Power Pages Authentication Using Amazon Cognito

Overview

In today’s digital-first world, secure, seamless authentication is a cornerstone of the user experience. Microsoft Power Pages, part of the Power Platform, empowers organizations to build low-code, data-driven websites. But to truly unlock its potential, integrating external identity providers is essential. Among the many options available, Amazon Cognito stands out as a robust, scalable, and developer-friendly solution for managing user identities.

In this blog, we’ll explore why and how to add Amazon Cognito as an external identity provider in Power Pages.

Why External Identity Matters

By default, Power Pages supports local authentication, but this approach is not recommended for production scenarios. Local accounts can quickly become difficult to manage, lack enterprise-grade security, and don’t scale well. Instead, organizations should leverage external identity providers such as Azure AD B2C, Google, LinkedIn, or Amazon Cognito.

External identity integration offers several benefits:

  • Single Sign-On (SSO): Users can log in with existing credentials, reducing friction.
  • Enhanced Security: Providers like Cognito support multi-factor authentication (MFA), token-based access, and compliance with standards like OAuth 2.0 and OpenID Connect.
  • Scalability: External identity systems are built to handle millions of users across applications.
  • Flexibility: You can integrate social logins, enterprise directories, or custom identity pools.

Amazon Cognito

Amazon Cognito is AWS’s identity management service that allows developers to add authentication, authorization, and user management to web and mobile applications. It offers two key components:

  • User Pools: A user directory that handles sign-up, sign-in, and user profiles.
  • Identity Pools: Provide temporary AWS credentials to access other AWS services, and can federate identities from multiple providers (social, enterprise, or custom).

For Power Pages, Cognito’s OpenID Connect (OIDC) support makes it a natural fit. OIDC is a widely adopted standard that Power Pages can use to authenticate users against Amazon Cognito.

Prerequisites

Before diving into the setup, ensure you have:

  • An active Power Pages site.
  • An AWS account with Cognito configured.
  • An Amazon Cognito User Pool, with an app client registered.
  • Basic familiarity with OAuth 2.0 and OIDC concepts.

Step-by-Step Guide

Step 1: Configure Amazon Cognito User Pool

  1. Create a User Pool:

In the AWS Management Console, navigate to Amazon Cognito and create a new user pool. Define attributes such as email, phone number, or custom fields based on your requirements.

  2. Set Up App Client:
    1. Register an app client under the user pool.
    2. Enable OAuth flows such as Authorization code grant or Implicit grant.
  3. Define Callback URLs:

When you configure the external identity provider in Power Pages, the URL shown at the top of the configuration page is the callback URL. Registering it here ensures Amazon Cognito redirects users back to your site after authentication.

  4. Configure Domain:

Amazon Cognito provides a hosted domain for sign-in. Customize it or use the default AWS-provided domain.

Step 2: Gather Required Information

From your Amazon Cognito setup, note the following details:

These values will be used when configuring Power Pages.

Step 3: Add Amazon Cognito as an Identity Provider in Power Pages

  1. Navigate to Power Pages Admin Center:

Go to your site settings and select Authentication.

  2. Add a New Identity Provider:

Choose OpenID Connect as the provider type.

  3. Enter Amazon Cognito Details:
    • Authority/Issuer URL: Paste the Amazon Cognito domain.
    • Client ID: Enter the app client ID.
    • Scopes: Add openid, email, profile.
    • Metadata Address: This is critical. It points to Amazon Cognito’s OIDC discovery document:
      https://cognito-idp.ap-south-1.amazonaws.com/<User Pool ID>/.well-known/openid-configuration
    • Redirect URL: Ensure it matches the callback URL configured in Amazon Cognito.
    • Secret: Secret key provided by Amazon Cognito.
  4. Save and Enable:

Once saved, enable the provider. Your site now supports Amazon Cognito authentication.

Step 4: Test the Integration

  • Navigate to your Power Pages site and click Sign In.
  • You should see Amazon Cognito as an option.
  • Authenticate using an Amazon Cognito user account.
  • If successful, you’ll be redirected back to Power Pages with a valid session.

Best Practices

  • Use HTTPS: Always secure your site with SSL/TLS.
  • Enable MFA in Amazon Cognito: Adds an extra layer of security.
  • Map Claims to Power Pages: Ensure user attributes (like email or roles) are correctly mapped to Dataverse contacts.
  • Monitor Logs: Use Amazon CloudWatch and Power Platform admin tools to track authentication events.

Conclusion

Integrating Amazon Cognito with Power Pages unlocks a powerful combination: low-code website development with enterprise-grade identity management. By leveraging OIDC, organizations can provide secure, seamless access to their users while maintaining flexibility to scale and adapt.

Whether you’re building a customer portal, partner site, or internal application, Amazon Cognito ensures authentication is handled reliably, leaving you free to focus on delivering value through your Power Pages site.

Drop a query if you have any questions regarding Amazon Cognito and we will get back to you quickly.

FAQs

1. What is the “Metadata Address” and why do I need it in Power Pages?

ANS: – The metadata address is the OpenID Connect discovery endpoint provided by Cognito. It looks like: https://cognito-idp.<region>.amazonaws.com/<user_pool_id>/.well-known/openid-configuration
Power Pages uses this address to automatically fetch all necessary endpoints (authorization, tokens, JWKS keys), as well as configuration details.

2. How do I find my Amazon Cognito User Pool ID?

ANS: – When you create an Amazon Cognito User Pool in AWS, it is assigned a unique identifier. For example, ap-south-1_jhk means the pool is in the Mumbai (ap-south-1) region and has the unique suffix jhk. You can find this ID in the Amazon Cognito console under User Pools → General Settings.
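
Added example (not part of the original post or CloudThat's code): a Python check for the values entered in Step 3 and described in FAQs 1 and 2. It confirms that the metadata address has the Cognito form, that the region in the host matches the region prefix of the User Pool ID, and that the discovery document's issuer, endpoints, scopes and response types are consistent with what Power Pages is configured to use. The function name, the pool ID `ap-south-1_EXAMPLE` and the hosted domain `example-domain` are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_SCOPES = {"openid", "email", "profile"}  # scopes entered in Step 3
# Cognito metadata address: region in the host, pool ID "<region>_<suffix>" in the path.
METADATA_RE = re.compile(
    r"^https://cognito-idp\.([a-z0-9-]+)\.amazonaws\.com/([a-z0-9-]+)_([A-Za-z0-9]+)"
    + re.escape(WELL_KNOWN) + "$")


def check_oidc_settings(metadata_address, discovery):
    """Return a list of problems; an empty list means the settings are consistent."""
    m = METADATA_RE.match(metadata_address)
    if not m:
        return ["metadata address is not a Cognito user pool discovery URL"]
    problems = []
    host_region, pool_region = m.group(1), m.group(2)
    if host_region != pool_region:
        problems.append(f"pool ID region {pool_region} differs from host region {host_region}")
    # OIDC Discovery: the issuer must equal the metadata URL without the well-known suffix.
    expected_issuer = metadata_address[: -len(WELL_KNOWN)]
    if discovery.get("issuer") != expected_issuer:
        problems.append("issuer does not match the metadata address")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlparse(discovery.get(key, "")).scheme != "https":
            problems.append(f"{key} is missing or not HTTPS")
    missing = REQUIRED_SCOPES - set(discovery.get("scopes_supported", []))
    if missing:
        problems.append("scopes not advertised: " + ", ".join(sorted(missing)))
    if "code" not in discovery.get("response_types_supported", []):
        problems.append("authorization code flow (response type 'code') not advertised")
    return problems


# Constructed sample input: pool ID and hosted domain are placeholders, not real values.
SAMPLE_METADATA = "https://cognito-idp.ap-south-1.amazonaws.com/ap-south-1_EXAMPLE" + WELL_KNOWN
SAMPLE_DISCOVERY = {
    "issuer": "https://cognito-idp.ap-south-1.amazonaws.com/ap-south-1_EXAMPLE",
    "authorization_endpoint": "https://example-domain.auth.ap-south-1.amazoncognito.com/oauth2/authorize",
    "token_endpoint": "https://example-domain.auth.ap-south-1.amazoncognito.com/oauth2/token",
    "jwks_uri": "https://cognito-idp.ap-south-1.amazonaws.com/ap-south-1_EXAMPLE/.well-known/jwks.json",
    "scopes_supported": ["openid", "email", "phone", "profile"],
    "response_types_supported": ["code", "token"],
}

if __name__ == "__main__":
    for problem in check_oidc_settings(SAMPLE_METADATA, SAMPLE_DISCOVERY) or ["no problems found"]:
        print(problem)
```

To check a live pool, download the JSON from the metadata address, parse it with `json.load`, and pass the resulting dictionary as `discovery`.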

3. Can I use Amazon Cognito with multiple identity providers in Power Pages?

ANS: – Yes. Power Pages supports multiple external identity providers simultaneously. You can configure Amazon Cognito alongside others such as Azure AD B2C, Google, or LinkedIn. Users will then see multiple sign-in options on your site. This is especially useful if you want to support both enterprise logins and social accounts.

WRITTEN BY Sanket Gaikwad

Sanket is a Cloud-Native Backend Developer at CloudThat, specializing in serverless development, backend systems, and modern frontend frameworks such as React. His expertise spans cloud-native architectures, Python, Dynamics 365, and AI/ML solution design, enabling him to play a key role in building scalable, intelligent applications. Combining strong backend proficiency with a passion for cloud technologies and automation, Sanket delivers robust, enterprise-grade solutions. Outside of work, he enjoys playing cricket and exploring new places through travel.
