
I did set up the Cognito Hosted UI, but currently, to be able to access the login screen, we have to visit this pretty ugly link:

https://{...}.auth.us-east-1.amazoncognito.com/login?response_type=code&client_id={...}&redirect_uri={...}

That's not exactly what we want; we would prefer something much cleaner (such as login.ourdomain.com, with all parameters which are not relevant to our customers obscured). We hope for something like Route 53, where we can set up nice links for our Elastic Beanstalk apps.

So I would like to ask - is this possible? And how? The information on this subject is very scarce - in one post, we learned that a TLS certificate is necessary for this. We have it, but still have no idea how to set it up.

Thanks a lot.

  • Just a thought.. You could use your own hosted UI with the relevant SDK for your app. Is there a reason you want the hosted UI specifically?
    – KiteCoder
    Commented Jul 19, 2018 at 14:24

1 Answer


Yes, it is possible to use your own domain for this. I'm going to assume you want a subdomain, e.g. id.your-domain.com.

First you need to have a certificate in Amazon's "AWS Certificate Manager" for the subdomain you want to use. You can create or import a certificate in the ACM, and it is quite easy to do using the console if your domain is registered via AWS. In my experience the certificate MUST be in the us-east-1 region no matter which region your user pool is in.

Once you have the certificate in the ACM, go to your domain config for the hosted UI; there is a section "Your own domain" where you can enter the subdomain and select the appropriate certificate. When you click the button to create, it will create a CloudFront distribution for this subdomain (with the AWS hosted UI) and give you the address of the distribution (Alias target) - copy this down. Note that it may take a few minutes for the CloudFront distribution to spin up.

Go to Route 53 (or however you configure DNS) and add a record set for the domain. It should be an A record which is an alias to the CloudFront distribution you noted above (Alias target). Create the record, go make a coffee, and in 15 minutes DNS and CloudFront have hopefully sorted themselves out and you can use your domain for the hosted UI.

e.g. https://<your-domain>/login?response_type=token&client_id=<client-id>&redirect_uri=<redirect-uri>

  • Hello, thank you for the detailed response; however, it's not exactly what I am looking for. I am looking for a way to hide those ugly parameters in the URL, so the users can reach the login screen using a simple address such as "login.my-domain.com", without the need to enter my client id and other parameters not relevant to them...
    – Jozef
    Commented Jul 19, 2018 at 10:17
  • @Jozef Ah I see, sorry! I think it may be possible but it's a bit hacky. Instead of putting the CloudFront distribution as the A record in DNS you could create a reverse proxy on an EC2 instance which passes everything through to the CloudFront distribution except the root request, to which it will add the post parameters for the default client/callback. I don't think this functionality will be standard in Cognito because AFAIK the hosted UI is supposed to support multiple clients.
    – Ravenscar
    Commented Jul 19, 2018 at 11:31
  • Thanks again, will try to set it up. Still, I don't understand why this can't be a standard functionality. Of course, we will redirect unauthorized visitors to this login page so it doesn't have to be remembered, but why can't we also be able to provide them a clean link to the login screen and hide the parameters such as clientId somewhere in the settings?
    – Jozef
    Commented Jul 19, 2018 at 12:46
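As an added example (not code from the post, from Cognito, or from AWS), here is the reverse proxy sketched in Ravenscar's comment above as a minimal Python WSGI app: only the root request is rewritten to the Hosted UI `/login` endpoint, with the client id and callback fixed on the server rather than taken from the visitor, and everything else is forwarded to the CloudFront distribution untouched. The custom domain, Alias target, client id and callback URL are placeholders you would replace with your own.

```python
# Added example, not from the original post: the reverse proxy in front of the
# Hosted UI that the comments sketch, as a small WSGI app. Only the root request
# is rewritten, to /login with a client id and callback fixed on the server;
# every other request is forwarded to the CloudFront distribution unchanged.
from http.client import HTTPSConnection
from urllib.parse import urlencode, urlsplit

CUSTOM_DOMAIN = "login.example.com"                # placeholder custom domain (DNS -> this proxy)
UPSTREAM = "d111111abcdef8.cloudfront.net"         # placeholder for the Alias target
CLIENT_ID = "EXAMPLE_CLIENT_ID"                    # placeholder app client id
REDIRECT_URI = "https://app.example.com/callback"  # must be a callback registered on the client
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "host"}

def upstream_path(path, query=""):
    """Map an incoming request target to the one sent upstream.

    '/' becomes the Hosted UI login URL with parameters fixed here. Any query
    string on '/' is deliberately discarded: if client_id or redirect_uri could
    be supplied by the visitor, anyone could mint login.example.com links that
    deliver the authorization code to a callback of their own choosing.
    """
    if path in ("", "/"):
        if urlsplit(REDIRECT_URI).scheme != "https":
            raise ValueError("redirect_uri must use https")
        return "/login?" + urlencode({"response_type": "code",
                                      "client_id": CLIENT_ID,
                                      "redirect_uri": REDIRECT_URI,
                                      "scope": "openid email"})
    return path + ("?" + query if query else "")

def app(environ, start_response):
    """WSGI proxy: forward to CloudFront, presenting the custom domain as Host."""
    target = upstream_path(environ.get("PATH_INFO", "/"), environ.get("QUERY_STRING", ""))
    headers = {}
    for key, value in environ.items():            # copy request headers, minus hop-by-hop ones
        if key.startswith("HTTP_"):
            name = key[5:].replace("_", "-").lower()
            if name not in HOP_BY_HOP:
                headers[name] = value
    headers["host"] = CUSTOM_DOMAIN               # CloudFront selects the distribution by Host
    if environ.get("CONTENT_TYPE"):
        headers["content-type"] = environ["CONTENT_TYPE"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = environ["wsgi.input"].read(length) if length else None
    conn = HTTPSConnection(UPSTREAM, timeout=10)
    conn.request(environ["REQUEST_METHOD"], target, body=body, headers=headers)
    resp = conn.getresponse()
    start_response(f"{resp.status} {resp.reason}",
                   [(k, v) for k, v in resp.getheaders() if k.lower() not in HOP_BY_HOP])
    return [resp.read()]
```

Serve `app` with any WSGI server (for a quick local try, `wsgiref.simple_server.make_server("127.0.0.1", 8080, app)`) and point the custom domain's DNS at that host instead of the CloudFront alias.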
