OpenID config
Revision as of 12:04, 10 September 2018

Amazon AWS offers an IdP (Identity Provider) service called Cognito.

It can be used without cost (volume dependent).

Cognito lets you create and manage User Pools, i.e. a database where you keep your users.

You can then register "applications" in Cognito. By referring to such an application, your system can use the Cognito user pool to authenticate users.

Cognito also allows other OpenID providers to be associated with the application. The general idea is that the system you build only needs to know about Cognito, while users with accounts from Google or other providers can still be trusted with an access token to your AWS resources.

We mainly want to use Cognito for authentication.

Cognito is an OpenID Connect provider, but it requires a bit more configuration to integrate with Turnkey than, say, AzureAD (which is also an OpenID Connect provider).

This is what is needed:

<OpenID_ClientId>20sg2i7fOBFUSCATEDk7c7d9de</OpenID_ClientId>
<OpenID_Authority>https://cognito-idp.<Region>.amazonaws.com/eu-west-1_jrOBFUSCATED6M</OpenID_Authority>
<OpenIDConnectRedirectUrl>https://<YourTurnkeyURL>/Account/AWSCognito</OpenIDConnectRedirectUrl>
<OpenIDConnectResponseType>code</OpenIDConnectResponseType>
<OpenIDConnectAuthDomainUrl>https://<CognitoDomain>.auth.<Region>.amazoncognito.com</OpenIDConnectAuthDomainUrl>

These entries must be in the TurnkeySettings.xml found in App_Data.

In Cognito you set the Callback URL to https://<YourTurnkey>/Account/AWSCognito and the Sign-out URL to https://<YourTurnkey>

[Screenshot: Cognito app client settings (2018-09-10 13h38 41.png)]

If you have the Authority but need to find the AuthDomainUrl: take the Authority and append /.well-known/openid-configuration

Like this https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_OLSOMETHING7/.well-known/openid-configuration

In the JSON response look for something like this:

"token_endpoint":"https://????.auth.eu-west-1.amazoncognito.com/oauth2/token"

Your AuthDomainUrl is the scheme and host of that endpoint, i.e. https://????.auth.eu-west-1.amazoncognito.com in the case above.
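The lookup described above, worked through in code. This is an added example, not part of the original wiki page or of Turnkey itself; the pool id eu-west-1_EXAMPLEPOOL, the domain prefix example-domain and the embedded discovery document are constructed placeholders in the shape Cognito returns. Besides extracting the AuthDomainUrl, it performs the check OpenID Connect Discovery requires before trusting any endpoint from the document: the issuer field must match the Authority the document was fetched from.

```python
"""Derive the Cognito AuthDomainUrl from an OpenID Connect Authority.

Added example; not code from the original page or from Turnkey.
"""
import json
from urllib.parse import urlsplit, urlunsplit
from urllib.request import urlopen

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def discovery_url(authority: str) -> str:
    """Build the discovery-document URL from the Authority (a trailing slash is tolerated)."""
    return authority.rstrip("/") + DISCOVERY_SUFFIX


def auth_domain_from_discovery(authority: str, doc: dict) -> str:
    """Return scheme://host of token_endpoint, after checking the document is trustworthy."""
    # OIDC Discovery requires the issuer to equal the URL the document was fetched from.
    # A mismatch indicates a misconfigured or spoofed document; refuse to use its endpoints.
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != authority.rstrip("/"):
        raise ValueError(f"issuer {issuer!r} does not match authority {authority!r}")
    parts = urlsplit(doc["token_endpoint"])
    # Tokens are exchanged at this endpoint, so never accept a plaintext URL for it.
    if parts.scheme != "https":
        raise ValueError("token_endpoint must use https")
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def fetch_auth_domain(authority: str, timeout: float = 10.0) -> str:
    """Live variant: fetch the discovery document over HTTPS and derive the AuthDomainUrl."""
    with urlopen(discovery_url(authority), timeout=timeout) as resp:
        doc = json.load(resp)
    return auth_domain_from_discovery(authority, doc)


# Constructed sample in the shape Cognito returns; pool id and domain prefix are placeholders.
SAMPLE_AUTHORITY = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLEPOOL"
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLEPOOL",
  "authorization_endpoint": "https://example-domain.auth.eu-west-1.amazoncognito.com/oauth2/authorize",
  "token_endpoint": "https://example-domain.auth.eu-west-1.amazoncognito.com/oauth2/token",
  "jwks_uri": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLEPOOL/.well-known/jwks.json",
  "response_types_supported": ["code", "token"]
}""")

if __name__ == "__main__":
    print("discovery URL :", discovery_url(SAMPLE_AUTHORITY))
    print("AuthDomainUrl :", auth_domain_from_discovery(SAMPLE_AUTHORITY, SAMPLE_DISCOVERY))
```

Run it as-is to see the derivation on the embedded sample; call fetch_auth_domain with your real Authority to do the same against the live discovery document. The value it returns is what goes into OpenIDConnectAuthDomainUrl in TurnkeySettings.xml.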
