Docs
βš™οΈ Configuration
Authentication
OAuth2-OIDC
AWS Cognito

AWS Cognito

Create a new User Pool in Cognito

image

Configure sign-in experience

Your Cognito user pool sign-in options should include User Name and Email.

image

Configure Security Requirements

You can configure the password requirements now if you desire

image

Configure sign-up experience

Choose the attributes required at signup. The minimum required is name. If you want to require users to use their full name at sign up use: given_name and family_name as required attributes.

image

Configure message delivery

Send email with Cognito can be used for free for up to 50 emails a day

image

Integrate your app

Select Use Cognitio Hosted UI and chose a domain name

image

Set the app type to Confidential client Make sure Generate a client secret is set. Set the Allowed callback URLs to https://YOUR_DOMAIN/oauth/openid/callback

image

Under Advanced app client settings make sure Profile is included in the OpenID Connect scopes (in the bottom)

image

Review and create

You can now make last minute changes, click on Create user pool when you’re done reviewing the configuration

image

image

image

image

Get your environment variables

  1. Open your User Pool

image

  1. The User Pool ID and your AWS region will be used to construct the OPENID_ISSUER (see below)

image image

  1. Go to the App Integrations tab

image

  1. Open the app client

image

  1. Toggle Show Client Secret

image

  • Use the Client ID for OPENID_CLIENT_ID

  • Use the Client secret for OPENID_CLIENT_SECRET

  • Generate a random string for the OPENID_SESSION_SECRET

The OPENID_SCOPE and OPENID_CALLBACK_URL are pre-configured with the correct values

  1. Open the .env file at the root of your LibreChat folder and add the following variables with the values you copied:
.env
DOMAIN_CLIENT=https://your-domain.com # use http://localhost:3080 if not using a custom domain
DOMAIN_SERVER=https://your-domain.com # use http://localhost:3080 if not using a custom domain
 
OPENID_CLIENT_ID=Your client ID
OPENID_CLIENT_SECRET=Your client secret
OPENID_ISSUER=https://cognito-idp.[AWS REGION].amazonaws.com/[USER POOL ID]/.well-known/openid-configuration
OPENID_SESSION_SECRET=Any random string
OPENID_SCOPE=openid profile email
OPENID_CALLBACK_URL=/oauth/openid/callback
 
# Optional: redirects the user to the end session endpoint after logging out
OPENID_USE_END_SESSION_ENDPOINT=true
# Optional: generates the nonce url parameter.
OPENID_GENERATE_NONCE=true

[!WARNING]
If Cognito is configured with an OIDC provider, i.e. federation to Entra, the OPENID_GENERATE_NONCE=true is required. Otherwise Cognito will generate it regardless and the claims validation will fail since the client didn’t provide one.

  1. Save the .env file

Note: If using docker, run docker compose up -d to apply the .env configuration changes

Auth0Azure Entra/AD