This reference architecture supports two authentication patterns:

- Generic, external OIDC, using an identity provider you already manage
- Amazon Cognito, created by Terraform when explicitly enabled

External OIDC is the default. The Terraform implementation does not create a Cognito identity provider unless you explicitly enable it.
Use external OIDC when:

- you already have an identity provider
- identity should remain centrally managed outside this deployment
- you want to minimize AWS-specific dependencies in the auth layer

In this mode, you create the OIDC issuer and client configuration for Poolside. When you open the Poolside Console for the first time, it prompts for the external OIDC configuration.

Cognito is supported, but it is disabled by default.
Enable Cognito when:

- you want an AWS-native quickstart
- you do not already have an external OIDC provider prepared
- you want Terraform to create the initial auth resources for this deployment

When enabled, Terraform creates:

- a Cognito user pool
- a Cognito app client
- a Cognito hosted domain

When you initially configure the Poolside Console, it prompts for the OIDC client configuration. After `terraform apply` completes, retrieve the three values from the example root's outputs:
| Console field | Command |
|---|---|
| Provider URL | `terraform output -raw cognito_user_pool_endpoint` |
| Client ID | `terraform output -raw cognito_user_pool_client_id` |
| Client Secret | `terraform output -raw cognito_user_pool_client_secret` |

The client secret is marked sensitive: `terraform output` with no arguments displays it as `<sensitive>`. Use the `terraform output -raw <name>` form above to retrieve the actual value for the Poolside Console.
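The retrieval step above, scripted. This is an added example, not part of the Poolside reference architecture or its Terraform; it assumes only the three output names from the table, and `TF_BIN` is an assumed override hook for the `terraform` binary (default `terraform`) so the functions can be exercised without a real state file. Instead of printing the client secret to the terminal, where it would land in scrollback and shell history, it writes the three values to a file created with mode 0600.

```shell
#!/bin/sh
# Added example (not part of the reference architecture): collect the three
# Poolside Console values after `terraform apply` with Cognito enabled.
# Output names come from the table above; TF_BIN is an assumed override hook
# for the terraform binary (default: terraform). Run from the example root.

fetch_output() {
  # Print one Terraform output value read with `terraform output -raw`.
  # Fails if the output does not exist (for example when Cognito is disabled
  # and the cognito_* outputs are absent) or comes back empty.
  name="$1"
  value="$(${TF_BIN:-terraform} output -raw "$name" 2>/dev/null)" || return 1
  [ -n "$value" ] || return 1
  printf '%s' "$value"
}

write_console_config() {
  # $1: destination file. It holds the client secret, so it is created with
  # mode 0600 (umask 077) and the secret is never echoed to stdout.
  dest="$1"
  provider_url="$(fetch_output cognito_user_pool_endpoint)" ||
    { echo "cognito_user_pool_endpoint not found: is Cognito enabled and applied?" >&2; return 1; }
  client_id="$(fetch_output cognito_user_pool_client_id)" ||
    { echo "cognito_user_pool_client_id not found" >&2; return 1; }
  client_secret="$(fetch_output cognito_user_pool_client_secret)" ||
    { echo "cognito_user_pool_client_secret not found" >&2; return 1; }

  old_umask="$(umask)"
  umask 077
  printf 'Provider URL: %s\nClient ID: %s\nClient Secret: %s\n' \
    "$provider_url" "$client_id" "$client_secret" > "$dest"
  umask "$old_umask"
  echo "Console values written to $dest (client secret not printed)"
}

# Direct use: `sh fetch-console-values.sh ./poolside-console.txt`
if [ $# -gt 0 ]; then
  write_console_config "$1"
fi
```

Paste the three lines from the file into the Console prompt, then delete the file; nothing in this deployment reads it afterwards. If the script reports `cognito_user_pool_endpoint not found`, the most likely cause is that Cognito was never enabled, so the outputs do not exist in the example root's state.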