Cognito Identity Provider Setup

Configure Google identity provider in Cognito with OAuth credentials.

What It Does

Updates the placeholder Google identity provider that CDK creates with the real OAuth client ID and secret collected during GCP setup. This enables Google social login for user authentication.

Note: Microsoft authentication is handled directly by the application (not via Cognito) due to Cognito's strict issuer validation rejecting Microsoft's multi-tenant tokens. See outlook-setup.md for Microsoft OAuth configuration.

When to Run

After:

Before:

Prerequisites

Steps

Option A: Script (reads credentials from SSM)

cd /home/volrath/code/orcha/orcha/infra

# Default: reads credentials from SSM
./scripts/setup-cognito-idps.sh --profile orcha-prod

# Dry run (show what would be updated)
./scripts/setup-cognito-idps.sh --profile orcha-prod --dry-run

The script reads credentials from SSM and updates the Cognito Google identity provider.

Option B: AWS Console (Manual)

  1. Open AWS Console - Cognito
  2. Select v1-orcha-user-pool
  3. Go to Sign-in experience tab
  4. Under Federated identity provider sign-in, click Google
  5. Click Edit and enter:

Verify

# Verify Google IdP is configured (should show real client ID, not placeholder)
aws cognito-idp describe-identity-provider \
    --profile orcha-prod \
    --region eu-central-1 \
    --user-pool-id $(aws ssm get-parameter --profile orcha-prod --region eu-central-1 --name /v1-orcha/cognito-user-pool-id --query 'Parameter.Value' --output text) \
    --provider-name Google \
    --query 'IdentityProvider.ProviderDetails.client_id' \
    --output text
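The one-line query above only prints the client ID. The following script is an added example (not the project's setup-cognito-idps.sh) that applies a fuller set of checks to the same DescribeIdentityProvider result: that the client ID has the shape of a real Google client ID rather than a placeholder, that the authorize scopes and email attribute mapping are present, and it prints the redirect URI the Google OAuth app must list. The profile, region, SSM parameter name and Cognito domain are taken from this page; the placeholder marker, the required scope set and the sample response are assumptions and are labelled as such in the code.

```python
import re

REGION = "eu-central-1"
PROFILE = "orcha-prod"
USER_POOL_ID_PARAM = "/v1-orcha/cognito-user-pool-id"
COGNITO_DOMAIN = "v1-orcha-prod-auth"

# Real Google OAuth client IDs look like "<digits>-<hash>.apps.googleusercontent.com".
GOOGLE_CLIENT_ID_RE = re.compile(r"^\d+-[a-z0-9]+\.apps\.googleusercontent\.com$")
# Assumption: the CDK placeholder contains the word "placeholder"; adjust to the stack's marker.
PLACEHOLDER_RE = re.compile("placeholder", re.IGNORECASE)
# Assumption: the hosted UI login needs at least these scopes from Google.
REQUIRED_SCOPES = {"openid", "email"}


def expected_redirect_uri(domain: str, region: str) -> str:
    """The redirect URI the Google OAuth app must list for Cognito's hosted UI."""
    return f"https://{domain}.auth.{region}.amazoncognito.com/oauth2/idpresponse"


def check_provider(idp: dict) -> list[str]:
    """Return problems found in a DescribeIdentityProvider result; an empty list means OK."""
    problems = []
    if idp.get("ProviderType") != "Google":
        problems.append(f"ProviderType is {idp.get('ProviderType')!r}, expected 'Google'")
    details = idp.get("ProviderDetails", {})
    client_id = details.get("client_id", "")
    if not client_id:
        problems.append("client_id is missing")
    elif PLACEHOLDER_RE.search(client_id) or not GOOGLE_CLIENT_ID_RE.match(client_id):
        problems.append(f"client_id is not a real Google client ID: {client_id!r}")
    scopes = set(details.get("authorize_scopes", "").split())
    missing = REQUIRED_SCOPES - scopes
    if missing:
        problems.append(f"authorize_scopes lacks {sorted(missing)}")
    # Without an email mapping the user pool creates federated users with no usable identifier.
    if "email" not in idp.get("AttributeMapping", {}):
        problems.append("AttributeMapping does not map email")
    return problems


def fetch_provider(profile: str = PROFILE, region: str = REGION) -> dict:
    """Live lookup via boto3 (imported here so the checks above stay usable offline)."""
    import boto3
    session = boto3.Session(profile_name=profile, region_name=region)
    pool_id = session.client("ssm").get_parameter(Name=USER_POOL_ID_PARAM)["Parameter"]["Value"]
    return session.client("cognito-idp").describe_identity_provider(
        UserPoolId=pool_id, ProviderName="Google")["IdentityProvider"]


# Constructed sample shaped like the API response, used when run without AWS access.
SAMPLE_PLACEHOLDER = {
    "ProviderType": "Google",
    "ProviderDetails": {"client_id": "placeholder-client-id", "authorize_scopes": "openid email profile"},
    "AttributeMapping": {"email": "email"},
}

if __name__ == "__main__":
    import sys
    idp = fetch_provider() if "--live" in sys.argv else SAMPLE_PLACEHOLDER
    print("redirect URI to register in Google Cloud Console:", expected_redirect_uri(COGNITO_DOMAIN, REGION))
    problems = check_provider(idp)
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)
```

Run it with `--live` to query the real user pool through the orcha-prod profile; without that flag it checks the constructed placeholder sample and exits non-zero, which is what a pool still carrying CDK's placeholder should look like.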

Troubleshooting

"Identity provider not found"

Cause: CDK hasn't created the identity providers yet.

Fix: Ensure CDK has been deployed first. The Google identity provider is created with placeholder values during CDK deployment.

"Access denied" when updating IdP

Cause: AWS credentials don't have permission to modify Cognito.

Fix: Ensure your AWS profile has cognito-idp:UpdateIdentityProvider permission on the user pool, plus ssm:GetParameter for the credential parameters the script reads (and kms:Decrypt if they are stored as SecureString). The CDK deployment role should have this.

Google login fails with "redirect_uri_mismatch"

Cause: The redirect URI in Google Cloud Console doesn't match Cognito's callback URL.

Fix: Ensure the Google OAuth app has this exact redirect URI:

https://{cognito-domain}.auth.eu-central-1.amazoncognito.com/oauth2/idpresponse

SSM parameter not found

Cause: The OAuth credentials haven't been stored in SSM yet.

Fix:

  1. Complete GCP setup first
  2. Run ./scripts/update-secrets.sh --from-file secrets
  3. Verify parameters exist:
    aws ssm get-parameter --profile orcha-prod --region eu-central-1 --name /v1-orcha/cognito-google-client-id

Reference

Resource             Prod Value
User Pool Name       v1-orcha-user-pool
Cognito Domain       v1-orcha-prod-auth
Google IdP Name      Google
Google Redirect URI  https://v1-orcha-prod-auth.auth.eu-central-1.amazoncognito.com/oauth2/idpresponse
Script               scripts/setup-cognito-idps.sh

Authentication Architecture

Google Login:  User → App → Cognito → Google → Cognito → App
Microsoft:     User → App → Microsoft directly → App (bypasses Cognito)

Google uses Cognito's hosted UI flow: the app sends the user to the Cognito domain, Cognito redirects to Google and receives the response at /oauth2/idpresponse, and the app only ever sees Cognito-issued tokens. Microsoft authentication is handled directly by the application because a Cognito OIDC provider is configured with one fixed issuer, while Microsoft's multi-tenant tokens carry a per-tenant issuer (https://login.microsoftonline.com/{tenant-id}/v2.0), so the issuer check never matches. The consequence is that for Microsoft the application, not Cognito, is the relying party: it must verify the token signature, check the issuer against an allowlist of tenant IDs rather than accepting any tenant, and check that the audience is its own client ID.
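To make the issuer problem concrete, the following is an added example, not the application's code: it contrasts the exact-match issuer check a single-issuer OIDC provider performs with the tenant-allowlist check an application must perform itself once it talks to Microsoft directly. The tenant IDs, client ID and token claims are constructed; signature verification against the tenant's JWKS is assumed to have already happened and is not shown.

```python
import re

# Microsoft identity platform v2.0 tokens carry the issuing tenant in `iss`:
#   https://login.microsoftonline.com/<tenant-id>/v2.0
# and repeat it in the `tid` claim. A different tenant means a different issuer string.
MS_ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/v2\.0$"
)

# What the `common` multi-tenant discovery document publishes as its issuer: a
# template, not a value any real token will ever carry.
COMMON_METADATA_ISSUER = "https://login.microsoftonline.com/{tenantid}/v2.0"


def fixed_issuer_check(claims: dict, configured_issuer: str) -> bool:
    """A single-issuer OIDC provider's model (what Cognito does): exact string equality."""
    return claims.get("iss") == configured_issuer


def app_token_check(claims: dict, allowed_tenants: set[str], client_id: str) -> str:
    """Checks the application owns when it bypasses Cognito for Microsoft.
    Returns the tenant ID on success, raises ValueError otherwise.
    Signature verification is assumed to have been done before this is called."""
    iss = claims.get("iss", "")
    m = MS_ISSUER_RE.match(iss)
    if not m:
        raise ValueError(f"issuer is not a Microsoft v2.0 tenant issuer: {iss!r}")
    tenant = m.group(1)
    if tenant not in allowed_tenants:
        raise ValueError(f"tenant {tenant} is not on the allowlist")
    if claims.get("tid") != tenant:
        raise ValueError("tid claim does not match the issuer's tenant")
    if claims.get("aud") != client_id:
        raise ValueError("token was not issued for this application")
    return tenant


# Constructed sample claims (not real tenants, tokens or client IDs).
OUR_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"
APP_CLIENT_ID = "orcha-app-client-id"  # assumption: the app's Microsoft client ID

TOKEN_FROM_OUR_TENANT = {
    "iss": f"https://login.microsoftonline.com/{OUR_TENANT}/v2.0",
    "tid": OUR_TENANT, "aud": APP_CLIENT_ID, "sub": "user-1",
}
TOKEN_FROM_OTHER_TENANT = {
    "iss": f"https://login.microsoftonline.com/{OTHER_TENANT}/v2.0",
    "tid": OTHER_TENANT, "aud": APP_CLIENT_ID, "sub": "user-2",
}


def demo() -> dict:
    """Run both models over the two constructed tokens and collect the outcomes."""
    results = {
        # Neither token equals the template issuer, so a fixed-issuer validator
        # configured from the multi-tenant metadata rejects every Microsoft token.
        "fixed_accepts_ours": fixed_issuer_check(TOKEN_FROM_OUR_TENANT, COMMON_METADATA_ISSUER),
        "fixed_accepts_other": fixed_issuer_check(TOKEN_FROM_OTHER_TENANT, COMMON_METADATA_ISSUER),
    }
    for name, tok in (("app_ours", TOKEN_FROM_OUR_TENANT), ("app_other", TOKEN_FROM_OTHER_TENANT)):
        try:
            results[name] = app_token_check(tok, {OUR_TENANT}, APP_CLIENT_ID)
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allowlist is the part that matters: accepting any well-formed Microsoft issuer would let a user from an arbitrary tenant sign in, which is the usual mistake when an application takes over validation from a federation broker. A Cognito OIDC provider pointed at one specific tenant's issuer would match that tenant's tokens; it is only the multi-tenant (per-tenant-issuer) case that forces the application-side path this page describes.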