • getScopes

      public String getScopes()
      Description copied from interface: OidcConfiguration
      Returns the OAuth 2.0 scopes requested by this application.

      Common scopes: openid, profile, email, groups

      Specified by:
      getScopes in interface OidcConfiguration
      Returns:
      space-separated list of scopes
    • getUsernameClaim

      public String getUsernameClaim()
      Description copied from interface: OidcConfiguration
      Returns the claim name for username mapping.

      This JWT claim is used as the application username.

      Common values: preferred_username, email, sub

      Specified by:
      getUsernameClaim in interface OidcConfiguration
      Returns:
      username claim name
    • getGroupsClaim

      public String getGroupsClaim()
      Description copied from interface: OidcConfiguration
      Returns the claim name for group membership.

      This is used for role-based access control in applications.

      Common values: cognito:groups, groups

      Specified by:
      getGroupsClaim in interface OidcConfiguration
      Returns:
      groups claim name (optional)
    • getAdminGroupName

      public String getAdminGroupName()
      Description copied from interface: OidcConfiguration
      Returns the admin group name for role mapping.

      Users in this group receive admin privileges in the application.

      Specified by:
      getAdminGroupName in interface OidcConfiguration
      Returns:
      admin group name (optional)
    • getUserPoolId

      public String getUserPoolId()
      Returns the Cognito User Pool ID.
      Returns:
      user pool ID
    • getRegion

      public String getRegion()
      Returns the AWS region.
      Returns:
      region
    • getDomain

      public String getDomain()
      Returns the Cognito domain.
      Returns:
      domain prefix or custom domain
    • toString

      public String toString()
      Overrides:
      toString in class Object
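The following is an added example, not part of the CloudForge code base, showing how an application would consume this configuration once a JWT library has verified the ID token's signature with the keys from getJwksUri(): it checks the iss, aud, token_use and exp claims against the configuration and maps the groups claim to a role using getAdminGroupName(). It assumes getIssuerUrl() returns the Cognito issuer pattern shown above and that getGroupsClaim() returns cognito:groups; CognitoIdTokenRoleMapper, mapRole, the sample IDs and the ARN are hypothetical placeholders.

```java
import java.time.Instant;
import java.util.List;
import java.util.Map;
import com.cloudforge.core.oidc.CognitoOidcConfiguration;
import com.cloudforge.core.oidc.OidcConfiguration;

public final class CognitoIdTokenRoleMapper {
    public enum Role { ADMIN, USER }

    // Validates the claims of an ID token whose signature a JWT library has already
    // checked with the keys from getJwksUri(), then maps group membership to a role.
    public static Role mapRole(OidcConfiguration config, Map<String, Object> claims) {
        // iss must equal the User Pool issuer exactly; another pool or region differs.
        if (!config.getIssuerUrl().equals(claims.get("iss"))) {
            throw new SecurityException("issuer mismatch");
        }
        // Cognito ID tokens carry the app client ID in aud and token_use=id; access
        // tokens (client_id, token_use=access) are not accepted as proof of login.
        if (!config.getClientId().equals(claims.get("aud")) || !"id".equals(claims.get("token_use"))) {
            throw new SecurityException("not an ID token issued to this client");
        }
        Object exp = claims.get("exp");
        if (!(exp instanceof Number)
                || Instant.ofEpochSecond(((Number) exp).longValue()).isBefore(Instant.now())) {
            throw new SecurityException("token expired");
        }
        // Groups come from the configured claim; a missing claim is never ADMIN.
        Object groups = claims.get(config.getGroupsClaim());
        String admin = config.getAdminGroupName();
        if (admin != null && groups instanceof List<?> && ((List<?>) groups).contains(admin)) {
            return Role.ADMIN;
        }
        return Role.USER;
    }

    public static void main(String[] args) {
        // Constructed sample values: pool ID, client ID and ARN are placeholders.
        CognitoOidcConfiguration config = new CognitoOidcConfiguration(
                "us-east-1", "us-east-1_abcdef123", "myapp", "example-client-id",
                "arn:aws:secretsmanager:us-east-1:000000000000:secret:placeholder",
                "https://app.example.com/oauth2/callback", "Admins");
        // Constructed claims in the shape of a Cognito ID token (assumes
        // getGroupsClaim() returns cognito:groups, Cognito's own group claim).
        Map<String, Object> claims = Map.of(
                "iss", "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdef123",
                "aud", "example-client-id", "token_use", "id",
                "exp", Instant.now().getEpochSecond() + 300,
                "cognito:groups", List.of("Admins", "Users"));
        System.out.println("mapped role: " + mapRole(config, claims));
    }
}
```

Rejecting access tokens at the token_use check matters because both token types are signed by the same User Pool keys, so a signature check alone does not distinguish them.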