HUAWEI ID authentication on Amazon Cognito — Huawei ID Federated Identity Provider

Taha HICHRI · Published in Huawei Developers · 3 min read · Mar 22, 2021
Cognito Hosted UI with Huawei ID sign in

Amazon Cognito provides authentication, authorization, and user management for web and mobile apps. Users can sign in directly with a user name and password, or through a third party such as Facebook, Amazon, Google or Apple.

While signing in with those providers is more straightforward in the Cognito UI, we can connect additional providers through OpenID Connect (built on the OAuth 2.0 protocol).

We won’t have to worry about managing different providers with different parameters and responses. With the built-in hosted web UI, Amazon Cognito provides token handling and management for all authenticated users, so our backend systems can standardize on one set of user pool tokens.

Prerequisites

Before you begin, you need:

Prepare your project on AppGallery Connect

To add an OIDC IdP (in our case HUAWEI ID) to a User Pool, we need to first get the client_id and client_secret.

For that, log in to your AppGallery Connect console and create a new API. Follow this guide and stop after step 3.

Instead of selecting ML Kit as in the guide, we will select Account Kit.

Click RISC and then click the enable button.

Now go to Create credentials and choose OAuth 2.0 client.

Your OAuth 2.0 client details should look like this:

Now click Create and you should see something like this:

Now we need those values (the client ID and client secret) to create our Identity Provider.

Adding HUAWEI ID Identity Provider to a User Pool

We will use the AWS CLI to do that, just to highlight the values we need to change, but remember that you can do the same from the AWS console or with the CreateIdentityProvider API.

Run this command in your terminal after replacing the values with your own:

NOTE: for “authorize_scopes” you can leave “openid” only, but if the “email” attribute is required in your user pool, you need to add “email” as well; otherwise Huawei will not return the email claim and the authentication will fail.

Attributes Mapping (optional)

Providers may name their attributes differently, which can cause issues when using an IdP. You fix that by mapping the HUAWEI ID attributes to your User Pool attributes.
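The following is an added example, not the article's own CLI command, covering both the identity-provider creation above and the attribute mapping. It builds the same request that the CLI or the CreateIdentityProvider API takes (the `ProviderDetails` keys are the ones Cognito documents for OIDC providers) and refuses to produce it when a required pool attribute has no scope or no mapping, which is exactly the failure the NOTE describes. The HUAWEI ID endpoint URLs are an assumption recalled from Huawei's OAuth 2.0 documentation (the link under References); confirm them there before use, and the `boto3` call at the bottom only runs when the script is executed directly with real credentials.

```python
"""Build a Cognito OIDC identity-provider request for HUAWEI ID and check it
before it is sent (added example; not the article's own command)."""
from typing import Dict, Iterable, Optional, Set

# HUAWEI ID OAuth 2.0 / OIDC endpoints.
# ASSUMPTION: recalled from Huawei's Account Kit OAuth 2.0 documentation
# (the link under References); confirm each value there before creating the IdP.
HUAWEI_OIDC_ENDPOINTS: Dict[str, str] = {
    "oidc_issuer": "https://accounts.huawei.com",
    "authorize_url": "https://oauth-login.cloud.huawei.com/oauth2/v3/authorize",
    "token_url": "https://oauth-login.cloud.huawei.com/oauth2/v3/token",
    "attributes_url": "https://account.cloud.huawei.com/rest.php?nsp_svc=GOpen.User.getInfo",
    "jwks_uri": "https://oauth-login.cloud.huawei.com/oauth2/v3/certs",
}

# Which OAuth scope must be granted for a given pool attribute to come back.
# "openid" alone only yields the subject ("sub"); the "email" claim needs "email".
SCOPE_REQUIRED_FOR_ATTRIBUTE: Dict[str, str] = {"email": "email"}

# Default mapping of Cognito user-pool attributes to provider claims:
# "sub" is the standard OIDC subject, "email" the standard OIDC email claim.
DEFAULT_ATTRIBUTE_MAPPING: Dict[str, str] = {"username": "sub", "email": "email"}


def build_huawei_idp_request(
    user_pool_id: str,
    client_id: str,
    client_secret: str,
    required_pool_attributes: Iterable[str],
    authorize_scopes: Iterable[str] = ("openid",),
    attribute_mapping: Optional[Dict[str, str]] = None,
    provider_name: str = "HuaweiID",
) -> Dict[str, object]:
    """Return the keyword arguments for cognito-idp CreateIdentityProvider.

    Raises ValueError for the two misconfigurations that otherwise surface
    only at sign-in time: a required pool attribute whose scope is not
    requested, and a required pool attribute not mapped to any claim.
    """
    required: Set[str] = set(required_pool_attributes)

    # Keep caller order, drop duplicates, and always request "openid" first.
    scopes = []
    for scope in ("openid", *authorize_scopes):
        if scope not in scopes:
            scopes.append(scope)

    for attr in sorted(required):
        needed = SCOPE_REQUIRED_FOR_ATTRIBUTE.get(attr)
        if needed and needed not in scopes:
            raise ValueError(
                f"user pool requires '{attr}' but authorize_scopes lacks '{needed}'; "
                "the provider would not return the claim and sign-in would fail")

    mapping = dict(DEFAULT_ATTRIBUTE_MAPPING if attribute_mapping is None else attribute_mapping)
    unmapped = sorted(required - set(mapping))
    if unmapped:
        raise ValueError(f"required pool attributes have no claim mapping: {unmapped}")

    provider_details = {
        "client_id": client_id,
        "client_secret": client_secret,
        # ASSUMPTION: switch to "POST" if the userinfo endpoint rejects GET.
        "attributes_request_method": "GET",
        "authorize_scopes": " ".join(scopes),
        **HUAWEI_OIDC_ENDPOINTS,
    }
    return {
        "UserPoolId": user_pool_id,
        "ProviderName": provider_name,
        "ProviderType": "OIDC",
        "ProviderDetails": provider_details,
        "AttributeMapping": mapping,
    }


if __name__ == "__main__":
    import os
    import boto3  # only needed to actually call AWS

    request = build_huawei_idp_request(
        user_pool_id=os.environ["COGNITO_USER_POOL_ID"],  # placeholder, e.g. eu-west-1_XXXXXXXXX
        client_id=os.environ["HUAWEI_CLIENT_ID"],         # from the AppGallery OAuth 2.0 client
        client_secret=os.environ["HUAWEI_CLIENT_SECRET"],
        required_pool_attributes={"email"},
        authorize_scopes=["openid", "email"],
    )
    boto3.client("cognito-idp").create_identity_provider(**request)
    print(f"created identity provider {request['ProviderName']}")
```

Because the secret is read from the environment rather than pasted into a shell history, and the scope/mapping checks run before any API call, a pool that requires `email` cannot be wired to a provider that only requests `openid`.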

References

You can check the returned user info on this link: https://developer.huawei.com/consumer/en/doc/development/HMSCore-Guides-V5/open-platform-oauth-0000001053629189-V5
